
feat: Add skip-install input#74

Merged: Mrtenz merged 2 commits into main from mrtenz/skip-install on Jun 11, 2026
Mrtenz commented Jun 11, 2026

Explanation

The action currently always runs yarn install (and surrounding cache lookups) as part of its setup. There are workflows that only need the repository checked out and Node.js available — for example, publishing to npm, where Node.js is required to run the publish action but installing the package's dependencies is undesirable from a supply-chain-security perspective. For those workflows, the install step is both wasted time and unnecessary attack surface.

This adds a new skip-install input (default false). When set to true, the action still performs the checkout and Node.js setup (including corepack enable and yarn hydration, so yarn itself is available), but skips:

  • The yarn.lock download and try-skip-setup cache lookup
  • The node_modules cache restore
  • The setup-node yarn cache restore
  • yarn --immutable
  • yarn allow-scripts
  • The post-install cache save

A new test-skip-install job in build-lint-test.yml exercises the new path and asserts that Node.js is set up, node_modules is absent, and no caches were consulted.


Note

Low Risk
Opt-in CI behavior change with default unchanged; reduces install surface when enabled rather than altering existing install paths.

Overview
Adds a skip-install action input (default false) so workflows can get checkout + Node.js (and Corepack/Yarn hydration) without installing dependencies or touching install caches.

When skip-install: true, the composite action skips yarn.lock prefetch, node_modules cache lookup/restore/save, setup-node yarn cache, yarn --immutable, and yarn allow-scripts. README documents the option; test-skip-install in CI asserts Node is configured, node_modules is absent, and cache outputs are not hit.

Reviewed by Cursor Bugbot for commit 640ad34. Bugbot is set up for automated code reviews on this repo. Configure here.
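
The state that the description says `test-skip-install` asserts (Node.js set up, `node_modules` absent, no caches consulted) can be checked with a guard step like the one below. This is an added example, not code from this PR or from the action; `verify_skip_install`, `REQUIRED_TOOLS` and the cache-hit values passed as arguments are assumptions, since the action's output names are not shown on this page.

```shell
#!/bin/sh
# Added example (not from the PR): post-setup guard for a job that uses
# skip-install: true. It fails if a tool is missing, if dependencies were
# installed anyway, or if a cache was restored.

# Tools that must be on PATH after setup (assumed list; override per job).
REQUIRED_TOOLS="${REQUIRED_TOOLS:-node yarn}"

# verify_skip_install <workdir> [cache-hit-value ...]
# Prints one line per violation; returns 0 when clean, 1 otherwise.
verify_skip_install() {
  vsi_dir="$1"
  shift
  vsi_fail=0

  # Node.js and Yarn hydration still happen, so both must resolve.
  for vsi_tool in $REQUIRED_TOOLS; do
    if ! command -v "$vsi_tool" >/dev/null 2>&1; then
      echo "missing tool: $vsi_tool"
      vsi_fail=1
    fi
  done

  # No node_modules anywhere in the checkout, workspace packages included.
  vsi_found="$(find "$vsi_dir" -type d -name node_modules -prune -print 2>/dev/null | head -n 1)"
  if [ -n "$vsi_found" ]; then
    echo "dependencies present: $vsi_found"
    vsi_fail=1
  fi

  # Each remaining argument is a cache-hit step output; none may be "true".
  for vsi_hit in "$@"; do
    if [ "$vsi_hit" = "true" ]; then
      echo "a cache was restored"
      vsi_fail=1
    fi
  done

  return "$vsi_fail"
}
```

In a workflow, call the function in the step after setup, passing the workspace path and whatever cache-hit outputs the job exposes.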

Mrtenz added 2 commits June 11, 2026 09:39
When set to `true`, the action checks out the repository and sets up
Node.js, but skips all Yarn install steps (cache lookups, install,
allow-scripts, and cache save). This is useful when a workflow only
needs Node.js available and manages its own dependency installation.
GitHub Actions needs `action.yml` on disk before it can resolve `uses:
./`, so a pre-checkout step is required like in every other test job.
@Mrtenz Mrtenz marked this pull request as ready for review June 11, 2026 08:15
@Mrtenz Mrtenz requested a review from a team as a code owner June 11, 2026 08:15
@Mrtenz Mrtenz merged commit 3c2ec75 into main Jun 11, 2026
36 checks passed
@Mrtenz Mrtenz deleted the mrtenz/skip-install branch June 11, 2026 10:08
pull Bot pushed a commit to dmrazzy/core that referenced this pull request Jun 11, 2026
## Explanation

The `check-release` composite action invokes `yarn workspaces list` to
enumerate published packages, but the job calling it never sets up the
project's pinned Yarn version. As a result, the runner's global Yarn
1.22.22 is used, which fails against the `packageManager` field in
`package.json` (`yarn@4.16.0`) with:

> This project's package.json defines "packageManager": "yarn@4.16.0".
However the current global version of Yarn is 1.22.22.

This PR replaces the standalone `actions/checkout@v5` step with
`MetaMask/action-checkout-and-setup@v3`, which sets up Node and Yarn via
Corepack. The new [`skip-install:
true`](MetaMask/action-checkout-and-setup#74)
input (added in v3.4.0) skips `yarn install`, which this action does not
need — it only needs `yarn workspaces list`, which reads workspace globs
from `package.json` directly.

## References

- Added in
[MetaMask/action-checkout-and-setup#74](MetaMask/action-checkout-and-setup#74)
(released in v3.4.0)

## Checklist

- [ ] I've updated the test suite for new or updated code as appropriate
- [ ] I've updated documentation (JSDoc, Markdown, etc.) for new or
updated code as appropriate
- [ ] I've communicated my changes to consumers by [updating changelogs
for packages I've
changed](https://github.com/MetaMask/core/tree/main/docs/processes/updating-changelogs.md)
- [ ] I've introduced [breaking
changes](https://github.com/MetaMask/core/tree/main/docs/processes/breaking-changes.md)
in this PR and have prepared draft pull requests for clients and
consumer packages to resolve them

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> CI-only workflow changes; no application runtime or release publish
logic is modified.
> 
> **Overview**
> Fixes the **check-release** composite action failing when it runs
`yarn workspaces list` because the runner used global Yarn 1.x instead
of the repo’s pinned **Yarn 4** from `packageManager`.
> 
> The action’s checkout step is replaced with
**`MetaMask/action-checkout-and-setup@v3`**, enabling Corepack/Yarn
without running **`yarn install`** (`skip-install: true`). In
**`main.yml`**, the **check-release** job’s checkout now uses
**`fetch-depth: 0`** so merge-base/git history checks still work after
checkout moved out of the composite action.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
f178d76. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->