ci: remove third-party borales/actions-yarn from workflows#130
Conversation
Drops the third-party borales/actions-yarn action from publish-npmjs.yml, unit-tests-V2.yml, and unit-tests-V3.yml. Reduces CI supply-chain surface: the previous action ran with full workflow permissions (including the npm OIDC token in publish-npmjs.yml). Replaced with corepack enable + yarn install --frozen-lockfile, using setup-node's built-in yarn cache. The packageManager field in package.json (yarn@1.22.22) pins the installed yarn version.
|
Warning Review the following alerts detected in dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.
|
What
Removes
borales/actions-yarn@v4from all three workflow files (publish-npmjs.yml,unit-tests-V2.yml,unit-tests-V3.yml). Replaces it withcorepack enable+yarn install --frozen-lockfile, usingactions/setup-node's built-in yarn cache.corepackreadspackageManager(yarn@1.22.22) frompackage.jsonand installs that exact yarn version.Why
Third-party GitHub Actions run inside our workflow with full access to job secrets and tokens. In
publish-npmjs.ymlthat includes the npm OIDC publish token; in the unit-test workflows it includes any secret exposed to the runner. Each external action is an item on our supply-chain attack surface — a compromise or malicious update silently inherits those permissions.corepackships with Node.js and does what this action did, with no third-party dependency.CI note
The
🧪 Testjob intermittently fails on this branch due to external GraphQL endpoint 502s inquick-sync-events-graph-v2andrailgun-txid-sync-graphtests — the rest of the suite passes. This flake exists onmainindependently and is not caused by this PR (the test makes live calls to a hosted Graph service that 502s periodically). Re-running usually clears it.