fix(ci): move grpc-tools to optionalDependencies (revert NODE_OPTIONS attempt) #200
Reference in New Issue
Block a user
Delete Branch "fix/ci-grpc-tools-optional"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
The
NODE_OPTIONS=--use-system-caworkaround merged in #199 did not clear the CI install failure — the runner still rejects the TLS chain tonode-precompiled-binaries.grpc.io. Either the runner's OS CA bundle is missing the same intermediate Node's bundled set is missing, or--use-system-cadoes not propagate down to thenode-fetch@2thatnode-pre-gypuses. Without runner shell access the exact reason is not worth chasing.Switch angle: the protoc binary
grpc-toolsdownloads is never used in CI. The generated TypeScript stubs inapps/portal-bff/src/grpc/gen/are committed per ADR-0024 §"Sub-decision 3 — vendored protos", so CI only needs to type-check them; protoc only runs when a developer regenerates fromapps/portal-bff/src/grpc/proto/apf-ai/*.proto.This PR moves
grpc-toolsfromdevDependenciestooptionalDependencies. Per pnpm semantics, when an optional dep's install (including postinstall) fails, pnpm logs a warning and the overall install completes. CI'spnpm install --frozen-lockfiletherefore succeeds even when the binary cannot be fetched; developer machines (where TLS validates) install grpc-tools normally andpnpm grpc:codegenworks unchanged.What lands
package.json—grpc-tools: "^1.13.0"moves out ofdevDependenciesand into a newoptionalDependenciesblock. The entry inpnpm.onlyBuiltDependenciesstays — it controls whether pnpm attempts the postinstall, not whether failure is fatal. Local installs (where TLS works) still run the postinstall and download the binary.pnpm-lock.yaml— refreshed; the lockfile reflects the new optional-dep classification. No version changes to anything else..gitea/workflows/ci.yml— revert the workflow-levelenv: NODE_OPTIONS: --use-system-cablock added in #199. Did not help; left in place it would be a misleading "this is supposed to fix CI TLS" signpost..gitea/workflows/docs-site.yml— same revert.Notes for the reviewer
optionalDependenciesis the right primitive. pnpm 10 documents the contract: a package listed inoptionalDependenciesis attempted; if the install fails for any reason (platform mismatch, postinstall script error, network failure), the failure is logged and the overall command continues. That maps exactly to what this PR needs: try in CI, fail gracefully, succeed locally.grpc-toolsfrompnpm.onlyBuiltDependenciesinstead. Removing it from the allowlist tells pnpm not to even try the postinstall, which would also fix CI. But it would also break the developer workflow — locally, the protoc binary would never download, andpnpm grpc:codegenwould fail. The dev would have to manually trigger the build (pnpm approve-buildsthenpnpm rebuild grpc-tools), or worse, devs would commit accidentalpackage.jsonmutations fromapprove-builds. TheoptionalDependenciesroute keeps the local DX identical.env:blocks. They do not help here, and leaving them in place implies that--use-system-cais the canonical fix for this class of failure — which it is not, at least not for this runner / this CDN. If a future native dep hits a similar wall and--use-system-cadoes fix it for that case, the env var lands in a focused PR with a real validation. Carrying it now as a "maybe useful later" workaround is noise.pnpm installruns the postinstall (TLS validates locally), the protoc binary lands innode_modules/,pnpm grpc:codegenregenerates stubs. The only visible difference is a one-lineWARN GET_RESOLVED_FROM_REGISTRY ...if a contributor ever encounters the same TLS failure locally (e.g., on a corporate-proxied machine) — pnpm will mark grpc-tools as failed-optional and the rest of the install proceeds; the dev can then debug their own network without blocking the whole repo.--frozen-lockfile. The lockfile change is small (re-classifies grpc-tools fromdevtooptional) and lands in this PR. After merge, CI runs against the new lockfile; no further coordination needed.Test plan
pnpm installlocally — clean, grpc-tools postinstall runs successfully (TLS validates), protoc binary present.pnpm grpc:codegen— regenerates the TypeScript stubs identically (no diff inapps/portal-bff/src/grpc/gen/).pnpm nx run-many -t lint test build -p portal-shell,portal-admin,portal-bff,shared-ui,shared-charts— all five projects green.pnpm install --frozen-lockfilecompletes despite grpc-tools' postinstall failure;ci:checkruns to completion.What's next
optionalDependenciesdoes not work as documented (highly unlikely, but possible if the pnpm version has a regression), the fallback is to dropgrpc-toolsfrompnpm.onlyBuiltDependenciesand add a small dev-onboarding note. One-line change away.buf, system protoc) the optional-dep entry can be removed entirely. Out of scope here.