fix(ci): pass NODE_OPTIONS=--use-system-ca to clear grpc-tools tls install
CI / scan (pull_request) Failing after 1m22s
CI / check (pull_request) Failing after 1m27s
CI / commits (pull_request) Failing after 1m31s
CI / perf (pull_request) Failing after 14s
CI / a11y (pull_request) Failing after 1m36s
Docs site / build (pull_request) Failing after 1m41s
CI / scan (pull_request) Failing after 1m22s
CI / check (pull_request) Failing after 1m27s
CI / commits (pull_request) Failing after 1m31s
CI / perf (pull_request) Failing after 14s
CI / a11y (pull_request) Failing after 1m36s
Docs site / build (pull_request) Failing after 1m41s
The CI runner (catthehacker/ubuntu:act-22.04) fails `pnpm install --frozen-lockfile` because grpc-tools' postinstall downloads a precompiled protoc archive from node-precompiled-binaries.grpc.io and Node 24's bundled CA set cannot verify the chain there. Node 24 itself surfaces the fix in the error message: pass `--use-system-ca` so Node consults the OS CA store in addition to its bundled set. The runner image carries the standard Ubuntu `ca-certificates` bundle, which validates the impacted chains. Applied at workflow scope (env: block) on both ci.yml and docs-site.yml so every Node child (pnpm itself plus every postinstall it spawns) inherits the option. Future native deps that hit the same TLS rejection will benefit automatically.
This commit is contained in:
@@ -11,6 +11,18 @@ on:
|
|||||||
push:
|
push:
|
||||||
branches: [main]
|
branches: [main]
|
||||||
|
|
||||||
|
# Node 24's bundled CA set does not include every intermediate the
|
||||||
|
# self-hosted runner's network path serves (the precompiled-binary
|
||||||
|
# CDN behind grpc-tools is the first surface where this surfaced).
|
||||||
|
# `--use-system-ca` tells Node to consult the OS CA store in
|
||||||
|
# addition to its bundled set — supported since Node 22 and the
|
||||||
|
# documented Node-team fix for exactly this class of TLS-chain
|
||||||
|
# rejection. The runner image (`catthehacker/ubuntu:act-22.04` per
|
||||||
|
# ADR-0015) carries the standard Ubuntu `ca-certificates` bundle,
|
||||||
|
# which validates the impacted chains.
|
||||||
|
env:
|
||||||
|
NODE_OPTIONS: --use-system-ca
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
check:
|
check:
|
||||||
runs-on: [self-hosted, on-prem]
|
runs-on: [self-hosted, on-prem]
|
||||||
|
|||||||
@@ -28,6 +28,13 @@ on:
|
|||||||
- 'pnpm-lock.yaml'
|
- 'pnpm-lock.yaml'
|
||||||
- '.gitea/workflows/docs-site.yml'
|
- '.gitea/workflows/docs-site.yml'
|
||||||
|
|
||||||
|
# See `.gitea/workflows/ci.yml` for the rationale — Node 24's
|
||||||
|
# bundled CA set rejects some chains the runner's OS trust store
|
||||||
|
# validates, and `--use-system-ca` (Node ≥ 22) tells Node to
|
||||||
|
# consult the OS CA bundle alongside its own.
|
||||||
|
env:
|
||||||
|
NODE_OPTIONS: --use-system-ca
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
build:
|
||||||
runs-on: [self-hosted, on-prem]
|
runs-on: [self-hosted, on-prem]
|
||||||
|
|||||||
Reference in New Issue
Block a user