threshold-network · lionakhnazarov · May 25, 2026 · May 25, 2026 · Jun 4, 2026 · Jun 4, 2026
diff --git a/.github/actions/setup-git-for-yarn/action.yml b/.github/actions/setup-git-for-yarn/action.yml
@@ -0,0 +1,49 @@
+name: Setup Git for Yarn (git dependencies)
+description: >
+  Configure Git so Yarn can clone dependencies (e.g. thesis/eslint-config) on
+  GitHub-hosted runners. Sets GIT_CONFIG_GLOBAL and GIT_CONFIG_NOSYSTEM to avoid
+  broken system config ("invalid key core.autocrlf" / unable to write config).
+runs:
+  using: composite
+  steps:
+    - name: Configure Git for Yarn clones
+      shell: bash
+      run: |
+        set -euo pipefail
+        SAFE_TMP="${RUNNER_TEMP:-/tmp}"
+        WRAPPER_DIR="${RUNNER_TEMP:-/tmp}/git-clean-bin"
+        SAFE_HOME="${SAFE_TMP}/git-clean-home"
+        SAFE_XDG_CONFIG_HOME="${SAFE_TMP}/git-clean-xdg-config"
+        REAL_GIT="$(command -v git)"
+
+        mkdir -p "$WRAPPER_DIR" "$SAFE_HOME" "$SAFE_XDG_CONFIG_HOME"
+        printf '%s\n' \
+          '#!/usr/bin/env bash' \
+          'set -euo pipefail' \
+          'unset GIT_CONFIG_PARAMETERS' \
+          "while IFS='=' read -r key _; do" \
+          '  case "$key" in' \
+          '    GIT_CONFIG_*) unset "$key" ;;' \
+          '  esac' \
+          'done < <(env)' \
+          "export HOME=\"${SAFE_HOME}\"" \
+          "export XDG_CONFIG_HOME=\"${SAFE_XDG_CONFIG_HOME}\"" \
+          'export GIT_CONFIG_GLOBAL=/dev/null' \
+          'export GIT_CONFIG_NOSYSTEM=1' \
+          'export GIT_CONFIG_SYSTEM=/dev/null' \
+          'export GIT_CONFIG_COUNT=0' \
+          "if ! pwd >/dev/null 2>&1; then cd \"${SAFE_TMP}\"; fi" \
+          "exec \"${REAL_GIT}\" \"\$@\"" \
+          >"${WRAPPER_DIR}/git"
+        chmod +x "${WRAPPER_DIR}/git"
+        {
+          echo "GIT=${WRAPPER_DIR}/git"
+          echo "npm_config_git=${WRAPPER_DIR}/git"
+          echo "HOME=${SAFE_HOME}"
+          echo "XDG_CONFIG_HOME=${SAFE_XDG_CONFIG_HOME}"
+          echo "GIT_CONFIG_GLOBAL=/dev/null"
+          echo "GIT_CONFIG_NOSYSTEM=1"
+          echo "GIT_CONFIG_SYSTEM=/dev/null"
+          echo "GIT_CONFIG_COUNT=0"
+        } >> "$GITHUB_ENV"
+        echo "${WRAPPER_DIR}" >> "$GITHUB_PATH"
diff --git a/.github/workflows/contracts-ecdsa-docs.yml b/.github/workflows/contracts-ecdsa-docs.yml
@@ -42,7 +42,7 @@ jobs:
       needs.docs-detect-changes.outputs.path-filter == 'true'
         || github.event_name == 'push'
         || github.event_name == 'workflow_dispatch'
-    uses: keep-network/ci/.github/workflows/reusable-solidity-docs.yml@main
+    uses: ./.github/workflows/reusable-solidity-docs.yml
     with:
       projectDir: /solidity/ecdsa
       publish: false
@@ -71,7 +71,7 @@ jobs:
   contracts-docs-publish:
     name: Publish contracts documentation
     needs: contracts-docs-prepublish-wait
-    uses: keep-network/ci/.github/workflows/reusable-solidity-docs.yml@main
+    uses: ./.github/workflows/reusable-solidity-docs.yml
     with:
       projectDir: /solidity/ecdsa
       publish: true

diff --git a/.github/workflows/contracts-ecdsa.yml b/.github/workflows/contracts-ecdsa.yml
@@ -56,11 +56,32 @@ jobs:
           # artifacts generation during `hardhat compile` - see
           # https://github.com/NomicFoundation/hardhat/issues/3877
           node-version: "18.15.0"
-          cache: "yarn"
-          cache-dependency-path: solidity/ecdsa/yarn.lock
+
+      - uses: ./.github/actions/setup-git-for-yarn
 
