threshold-network · lrsaturnino · Jun 6, 2026 · Jun 4, 2026 · Jun 4, 2026 · Jun 4, 2026
diff --git a/.github/actions/install-yarn-deps/action.yml b/.github/actions/install-yarn-deps/action.yml
@@ -0,0 +1,56 @@
+name: Install Yarn dependencies (Yarn 4 / Corepack)
+description: >
+  Enable Corepack, set up the Git-for-Yarn wrapper, and run
+  `yarn install --immutable` in the given workspace. Centralises the
+  install incantation so each workflow does not need to re-export PATH,
+  GIT_CONFIG_*, or pin the Corepack-managed Yarn version.
+inputs:
+  working-directory:
+    description: "Workspace directory containing package.json and yarn.lock."
+    required: true
+runs:
+  using: composite
+  steps:
+    - name: Set up Git wrapper for Yarn git dependencies
+      uses: ./.github/actions/setup-git-for-yarn
+
+    - name: Cache Yarn artifacts
+      uses: actions/cache@v4
+      with:
+        path: |
+          ${{ inputs.working-directory }}/.yarn/cache
+          ${{ inputs.working-directory }}/.yarn/install-state.gz
+          ${{ inputs.working-directory }}/node_modules
+        key: yarn-${{ runner.os }}-${{ hashFiles(format('{0}/yarn.lock', inputs.working-directory)) }}
+        restore-keys: |
+          yarn-${{ runner.os }}-
+
+    - name: Install dependencies
+      shell: bash
+      working-directory: ${{ inputs.working-directory }}
+      run: |
+        set -euo pipefail
+        export PATH="${RUNNER_TEMP:-/tmp}/git-clean-bin:$PATH"
+        # Opt out of Yarn 4 hardened mode. Yarn auto-enables it on public PR
+        # contexts; we cannot use it here because the lockfiles contain
+        # legitimate npm-descriptor -> git-URL remaps (e.g. ethereumjs-abi
+        # @npm:0.6.8 -> github.com/ethereumjs/ethereumjs-abi.git#<commit>,
+        # because npm 0.6.8 was published broken). Hardened mode rejects all
+        # such remaps as potential supply-chain attacks, even when the
+        # remap is internally consistent with the rest of the lockfile.
+        # Note: lockfile checksums remain enforced (YARN_CHECKSUM_BEHAVIOR
+        # is left at its default), so per-package integrity is still checked.
+        export YARN_ENABLE_HARDENED_MODE=0
+        corepack enable
+        yarn --version
+        unset_args=()
+        while IFS='=' read -r key _; do
+          case "$key" in
+            GIT_CONFIG_*) unset_args+=("-u" "$key") ;;
+          esac
+        done < <(env)
+        env "${unset_args[@]}" \
+          GIT_CONFIG_NOSYSTEM=1 \
+          GIT_CONFIG_SYSTEM=/dev/null \
+          GIT_CONFIG_COUNT=0 \
+          yarn install --immutable
diff --git a/.github/actions/setup-git-for-yarn/action.yml b/.github/actions/setup-git-for-yarn/action.yml
@@ -36,14 +36,13 @@ runs:
           "exec \"${REAL_GIT}\" \"\$@\"" \
           >"${WRAPPER_DIR}/git"
         chmod +x "${WRAPPER_DIR}/git"
+        # Only export the git-binary indirection vars to the job env. The
+        # wrapper itself re-creates a clean GIT_CONFIG_* environment on every
+        # invocation, so downstream steps that legitimately need to write
+        # global git config (e.g. docs publish setting user.email/name) are
+        # not silently redirected to /dev/null.
         {
           echo "GIT=${WRAPPER_DIR}/git"
           echo "npm_config_git=${WRAPPER_DIR}/git"
-          echo "HOME=${SAFE_HOME}"
-          echo "XDG_CONFIG_HOME=${SAFE_XDG_CONFIG_HOME}"
-          echo "GIT_CONFIG_GLOBAL=/dev/null"
-          echo "GIT_CONFIG_NOSYSTEM=1"
-          echo "GIT_CONFIG_SYSTEM=/dev/null"
-          echo "GIT_CONFIG_COUNT=0"
         } >> "$GITHUB_ENV"
         echo "${WRAPPER_DIR}" >> "$GITHUB_PATH"
diff --git a/.github/workflows/contracts-ecdsa.yml b/.github/workflows/contracts-ecdsa.yml
@@ -57,31 +57,9 @@ jobs:
           # https://github.com/NomicFoundation/hardhat/issues/3877
           node-version: "18.15.0"
 
