The CI runner (catthehacker/ubuntu:act-22.04) fails `pnpm install
--frozen-lockfile` because grpc-tools' postinstall downloads a
precompiled protoc archive from node-precompiled-binaries.grpc.io
and Node 24's bundled CA set cannot verify the chain there.
Node 24 itself surfaces the fix in the error message: pass
`--use-system-ca` so Node consults the OS CA store in addition to
its bundled set. The runner image carries the standard Ubuntu
`ca-certificates` bundle, which validates the impacted chains.
Applied at workflow scope (env: block) on both ci.yml and
docs-site.yml so every Node child (pnpm itself plus every
postinstall it spawns) inherits the option. Future native deps
that hit the same TLS rejection will benefit automatically.