Skip to content

ci: remove third-party borales/actions-yarn from workflows#130

Merged
mattgle merged 1 commit into
mainfrom
ci/remove-third-party-actions
May 12, 2026
Merged

ci: remove third-party borales/actions-yarn from workflows#130
mattgle merged 1 commit into
mainfrom
ci/remove-third-party-actions

Conversation

@mattgle

@mattgle mattgle commented May 11, 2026

Copy link
Copy Markdown
Contributor

What

Removes borales/actions-yarn@v4 from all three workflow files (publish-npmjs.yml, unit-tests-V2.yml, unit-tests-V3.yml). Replaces it with corepack enable + yarn install --frozen-lockfile, using actions/setup-node's built-in yarn cache. corepack reads packageManager (yarn@1.22.22) from package.json and installs that exact yarn version.

Why

Third-party GitHub Actions run inside our workflow with full access to job secrets and tokens. In publish-npmjs.yml that includes the npm OIDC publish token; in the unit-test workflows it includes any secret exposed to the runner. Each external action is an item on our supply-chain attack surface — a compromise or malicious update silently inherits those permissions. corepack ships with Node.js and does what this action did, with no third-party dependency.

CI note

The 🧪 Test job intermittently fails on this branch due to external GraphQL endpoint 502s in quick-sync-events-graph-v2 and railgun-txid-sync-graph tests — the rest of the suite passes. This flake exists on main independently and is not caused by this PR (the test makes live calls to a hosted Graph service that 502s periodically). Re-running usually clears it.

Drops the third-party borales/actions-yarn action from publish-npmjs.yml,
unit-tests-V2.yml, and unit-tests-V3.yml. Reduces CI supply-chain surface:
the previous action ran with full workflow permissions (including the
npm OIDC token in publish-npmjs.yml). Replaced with corepack enable +
yarn install --frozen-lockfile, using setup-node's built-in yarn cache.
The packageManager field in package.json (yarn@1.22.22) pins the
installed yarn version.
@mattgle mattgle self-assigned this May 11, 2026
@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Protestware or unwanted behavior: npm es5-ext

Note: The script attempts to run a local post-install script, which could potentially contain malicious code. The error handling suggests that it is designed to fail silently, which is a common tactic in malicious scripts.

From: ?npm/es5-ext@0.10.64

ℹ Read more on: This package | This alert | What is protestware?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Consider that consuming this package may come along with functionality unrelated to its primary purpose.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/es5-ext@0.10.64. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@mattgle mattgle marked this pull request as ready for review May 11, 2026 18:02
@mattgle mattgle requested a review from mesquka May 11, 2026 18:02

@mesquka mesquka left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, simple change

@mattgle mattgle merged commit a56f26f into main May 12, 2026
3 of 5 checks passed
@mattgle mattgle deleted the ci/remove-third-party-actions branch May 12, 2026 13:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants