plentico / plenti

Static Site Generator with Go backend and Svelte frontend
https://plenti.co
Apache License 2.0
985 stars 50 forks

tls: failed to verify certificate: x509 #316

Closed jimafisk closed 1 month ago

jimafisk commented 2 months ago

I'd like to be able to plenti npm install in CI to avoid having to install NodeJS/NPM on the container and speed up the overall builds. When I try this currently, I get a TLS error (https://github.com/livebud/npm/issues/2):

Could not install NPM dependencies
tls: failed to verify certificate: x509: certificate signed by unknown authority

I believe this is because our official image is built from scratch (https://github.com/plentico/plenti/blob/master/Dockerfile) and doesn't have ca-certificates.crt available: https://stackoverflow.com/questions/52969195/docker-container-running-golang-http-client-getting-error-certificate-signed-by

I'd like to keep our image as slim as possible, according to this article it should have minimal impact on the overall size:

The final image is about 0.2 MB larger

jimafisk commented 2 months ago

Just want to note that apk is the package manager for alpine so it's not available on scratch itself.

I was trying to avoid adding a build step simply to steal the /etc/ssl/certs/ca-certificates.crt file from the alpine image, but I wasn't sure if this needed to be generated every time when it's included in the base of the project: https://pkgs.alpinelinux.org/contents?file=&path=&name=ca-certificates-bundle&branch=edge&repo=main&arch=x86

I ultimately set up a simple multi-stage build using the example provided here: https://medium.com/on-docker/use-multi-stage-builds-to-inject-ca-certs-ad1e8f01de1b

jimafisk commented 1 month ago

This should be available in v0.6.43 (note I had to skip a few version numbers because of failing builds)

Adding the root CA certificate only increased the size of the image by 0.12 MB:

The jump from v0.6.8 (17.59 MB) to v0.6.9 (24.54 MB) was much larger (6.95 MB), likely because we introduced "Mac universal_binaries."

jimafisk commented 1 month ago

I tested out the new release in our Gitea act_runner and it worked!