chore(ci): align Yarn 4 workflows and solidity workspace tooling

.github/actions/install-yarn-deps/action.yml

@@ -0,0 +1,56 @@
+name: Install Yarn dependencies (Yarn 4 / Corepack)
+description: >
+  Enable Corepack, set up the Git-for-Yarn wrapper, and run
+  `yarn install --immutable` in the given workspace. Centralises the
+  install incantation so each workflow does not need to re-export PATH,
+  GIT_CONFIG_*, or pin the Corepack-managed Yarn version.
+inputs:
+  working-directory:
+    description: "Workspace directory containing package.json and yarn.lock."
+    required: true
+runs:
+  using: composite
+  steps:
+    - name: Set up Git wrapper for Yarn git dependencies
+      uses: ./.github/actions/setup-git-for-yarn
+
+    - name: Cache Yarn artifacts
+      uses: actions/cache@v4
+      with:
+        path: |
+          ${{ inputs.working-directory }}/.yarn/cache
+          ${{ inputs.working-directory }}/.yarn/install-state.gz
+          ${{ inputs.working-directory }}/node_modules
+        key: yarn-${{ runner.os }}-${{ hashFiles(format('{0}/yarn.lock', inputs.working-directory)) }}
+        restore-keys: |
+          yarn-${{ runner.os }}-
+
+    - name: Install dependencies
+      shell: bash
+      working-directory: ${{ inputs.working-directory }}
+      run: |
+        set -euo pipefail
+        export PATH="${RUNNER_TEMP:-/tmp}/git-clean-bin:$PATH"
+        # Opt out of Yarn 4 hardened mode. Yarn auto-enables it on public PR
+        # contexts; we cannot use it here because the lockfiles contain
+        # legitimate npm-descriptor -> git-URL remaps (e.g. ethereumjs-abi
+        # @npm:0.6.8 -> github.com/ethereumjs/ethereumjs-abi.git#<commit>,
+        # because npm 0.6.8 was published broken). Hardened mode rejects all
+        # such remaps as potential supply-chain attacks, even when the
+        # remap is internally consistent with the rest of the lockfile.
+        # Note: lockfile checksums remain enforced (YARN_CHECKSUM_BEHAVIOR
+        # is left at its default), so per-package integrity is still checked.
+        export YARN_ENABLE_HARDENED_MODE=0
+        corepack enable
+        yarn --version
+        unset_args=()
+        while IFS='=' read -r key _; do
+          case "$key" in
+            GIT_CONFIG_*) unset_args+=("-u" "$key") ;;
+          esac
+        done < <(env)
+        env "${unset_args[@]}" \
+          GIT_CONFIG_NOSYSTEM=1 \
+          GIT_CONFIG_SYSTEM=/dev/null \
+          GIT_CONFIG_COUNT=0 \
+          yarn install --immutable

.github/actions/setup-git-for-yarn/action.yml

@@ -0,0 +1,48 @@
+name: Setup Git for Yarn (git dependencies)
+description: >
+  Configure Git so Yarn can clone dependencies (e.g. thesis/eslint-config) on
+  GitHub-hosted runners. Sets GIT_CONFIG_GLOBAL and GIT_CONFIG_NOSYSTEM to avoid
+  broken system config ("invalid key core.autocrlf" / unable to write config).
+runs:
+  using: composite
+  steps:
+    - name: Configure Git for Yarn clones
+      shell: bash
+      run: |
+        set -euo pipefail
+        SAFE_TMP="${RUNNER_TEMP:-/tmp}"
+        WRAPPER_DIR="${RUNNER_TEMP:-/tmp}/git-clean-bin"
+        SAFE_HOME="${SAFE_TMP}/git-clean-home"
+        SAFE_XDG_CONFIG_HOME="${SAFE_TMP}/git-clean-xdg-config"
+        REAL_GIT="$(command -v git)"
+
+        mkdir -p "$WRAPPER_DIR" "$SAFE_HOME" "$SAFE_XDG_CONFIG_HOME"
+        printf '%s\n' \
+          '#!/usr/bin/env bash' \
+          'set -euo pipefail' \
+          'unset GIT_CONFIG_PARAMETERS' \
+          "while IFS='=' read -r key _; do" \
+          '  case "$key" in' \
+          '    GIT_CONFIG_*) unset "$key" ;;' \
+          '  esac' \
+          'done < <(env)' \
+          "export HOME=\"${SAFE_HOME}\"" \
+          "export XDG_CONFIG_HOME=\"${SAFE_XDG_CONFIG_HOME}\"" \
+          'export GIT_CONFIG_GLOBAL=/dev/null' \
+          'export GIT_CONFIG_NOSYSTEM=1' \
+          'export GIT_CONFIG_SYSTEM=/dev/null' \
+          'export GIT_CONFIG_COUNT=0' \
+          "if ! pwd >/dev/null 2>&1; then cd \"${SAFE_TMP}\"; fi" \
+          "exec \"${REAL_GIT}\" \"\$@\"" \
+          >"${WRAPPER_DIR}/git"
+        chmod +x "${WRAPPER_DIR}/git"
+        # Only export the git-binary indirection vars to the job env. The
+        # wrapper itself re-creates a clean GIT_CONFIG_* environment on every
+        # invocation, so downstream steps that legitimately need to write
+        # global git config (e.g. docs publish setting user.email/name) are
+        # not silently redirected to /dev/null.
+        {
+          echo "GIT=${WRAPPER_DIR}/git"
+          echo "npm_config_git=${WRAPPER_DIR}/git"
+        } >> "$GITHUB_ENV"
+        echo "${WRAPPER_DIR}" >> "$GITHUB_PATH"