       - name: Install dependencies
-        run: yarn install
+        run: |
+          export PATH="${RUNNER_TEMP:-/tmp}/git-clean-bin:$PATH"
+          unset GIT_CONFIG_PARAMETERS
+          export GIT_CONFIG_NOSYSTEM=1
+          export GIT_CONFIG_SYSTEM=/dev/null
+          export GIT_CONFIG_COUNT=0
+          export YARN_ENABLE_HARDENED_MODE=0
+          export YARN_CHECKSUM_BEHAVIOR=ignore
+          corepack enable
+          corepack prepare yarn@4.8.1 --activate
+          yarn --version
+          unset_args=()
+          while IFS='=' read -r key _; do
+            case "$key" in
+              GIT_CONFIG_*) unset_args+=("-u" "$key") ;;
+            esac
+          done < <(env)
+          env "${unset_args[@]}" \
+            GIT_CONFIG_NOSYSTEM=1 \
+            GIT_CONFIG_SYSTEM=/dev/null \
+            GIT_CONFIG_COUNT=0 \
+            yarn install --immutable
 
       - name: Build
         run: yarn build
@@ -83,8 +104,6 @@ jobs:
           # artifacts generation during `hardhat compile` - see
           # https://github.com/NomicFoundation/hardhat/issues/3877
           node-version: "18.15.0"
-          cache: "yarn"
-          cache-dependency-path: solidity/ecdsa/yarn.lock
 
       - uses: actions/setup-python@v4
         with:
@@ -103,8 +122,31 @@ jobs:
           SLITHER_VERSION: 0.8.3
         run: pip3 install slither-analyzer==$SLITHER_VERSION
 
+      - uses: ./.github/actions/setup-git-for-yarn
+
       - name: Install dependencies
-        run: yarn install
+        run: |
+          export PATH="${RUNNER_TEMP:-/tmp}/git-clean-bin:$PATH"
+          unset GIT_CONFIG_PARAMETERS
+          export GIT_CONFIG_NOSYSTEM=1
+          export GIT_CONFIG_SYSTEM=/dev/null
+          export GIT_CONFIG_COUNT=0
+          export YARN_ENABLE_HARDENED_MODE=0
+          export YARN_CHECKSUM_BEHAVIOR=ignore
+          corepack enable
+          corepack prepare yarn@4.8.1 --activate
+          yarn --version
+          unset_args=()
+          while IFS='=' read -r key _; do
+            case "$key" in
+              GIT_CONFIG_*) unset_args+=("-u" "$key") ;;
+            esac
+          done < <(env)
+          env "${unset_args[@]}" \
+            GIT_CONFIG_NOSYSTEM=1 \
+            GIT_CONFIG_SYSTEM=/dev/null \
+            GIT_CONFIG_COUNT=0 \
+            yarn install --immutable
 
       # As a workaround for a slither issue https://github.com/crytic/slither/issues/1140
       # we disable compilation of dependencies when running slither.
@@ -126,11 +168,32 @@ jobs:
           # artifacts generation during `hardhat compile` - see
           # https://github.com/NomicFoundation/hardhat/issues/3877
           node-version: "18.15.0"
-          cache: "yarn"
-          cache-dependency-path: solidity/ecdsa/yarn.lock
+
+      - uses: ./.github/actions/setup-git-for-yarn
 
       - name: Install dependencies
-        run: yarn install
+        run: |
+          export PATH="${RUNNER_TEMP:-/tmp}/git-clean-bin:$PATH"
+          unset GIT_CONFIG_PARAMETERS
+          export GIT_CONFIG_NOSYSTEM=1
+          export GIT_CONFIG_SYSTEM=/dev/null
+          export GIT_CONFIG_COUNT=0
+          export YARN_ENABLE_HARDENED_MODE=0
+          export YARN_CHECKSUM_BEHAVIOR=ignore
+          corepack enable
+          corepack prepare yarn@4.8.1 --activate
+          yarn --version
+          unset_args=()
+          while IFS='=' read -r key _; do
+            case "$key" in
+              GIT_CONFIG_*) unset_args+=("-u" "$key") ;;
+            esac
+          done < <(env)
+          env "${unset_args[@]}" \
+            GIT_CONFIG_NOSYSTEM=1 \
+            GIT_CONFIG_SYSTEM=/dev/null \
+            GIT_CONFIG_COUNT=0 \
+            yarn install --immutable
 
       - name: Build solidity contracts
         run: yarn build
@@ -154,11 +217,32 @@ jobs:
           # artifacts generation during `hardhat compile` - see
           # https://github.com/NomicFoundation/hardhat/issues/3877
           node-version: "18.15.0"
-          cache: "yarn"
-          cache-dependency-path: solidity/ecdsa/yarn.lock
+
+      - uses: ./.github/actions/setup-git-for-yarn
 
