fix(ci): test vp TLS failure without ca-certificates on Alpine

fengmk2 · fengmk2 · commit c1ea842a4796 · 2026-03-25T09:59:55.000+08:00
The negative test now removes /etc/ssl/certs/ca-certificates.crt after
vp is installed, then verifies that vp HTTPS calls fail. This proves
rustls-platform-verifier requires OS root CAs.

The previous approach (skipping ca-certificates in apk add) didn't work
because curl transitively pulls in ca-certificates-bundle.
diff --git a/.github/workflows/test-standalone-install.yml b/.github/workflows/test-standalone-install.yml
@@ -221,21 +221,6 @@ jobs:
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
-      - name: Verify install.sh fails without ca-certificates
-        run: |
-          docker run --rm \
-            -v "${{ github.workspace }}:/workspace" \
-            -e VITE_PLUS_VERSION=alpha \
-            -e CI=true \
-            alpine:3.21 sh -c "
-              apk add --no-cache bash curl libstdc++
-              if cat /workspace/packages/cli/install.sh | bash 2>&1; then
-                echo 'Error: install.sh should fail without ca-certificates'
-                exit 1
-              fi
-              echo 'Confirmed: install.sh fails without ca-certificates (expected)'
-            "
-
       - name: Run install.sh in Alpine container
         run: |
           docker run --rm \
@@ -269,6 +254,17 @@ jobs:
               vp env doctor
               vp env run --node 24 -- node -p \"process.versions\"
 
+              # Verify vp requires ca-certificates for TLS (rustls-platform-verifier reads OS cert store).
+              # Remove the cert bundle, then try to download a Node.js version not yet cached.
+              rm -f /etc/ssl/certs/ca-certificates.crt
+              if vp env run --node 23 -- node -e 'process.exit(0)' 2>&1; then
+                echo 'Error: vp should fail without ca-certificates'
+                exit 1
+              fi
+              echo 'Confirmed: vp HTTPS fails without ca-certificates (expected)'
+              # Restore certs for remaining tests
+              apk fix --no-cache ca-certificates-bundle
+
               # Test create command
               vp create vite --no-interactive --no-agent -- hello --no-interactive -t vanilla
               cd hello && vp run build && vp --version