.github/workflows/contracts-ecdsa-docs.yml

@@ -42,7 +42,7 @@ jobs:
       needs.docs-detect-changes.outputs.path-filter == 'true'
         || github.event_name == 'push'
         || github.event_name == 'workflow_dispatch'
-    uses: keep-network/ci/.github/workflows/reusable-solidity-docs.yml@main
+    uses: ./.github/workflows/reusable-solidity-docs.yml
     with:
       projectDir: /solidity/ecdsa
       publish: false
@@ -71,7 +71,7 @@ jobs:
   contracts-docs-publish:
     name: Publish contracts documentation
     needs: contracts-docs-prepublish-wait
-    uses: keep-network/ci/.github/workflows/reusable-solidity-docs.yml@main
+    uses: ./.github/workflows/reusable-solidity-docs.yml
     with:
       projectDir: /solidity/ecdsa
       publish: true

.github/workflows/contracts-ecdsa.yml

@@ -56,11 +56,10 @@ jobs:
           # artifacts generation during `hardhat compile` - see
           # https://github.com/NomicFoundation/hardhat/issues/3877
           node-version: "18.15.0"
-          cache: "yarn"
-          cache-dependency-path: solidity/ecdsa/yarn.lock
 
-      - name: Install dependencies
-        run: yarn install
+      - uses: ./.github/actions/install-yarn-deps
+        with:
+          working-directory: ./solidity/ecdsa
 
       - name: Build
         run: yarn build
@@ -83,8 +82,6 @@ jobs:
           # artifacts generation during `hardhat compile` - see
           # https://github.com/NomicFoundation/hardhat/issues/3877
           node-version: "18.15.0"
-          cache: "yarn"
-          cache-dependency-path: solidity/ecdsa/yarn.lock
 
       - uses: actions/setup-python@v4
         with:
@@ -103,8 +100,9 @@ jobs:
           SLITHER_VERSION: 0.8.3
         run: pip3 install slither-analyzer==$SLITHER_VERSION
 
-      - name: Install dependencies
-        run: yarn install
+      - uses: ./.github/actions/install-yarn-deps
+        with:
+          working-directory: ./solidity/ecdsa
 
       # As a workaround for a slither issue https://github.com/crytic/slither/issues/1140
       # we disable compilation of dependencies when running slither.
@@ -126,11 +124,10 @@ jobs:
           # artifacts generation during `hardhat compile` - see
           # https://github.com/NomicFoundation/hardhat/issues/3877
           node-version: "18.15.0"
-          cache: "yarn"
-          cache-dependency-path: solidity/ecdsa/yarn.lock
 
-      - name: Install dependencies
-        run: yarn install
+      - uses: ./.github/actions/install-yarn-deps
+        with:
+          working-directory: ./solidity/ecdsa
 
       - name: Build solidity contracts
         run: yarn build
@@ -154,11 +151,10 @@ jobs:
           # artifacts generation during `hardhat compile` - see
           # https://github.com/NomicFoundation/hardhat/issues/3877
           node-version: "18.15.0"
-          cache: "yarn"
-          cache-dependency-path: solidity/ecdsa/yarn.lock
 