       - name: Install dependencies
-        run: yarn install --frozen-lockfile
+        run: |
+          export PATH="${RUNNER_TEMP:-/tmp}/git-clean-bin:$PATH"
+          unset GIT_CONFIG_PARAMETERS
+          export GIT_CONFIG_NOSYSTEM=1
+          export GIT_CONFIG_SYSTEM=/dev/null
+          export GIT_CONFIG_COUNT=0
+          export YARN_ENABLE_HARDENED_MODE=0
+          export YARN_CHECKSUM_BEHAVIOR=ignore
+          corepack enable
+          corepack prepare yarn@4.8.1 --activate
+          yarn --version
+          unset_args=()
+          while IFS='=' read -r key _; do
+            case "$key" in
+              GIT_CONFIG_*) unset_args+=("-u" "$key") ;;
+            esac
+          done < <(env)
+          env "${unset_args[@]}" \
+            GIT_CONFIG_NOSYSTEM=1 \
+            GIT_CONFIG_SYSTEM=/dev/null \
+            GIT_CONFIG_COUNT=0 \
+            yarn install --immutable
 
       - name: Deploy contracts
         run: yarn deploy:test
@@ -188,12 +272,33 @@ jobs:
           # artifacts generation during `hardhat compile` - see
           # https://github.com/NomicFoundation/hardhat/issues/3877
           node-version: "18.15.0"
-          cache: "yarn"
-          cache-dependency-path: solidity/ecdsa/yarn.lock
           registry-url: "https://registry.npmjs.org"
 
+      - uses: ./.github/actions/setup-git-for-yarn
+
       - name: Install dependencies
-        run: yarn install --frozen-lockfile
+        run: |
+          export PATH="${RUNNER_TEMP:-/tmp}/git-clean-bin:$PATH"
+          unset GIT_CONFIG_PARAMETERS
+          export GIT_CONFIG_NOSYSTEM=1
+          export GIT_CONFIG_SYSTEM=/dev/null
+          export GIT_CONFIG_COUNT=0
+          export YARN_ENABLE_HARDENED_MODE=0
+          export YARN_CHECKSUM_BEHAVIOR=ignore
+          corepack enable
+          corepack prepare yarn@4.8.1 --activate
+          yarn --version
+          unset_args=()
+          while IFS='=' read -r key _; do
+            case "$key" in
+              GIT_CONFIG_*) unset_args+=("-u" "$key") ;;
+            esac
+          done < <(env)
+          env "${unset_args[@]}" \
+            GIT_CONFIG_NOSYSTEM=1 \
+            GIT_CONFIG_SYSTEM=/dev/null \
+            GIT_CONFIG_COUNT=0 \
+            yarn install --immutable
 
       - name: Get upstream packages versions
         uses: keep-network/ci/actions/upstream-builds-query@v2
@@ -289,12 +394,33 @@ jobs:
           # artifacts generation during `hardhat compile` - see
           # https://github.com/NomicFoundation/hardhat/issues/3877
           node-version: "18.15.0"
-          cache: "yarn"
-          cache-dependency-path: solidity/ecdsa/yarn.lock
           registry-url: "https://registry.npmjs.org"
 
+      - uses: ./.github/actions/setup-git-for-yarn
+
       - name: Install dependencies
-        run: yarn install --frozen-lockfile
+        run: |
+          export PATH="${RUNNER_TEMP:-/tmp}/git-clean-bin:$PATH"
+          unset GIT_CONFIG_PARAMETERS
+          export GIT_CONFIG_NOSYSTEM=1
+          export GIT_CONFIG_SYSTEM=/dev/null
+          export GIT_CONFIG_COUNT=0
+          export YARN_ENABLE_HARDENED_MODE=0
+          export YARN_CHECKSUM_BEHAVIOR=ignore
+          corepack enable
+          corepack prepare yarn@4.8.1 --activate
+          yarn --version
+          unset_args=()
+          while IFS='=' read -r key _; do
+            case "$key" in
+              GIT_CONFIG_*) unset_args+=("-u" "$key") ;;
+            esac
+          done < <(env)
+          env "${unset_args[@]}" \
+            GIT_CONFIG_NOSYSTEM=1 \
+            GIT_CONFIG_SYSTEM=/dev/null \
+            GIT_CONFIG_COUNT=0 \
+            yarn install --immutable
 
       - name: Get upstream packages versions
         uses: keep-network/ci/actions/upstream-builds-query@v2

diff --git a/.github/workflows/contracts-random-beacon-docs.yml b/.github/workflows/contracts-random-beacon-docs.yml
@@ -42,7 +42,7 @@ jobs:
       needs.docs-detect-changes.outputs.path-filter == 'true'
         || github.event_name == 'push'
         || github.event_name == 'workflow_dispatch'
-    uses: keep-network/ci/.github/workflows/reusable-solidity-docs.yml@main
+    uses: ./.github/workflows/reusable-solidity-docs.yml
     with:
       projectDir: /solidity/random-beacon
       publish: false
@@ -60,7 +60,7 @@ jobs:
     name: Publish contracts documentation
     needs: docs-detect-changes
     if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags/solidity/')
-    uses: keep-network/ci/.github/workflows/reusable-solidity-docs.yml@main
+    uses: ./.github/workflows/reusable-solidity-docs.yml
     with:
       projectDir: /solidity/random-beacon
       publish: true