fix(ci): pass NODE_OPTIONS=--use-system-ca to clear grpc-tools tls install
CI / scan (pull_request) Failing after 1m22s
CI / check (pull_request) Failing after 1m27s
CI / commits (pull_request) Failing after 1m31s
CI / perf (pull_request) Failing after 14s
CI / a11y (pull_request) Failing after 1m36s
Docs site / build (pull_request) Failing after 1m41s
CI / scan (pull_request) Failing after 1m22s
CI / check (pull_request) Failing after 1m27s
CI / commits (pull_request) Failing after 1m31s
CI / perf (pull_request) Failing after 14s
CI / a11y (pull_request) Failing after 1m36s
Docs site / build (pull_request) Failing after 1m41s
The CI runner (catthehacker/ubuntu:act-22.04) fails `pnpm install --frozen-lockfile` because grpc-tools' postinstall downloads a precompiled protoc archive from node-precompiled-binaries.grpc.io and Node 24's bundled CA set cannot verify the chain there. Node 24 itself surfaces the fix in the error message: pass `--use-system-ca` so Node consults the OS CA store in addition to its bundled set. The runner image carries the standard Ubuntu `ca-certificates` bundle, which validates the impacted chains. Applied at workflow scope (env: block) on both ci.yml and docs-site.yml so every Node child (pnpm itself plus every postinstall it spawns) inherits the option. Future native deps that hit the same TLS rejection will benefit automatically.
This commit is contained in:
@@ -28,6 +28,13 @@ on:
|
||||
- 'pnpm-lock.yaml'
|
||||
- '.gitea/workflows/docs-site.yml'
|
||||
|
||||
# See `.gitea/workflows/ci.yml` for the rationale — Node 24's
|
||||
# bundled CA set rejects some chains the runner's OS trust store
|
||||
# validates, and `--use-system-ca` (Node ≥ 22) tells Node to
|
||||
# consult the OS CA bundle alongside its own.
|
||||
env:
|
||||
NODE_OPTIONS: --use-system-ca
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: [self-hosted, on-prem]
|
||||
|
||||
Reference in New Issue
Block a user