-      - name: Install dependencies
-        run: yarn install --frozen-lockfile
+      - uses: ./.github/actions/install-yarn-deps
+        with:
+          working-directory: ./solidity/ecdsa
 
       - name: Deploy contracts
         run: yarn deploy:test
@@ -188,12 +184,11 @@ jobs:
           # artifacts generation during `hardhat compile` - see
           # https://github.com/NomicFoundation/hardhat/issues/3877
           node-version: "18.15.0"
-          cache: "yarn"
-          cache-dependency-path: solidity/ecdsa/yarn.lock
           registry-url: "https://registry.npmjs.org"
 
-      - name: Install dependencies
-        run: yarn install --frozen-lockfile
+      - uses: ./.github/actions/install-yarn-deps
+        with:
+          working-directory: ./solidity/ecdsa
 
       - name: Get upstream packages versions
         uses: keep-network/ci/actions/upstream-builds-query@v2
@@ -206,7 +201,7 @@ jobs:
 
       - name: Resolve latest contracts
         run: |
-          yarn upgrade \
+          yarn up \
             @threshold-network/solidity-contracts@${{ steps.upstream-builds-query.outputs.threshold-contracts-version }} \
             @keep-network/random-beacon@${{ steps.upstream-builds-query.outputs.random-beacon-version }} \
             @keep-network/sortition-pools
@@ -217,7 +212,7 @@ jobs:
       # test environment it should be used temporarily only.
       - name: Use Sortition Pool forked contracts
         run: |
-          yarn upgrade @keep-network/sortition-pools@github:keep-network/sortition-pools#test-fork
+          yarn up @keep-network/sortition-pools@github:keep-network/sortition-pools#test-fork
 
       - name: Configure tenderly
         env:
@@ -289,12 +284,11 @@ jobs:
           # artifacts generation during `hardhat compile` - see
           # https://github.com/NomicFoundation/hardhat/issues/3877
           node-version: "18.15.0"
-          cache: "yarn"
-          cache-dependency-path: solidity/ecdsa/yarn.lock
           registry-url: "https://registry.npmjs.org"
 
-      - name: Install dependencies
-        run: yarn install --frozen-lockfile
+      - uses: ./.github/actions/install-yarn-deps
+        with:
+          working-directory: ./solidity/ecdsa
 
       - name: Get upstream packages versions
         uses: keep-network/ci/actions/upstream-builds-query@v2
@@ -307,7 +301,7 @@ jobs:
 
       - name: Resolve latest contracts
         run: |
-          yarn upgrade \
+          yarn up \
             @threshold-network/solidity-contracts@${{ steps.upstream-builds-query.outputs.threshold-contracts-version }} \
             @keep-network/random-beacon@${{ steps.upstream-builds-query.outputs.random-beacon-version }} \
             @keep-network/sortition-pools

.github/workflows/contracts-random-beacon-docs.yml

@@ -42,7 +42,7 @@ jobs:
       needs.docs-detect-changes.outputs.path-filter == 'true'
         || github.event_name == 'push'
         || github.event_name == 'workflow_dispatch'
-    uses: keep-network/ci/.github/workflows/reusable-solidity-docs.yml@main
+    uses: ./.github/workflows/reusable-solidity-docs.yml
     with:
       projectDir: /solidity/random-beacon
       publish: false
@@ -60,7 +60,7 @@ jobs:
     name: Publish contracts documentation
     needs: docs-detect-changes
     if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags/solidity/')
-    uses: keep-network/ci/.github/workflows/reusable-solidity-docs.yml@main
+    uses: ./.github/workflows/reusable-solidity-docs.yml
     with:
       projectDir: /solidity/random-beacon
       publish: true

.github/workflows/contracts-random-beacon.yml

@@ -56,11 +56,10 @@ jobs:
           # artifacts generation during `hardhat compile` - see
           # https://github.com/NomicFoundation/hardhat/issues/3877
           node-version: "18.15.0"
-          cache: "yarn"
-          cache-dependency-path: solidity/random-beacon/yarn.lock
 
-      - name: Install dependencies
-        run: yarn install --network-concurrency 1
+      - uses: ./.github/actions/install-yarn-deps
+        with:
+          working-directory: ./solidity/random-beacon
 
