204727b1a7
CI / commits (pull_request) Successful in 3m57s
CI / scan (pull_request) Successful in 4m20s
CI / check (pull_request) Successful in 6m13s
CI / a11y (pull_request) Successful in 2m53s
Docs site / build (pull_request) Successful in 4m0s
CI / perf (pull_request) Successful in 7m41s
The NODE_OPTIONS=--use-system-ca workaround merged in #199 did not clear the failure — the same TLS-chain rejection still trips the runner. Either the runner's OS CA store also lacks the missing intermediate, or `--use-system-ca` does not propagate down to the node-fetch@2 used by node-pre-gyp. Without runner shell access the exact reason is not worth investigating. Different angle: grpc-tools is never invoked in CI. The protoc binary it downloads is only used by `pnpm run grpc:codegen`, which runs on a developer's machine when a proto file changes. The generated TypeScript stubs in apps/portal-bff/src/grpc/gen/ are committed (per ADR-0024 §"Sub-decision 3 — vendored protos"), so CI only needs to type-check them — protoc is dead weight there. Move grpc-tools from devDependencies to optionalDependencies. Per pnpm semantics, an optional dependency whose install (including postinstall) fails is logged as a warning and the overall install continues. On the runner: postinstall still fails on TLS, pnpm emits a warning, ci:check proceeds. On a developer machine: TLS validates, postinstall runs, protoc binary lands, `pnpm grpc:codegen` works exactly as before. No dev-side friction; no workflow env vars to maintain. Reverts the workflow `env:` blocks added in #199 — they did not help and adding noise to the workflow YAML for a non-working workaround is worse than removing it.