Audience: Deno CI on remote Mac mixing JSR (jsr:) and npm: over cross-border links. Deliverables: pain checklist, pull-path table, deno.lock/DENO_DIR env block, parallelism/timeouts, retry FAQ.

Scenarios & pain points

CI breaks when two registries, one DENO_DIR, and bursty HTTP/2 compete on a congested uplink—especially on a shared remote Mac where multiple deno install jobs align by accident.

Pain 1 — Dual egress: jsr: uses JSR hosts; npm: follows npm registry settings. Allow lists and NO_PROXY must cover both.

Pain 2 — Cache coupling: Shared DENO_DIR without pruning yields partial-fetch ghosts across runners.

Pain 3 — Lock vs mirror lag: Fresh deno.lock on LAN can still fail --frozen CI when a mirror trails—treat registry freshness as infra, not app bugs.

| Decision | Choose dedicated remote Mac rental when… | Keep shared office hardware when… |
| --- | --- | --- |
| Egress control | You need repeatable HTTPS_PROXY / NO_PROXY per pool and audited TLS inspection support | All engineers sit on the same LAN as an approved forward proxy |
| Concurrency | You want two to four isolated CI images with separate DENO_DIR roots and predictable disk budgets | Only one modest pipeline runs nightly and cold-cache cost is negligible |
| Apple Silicon parity | Production targets arm64 macOS and you refuse to emulate in Linux containers | Linux CI is acceptable because deploy targets are server-side Linux only |

Deno/JSR pull path comparison table

Use for allow lists and packet captures—each row is its own compliance line item.

| Specifier style | Primary registry / host | Typical CI knobs | Watch-outs on long-haul links |
| --- | --- | --- | --- |
| jsr:@scope/pkg | JSR APIs and module tarballs | Global HTTPS_PROXY, SSL_CERT_FILE, DENO_DIR | Burst metadata requests; retry at workflow level before raising parallel jobs |
| npm:pkg@version | npm registry (or enterprise mirror via NPM_CONFIG_REGISTRY) | .npmrc, env vars, same TLS bundle as other Node tooling | Large tarballs; ensure mirror supports range requests if you resume partial downloads |
| https://…/mod.ts | Arbitrary HTTPS origin | Proxy rules, optional import maps in deno.json | Cache invalidation is your responsibility; pin versions in URL or map |

Citable fact: runbooks that name JSR, npm, and HTTPS paths shorten network triage.

Lockfile & cache directory executable parameters

Export these in CI shell preludes; check paths into docs beside the pipeline YAML.

| Parameter | Example CI value | Purpose |
| --- | --- | --- |
| DENO_DIR | $HOME/Library/Caches/deno-ci-$POOL | Root for deps, npm cache, and generated data; isolate per pool on shared Macs |
| deno.lock | Committed beside deno.json | Deterministic graph; pair with --frozen in CI |
| DENO_NO_PROMPT | 1 | Prevents interactive hooks from stalling unattended jobs |
| DENO_NO_UPDATE_CHECK | 1 | Skips version ping noise in regulated environments |
| NPM_CONFIG_REGISTRY | Mirror URL | Steers npm: specifiers without editing every import |
| SSL_CERT_FILE / DENO_TLS_CA_STORE | Org PEM or system,mozilla | Fixes TLS MITM inspection without disabling verification |

export DENO_DIR="${DENO_DIR:-$HOME/Library/Caches/deno-ci-$CI_POOL_ID}"
export DENO_NO_PROMPT=1
export DENO_NO_UPDATE_CHECK=1
# Optional npm mirror for npm: specifiers:
# export NPM_CONFIG_REGISTRY="https://registry.npmmirror.com"

deno install --frozen
# or warm TypeScript entrypoints without changing lockfile:
# deno cache --frozen main.ts

Five-step sequence:

1. Freeze locally. Refresh deno.lock on a trusted machine; isolate lock-only PRs.
2. Align DENO_DIR. Use the same path for SSH debug and the CI service account.
3. Split fetch vs test. Fail fast on registry errors before long integration suites.
4. Probe JSR and npm. curl -I through the production proxy; paste results in the runbook.
5. Prune caches. Above ~80% disk, rotate or delete stale DENO_DIR subtrees on a schedule.

Citable facts: frozen installs fail closed on artifact mismatch (supply-chain signal). Prefer per-user Library/Caches paths on macOS. deno.json import maps swap mirrors without editing imports.
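
Step 5 of the sequence above, as an added example that is not part of the original page: a scheduled prune that only acts above the disk threshold and only touches per-pool directories named like the DENO_DIR example value. The function names, the 14-day age and the use of directory mtime as the staleness signal are assumptions.

```shell
#!/bin/sh
# Added example: prune stale per-pool Deno caches once the volume is nearly full.
# Assumptions (not from the page): function names, the 14-day age, and treating
# a directory's mtime as "last used". The deno-ci-* naming mirrors the DENO_DIR
# example value in the parameter table.

# disk_used_pct PATH -> integer percent used on the volume that holds PATH
disk_used_pct() {
  df -P "$1" | awk 'NR==2 {
    for (i = 1; i <= NF; i++)
      if ($i ~ /^[0-9]+%$/) { sub(/%/, "", $i); print $i; exit }
  }'
}

# prune_stale_pools ROOT MAX_AGE_DAYS USED_PCT [THRESHOLD]
# Prints each directory it removed; does nothing below THRESHOLD (default 80).
# Exit status 2 means the root was rejected. The body runs in a subshell so
# its variables and exit calls stay local to the function.
prune_stale_pools() (
  root="$1"; age="$2"; used="$3"; threshold="${4:-80}"
  # Accept only an absolute path other than "/", so an unset or mistyped
  # variable cannot widen what rm -rf reaches.
  case "$root" in
    /?*) ;;
    *) echo "prune: refusing root '$root'" >&2; exit 2 ;;
  esac
  [ -d "$root" ] || exit 2
  [ "$used" -ge "$threshold" ] || exit 0
  # Candidates are direct children named deno-ci-*; -type d skips symlinks,
  # so a link planted in the cache root is never followed.
  find "$root" -mindepth 1 -maxdepth 1 -type d -name 'deno-ci-*' \
       -mtime +"$age" -print |
  while IFS= read -r dir; do
    rm -rf -- "$dir" && printf '%s\n' "$dir"
  done
)

# Scheduled use on a runner (hypothetical values):
#   root="$HOME/Library/Caches"
#   prune_stale_pools "$root" 14 "$(disk_used_pct "$root")"
```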

CI parallelism & timeout thresholds

There is no global Deno download concurrency knob—cap concurrent workflows per host and set orchestration timeouts instead.

| Knob | Starter value (cross-border) | Rationale |
| --- | --- | --- |
| Concurrent workflows per host | 2 | Preserves headroom for TLS handshakes and disk fsync under npm tarballs |
| deno install step timeout | 20–35 minutes | Cold graphs with mixed JSR and npm deps routinely exceed ten minutes on lossy links |
| Overall job timeout | 45–90 minutes | Leaves space for tests after fetch; tighten once caches stabilize |
| Retry wrapper backoff | 2s / 4s / 8s (three attempts) | Matches patterns in our pull stability FAQ |

Add runners before raising per-host concurrency—Silicon is fast; uplinks often are not.

Cross-border network failure retry FAQ

Retry where? CI orchestrator first—clean env, uniform logs.

TLS only on CI? Match SSL_CERT_FILE / DENO_TLS_CA_STORE to the service account; Keychain trust may not reach daemons.

npm works, JSR fails? Proxy allow lists often forget JSR hosts—fix lists, verify with curl -I from the runner.

Delete DENO_DIR? Safe in CI (refetch only); do it in maintenance windows.

Ops signal: if packet loss ~1%+, halve concurrent workflows before changing code.
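
The retry wrapper from the thresholds table and the "Retry where?" answer, as an added example that is not the page's own code. It reads "2s / 4s / 8s (three attempts)" as three retries after the initial try, and it goes one step beyond the table by never retrying a failure that looks like a lockfile or integrity mismatch, since the page treats frozen-install mismatches as a supply-chain signal. The function name, both environment variables and the match pattern are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Hypothetical names:
# fetch_with_retry, RETRY_BASE_SECONDS, NO_RETRY_PATTERN.
# NO_RETRY_PATTERN is an assumed match for lockfile/integrity wording;
# confirm it against the stderr of the Deno version you run.
RETRY_BASE_SECONDS="${RETRY_BASE_SECONDS:-2}"
NO_RETRY_PATTERN="${NO_RETRY_PATTERN:-integrity|lock ?file}"

# fetch_with_retry CMD [ARGS...]
#   0 = success
#   1 = still failing after the initial try plus three retries (2s/4s/8s)
#   2 = lockfile/integrity failure: fail closed, never retried
# The body runs in a subshell so variables, trap and exit stay local.
fetch_with_retry() (
  retries=3; delay="$RETRY_BASE_SECONDS"; n=0
  log="$(mktemp)"
  trap 'rm -f "$log"' EXIT
  while :; do
    rc=0
    "$@" 2>"$log" || rc=$?
    cat "$log" >&2                      # keep the tool's own stderr in the CI log
    if [ "$rc" -eq 0 ]; then exit 0; fi
    if grep -Eiq "$NO_RETRY_PATTERN" "$log"; then
      echo "fetch: lockfile/integrity failure, not retrying" >&2
      exit 2
    fi
    [ "$n" -lt "$retries" ] || exit 1
    n=$((n + 1))
    echo "fetch: retry $n/$retries in ${delay}s" >&2
    sleep "$delay"
    delay=$((delay * 2))
  done
)

# In the fetch stage, before any tests run:
#   fetch_with_retry deno install --frozen || exit $?
```

Exit status 2 is worth routing to a different alert than status 1: the first means the artifact did not match the lockfile, the second means the link or registry stayed unreachable.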

Summary

Use deno.lock with --frozen, isolate DENO_DIR per pool, document JSR and npm egress separately, cap concurrent jobs, stretch install timeouts on WAN, retry with bounded backoff at CI.

Renting a dedicated remote Mac beats oversubscribing one desktop: stable proxy policy, no sleep/logout surprises, room for per-tenant caches.