       - name: Build
         run: yarn build
@@ -83,8 +82,6 @@ jobs:
           # artifacts generation during `hardhat compile` - see
           # https://github.com/NomicFoundation/hardhat/issues/3877
           node-version: "18.15.0"
-          cache: "yarn"
-          cache-dependency-path: solidity/random-beacon/yarn.lock
 
       - uses: actions/setup-python@v4
         with:
@@ -103,8 +100,9 @@ jobs:
           SLITHER_VERSION: 0.8.3
         run: pip3 install slither-analyzer==$SLITHER_VERSION
 
-      - name: Install dependencies
-        run: yarn install --network-concurrency 1
+      - uses: ./.github/actions/install-yarn-deps
+        with:
+          working-directory: ./solidity/random-beacon
 
       - name: Run Slither
         run: slither .
@@ -124,11 +122,10 @@ jobs:
           # artifacts generation during `hardhat compile` - see
           # https://github.com/NomicFoundation/hardhat/issues/3877
           node-version: "18.15.0"
-          cache: "yarn"
-          cache-dependency-path: solidity/random-beacon/yarn.lock
 
-      - name: Install dependencies
-        run: yarn install --network-concurrency 1
+      - uses: ./.github/actions/install-yarn-deps
+        with:
+          working-directory: ./solidity/random-beacon
 
       - name: Build solidity contracts
         run: yarn build
@@ -152,11 +149,10 @@ jobs:
           # artifacts generation during `hardhat compile` - see
           # https://github.com/NomicFoundation/hardhat/issues/3877
           node-version: "18.15.0"
-          cache: "yarn"
-          cache-dependency-path: solidity/random-beacon/yarn.lock
 
-      - name: Install dependencies
-        run: yarn install --network-concurrency 1 --frozen-lockfile
+      - uses: ./.github/actions/install-yarn-deps
+        with:
+          working-directory: ./solidity/random-beacon
 
       - name: Deploy contracts
         run: yarn deploy:test
@@ -186,12 +182,11 @@ jobs:
           # artifacts generation during `hardhat compile` - see
           # https://github.com/NomicFoundation/hardhat/issues/3877
           node-version: "18.15.0"
-          cache: "yarn"
-          cache-dependency-path: solidity/random-beacon/yarn.lock
           registry-url: "https://registry.npmjs.org"
 
-      - name: Install dependencies
-        run: yarn install --network-concurrency 1 --frozen-lockfile
+      - uses: ./.github/actions/install-yarn-deps
+        with:
+          working-directory: ./solidity/random-beacon
 
       - name: Get upstream packages versions
         uses: keep-network/ci/actions/upstream-builds-query@v2
@@ -203,7 +198,7 @@ jobs:
 
       - name: Resolve latest contracts
         run: |
-          yarn upgrade \
+          yarn up \
             @threshold-network/solidity-contracts@${{ steps.upstream-builds-query.outputs.threshold-contracts-version }} \
             @keep-network/sortition-pools
 
@@ -213,7 +208,7 @@ jobs:
       # test environment it should be used temporarily only.
       - name: Use Sortition Pool forked contracts
         run: |
-          yarn upgrade @keep-network/sortition-pools@github:keep-network/sortition-pools#test-fork
+          yarn up @keep-network/sortition-pools@github:keep-network/sortition-pools#test-fork
 
       - name: Configure tenderly
         env:
@@ -285,12 +280,11 @@ jobs:
           # artifacts generation during `hardhat compile` - see
           # https://github.com/NomicFoundation/hardhat/issues/3877
           node-version: "18.15.0"
-          cache: "yarn"
-          cache-dependency-path: solidity/random-beacon/yarn.lock
           registry-url: "https://registry.npmjs.org"
 
-      - name: Install dependencies
-        run: yarn install --network-concurrency 1 --frozen-lockfile
+      - uses: ./.github/actions/install-yarn-deps
+        with:
+          working-directory: ./solidity/random-beacon
 
       - name: Get upstream packages versions
         uses: keep-network/ci/actions/upstream-builds-query@v2
@@ -302,7 +296,7 @@ jobs:
 
       - name: Resolve latest contracts
         run: |
-          yarn upgrade \
+          yarn up \
             @threshold-network/solidity-contracts@${{ steps.upstream-builds-query.outputs.threshold-contracts-version }} \
             @keep-network/sortition-pools