The dpkg-lock thrashing — even with flock — was unwinnable: an unrelated
apt-get had been holding the host lock for >180s. Stop installing OS
packages from inside the workflow entirely; assume they're baked onto the
forgejo-runner container, fail loudly with a clear pointer if they're
missing.
scripts/bootstrap/runner-bake-deps.sh installs them all in one shot.
While here, fix the iltorb regression: --include=dev was dragging in
apps/web's bundlesize devDep, which transitively pulls iltorb (a
deprecated native node-gyp module that doesn't build on Node 20).
Moved style-dictionary to dependencies in @veza/design-system (it's a
build tool, needed by `npm run build:tokens` at deploy time, not a dev
tool), and the workflow now runs plain `npm ci` with NODE_ENV=production.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
