From ba96cddebc60eed5496c9f6b7253ea7083af3d25 Mon Sep 17 00:00:00 2001
From: rob thijssen <grenade@rob.tn>
Date: Thu, 25 Jun 2026 14:00:47 +0300
Subject: [PATCH] ci: install web deps with --ignore-scripts + explicit rebuild

CI's pnpm did not honor the build-script allowlist from package.json (removed
in pnpm 10) nor from pnpm-workspace.yaml under `pnpm --dir ui`, so build-web
kept failing with ERR_PNPM_IGNORED_BUILDS. Make it version- and discovery-
independent: run in ui/ via working-directory, install with --ignore-scripts
(no approval gate), then `pnpm rebuild @swc/core esbuild` to place the native
binaries vite needs. Verified locally: cold install + rebuild + vite build all
succeed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01X7zF7Kf4JqDwa6M8Qgge9M
---
 .gitea/workflows/deploy.yml  | 10 ++++++++--
 .gitea/workflows/refresh.yml |  8 ++++++--
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index cf6fd55..f24b019 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -91,10 +91,16 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       # The fedora-44 runner image bakes in node + pnpm (+ rsync) — no install.
+      # pnpm 10 blocks dependency build scripts unless approved, and CI doesn't
+      # reliably pick up the pnpm-workspace.yaml allowlist; so install with
+      # --ignore-scripts (no approval gate) and explicitly rebuild the two native
+      # deps vite needs (esbuild, @swc/core). Version-independent.
       - name: Build web (vite client + prerender)
+        working-directory: ui
         run: |
-          pnpm --dir ui install --frozen-lockfile
-          pnpm --dir ui run build
+          pnpm install --frozen-lockfile --ignore-scripts
+          pnpm rebuild @swc/core esbuild
+          pnpm run build
       - uses: actions/upload-artifact@v3
         with: { name: web-dist, path: ui/dist, retention-days: 1 }
 
diff --git a/.gitea/workflows/refresh.yml b/.gitea/workflows/refresh.yml
index f774683..e7389ff 100644
--- a/.gitea/workflows/refresh.yml
+++ b/.gitea/workflows/refresh.yml
@@ -36,10 +36,14 @@ jobs:
     runs-on: fedora-44       # image bakes in node + pnpm; that's all we need here
     steps:
       - uses: actions/checkout@v4
+      # Install without the pnpm 10 build-script gate, then rebuild the native
+      # deps vite needs (see deploy.yml build-web for the rationale).
       - name: Build web (vite client + prerender)
+        working-directory: ui
         run: |
-          pnpm --dir ui install --frozen-lockfile
-          pnpm --dir ui run build
+          pnpm install --frozen-lockfile --ignore-scripts
+          pnpm rebuild @swc/core esbuild
+          pnpm run build
       - uses: actions/upload-artifact@v3
         with: { name: web-dist, path: ui/dist, retention-days: 1 }