c419a73bf5
CI / scan (pull_request) Failing after 1m22s
CI / check (pull_request) Failing after 1m27s
CI / commits (pull_request) Failing after 1m31s
CI / perf (pull_request) Failing after 14s
CI / a11y (pull_request) Failing after 1m36s
Docs site / build (pull_request) Failing after 1m41s
The CI runner (catthehacker/ubuntu:act-22.04) fails `pnpm install --frozen-lockfile` because grpc-tools' postinstall downloads a precompiled protoc archive from node-precompiled-binaries.grpc.io and Node 24's bundled CA set cannot verify the chain there. Node 24 itself surfaces the fix in the error message: pass `--use-system-ca` so Node consults the OS CA store in addition to its bundled set. The runner image carries the standard Ubuntu `ca-certificates` bundle, which validates the impacted chains. Applied at workflow scope (env: block) on both ci.yml and docs-site.yml so every Node child (pnpm itself plus every postinstall it spawns) inherits the option. Future native deps that hit the same TLS rejection will benefit automatically.