-      - uses: ./.github/actions/setup-git-for-yarn
-
-      - name: Install dependencies
-        run: |
-          export PATH="${RUNNER_TEMP:-/tmp}/git-clean-bin:$PATH"
-          unset GIT_CONFIG_PARAMETERS
-          export GIT_CONFIG_NOSYSTEM=1
-          export GIT_CONFIG_SYSTEM=/dev/null
-          export GIT_CONFIG_COUNT=0
-          export YARN_ENABLE_HARDENED_MODE=0
-          export YARN_CHECKSUM_BEHAVIOR=ignore
-          corepack enable
-          corepack prepare yarn@4.8.1 --activate
-          yarn --version
-          unset_args=()
-          while IFS='=' read -r key _; do
-            case "$key" in
-              GIT_CONFIG_*) unset_args+=("-u" "$key") ;;
-            esac
-          done < <(env)
-          env "${unset_args[@]}" \
-            GIT_CONFIG_NOSYSTEM=1 \
-            GIT_CONFIG_SYSTEM=/dev/null \
-            GIT_CONFIG_COUNT=0 \
-            yarn install --immutable
+      - uses: ./.github/actions/install-yarn-deps
+        with:
+          working-directory: ./solidity/ecdsa
 
       - name: Build
         run: yarn build
@@ -122,31 +100,9 @@ jobs:
           SLITHER_VERSION: 0.8.3
         run: pip3 install slither-analyzer==$SLITHER_VERSION
 
-      - uses: ./.github/actions/setup-git-for-yarn
-
-      - name: Install dependencies
-        run: |
-          export PATH="${RUNNER_TEMP:-/tmp}/git-clean-bin:$PATH"
-          unset GIT_CONFIG_PARAMETERS
-          export GIT_CONFIG_NOSYSTEM=1
-          export GIT_CONFIG_SYSTEM=/dev/null
-          export GIT_CONFIG_COUNT=0
-          export YARN_ENABLE_HARDENED_MODE=0
-          export YARN_CHECKSUM_BEHAVIOR=ignore
-          corepack enable
-          corepack prepare yarn@4.8.1 --activate
-          yarn --version
-          unset_args=()
-          while IFS='=' read -r key _; do
-            case "$key" in
-              GIT_CONFIG_*) unset_args+=("-u" "$key") ;;
-            esac
-          done < <(env)
-          env "${unset_args[@]}" \
-            GIT_CONFIG_NOSYSTEM=1 \
-            GIT_CONFIG_SYSTEM=/dev/null \
-            GIT_CONFIG_COUNT=0 \
-            yarn install --immutable
+      - uses: ./.github/actions/install-yarn-deps
+        with:
+          working-directory: ./solidity/ecdsa
 
       # As a workaround for a slither issue https://github.com/crytic/slither/issues/1140
       # we disable compilation of dependencies when running slither.
@@ -169,31 +125,9 @@ jobs:
           # https://github.com/NomicFoundation/hardhat/issues/3877
           node-version: "18.15.0"
 
-      - uses: ./.github/actions/setup-git-for-yarn
-
-      - name: Install dependencies
-        run: |
-          export PATH="${RUNNER_TEMP:-/tmp}/git-clean-bin:$PATH"
-          unset GIT_CONFIG_PARAMETERS
-          export GIT_CONFIG_NOSYSTEM=1
-          export GIT_CONFIG_SYSTEM=/dev/null
-          export GIT_CONFIG_COUNT=0
-          export YARN_ENABLE_HARDENED_MODE=0
-          export YARN_CHECKSUM_BEHAVIOR=ignore
-          corepack enable
-          corepack prepare yarn@4.8.1 --activate
-          yarn --version
-          unset_args=()
-          while IFS='=' read -r key _; do
-            case "$key" in
-              GIT_CONFIG_*) unset_args+=("-u" "$key") ;;
-            esac
-          done < <(env)
-          env "${unset_args[@]}" \
-            GIT_CONFIG_NOSYSTEM=1 \
-            GIT_CONFIG_SYSTEM=/dev/null \
-            GIT_CONFIG_COUNT=0 \
-            yarn install --immutable
+      - uses: ./.github/actions/install-yarn-deps
+        with:
+          working-directory: ./solidity/ecdsa
 
       - name: Build solidity contracts
         run: yarn build
@@ -218,31 +152,9 @@ jobs:
           # https://github.com/NomicFoundation/hardhat/issues/3877
           node-version: "18.15.0"
 
-      - uses: ./.github/actions/setup-git-for-yarn
-
-      - name: Install dependencies
-        run: |
-          export PATH="${RUNNER_TEMP:-/tmp}/git-clean-bin:$PATH"
-          unset GIT_CONFIG_PARAMETERS
-          export GIT_CONFIG_NOSYSTEM=1
-          export GIT_CONFIG_SYSTEM=/dev/null
-          export GIT_CONFIG_COUNT=0
-          export YARN_ENABLE_HARDENED_MODE=0
-          export YARN_CHECKSUM_BEHAVIOR=ignore
-          corepack enable
-          corepack prepare yarn@4.8.1 --activate
-          yarn --version
-          unset_args=()
-          while IFS='=' read -r key _; do
-            case "$key" in
-              GIT_CONFIG_*) unset_args+=("-u" "$key") ;;
-            esac
-          done < <(env)
-          env "${unset_args[@]}" \
-            GIT_CONFIG_NOSYSTEM=1 \
-            GIT_CONFIG_SYSTEM=/dev/null \
-            GIT_CONFIG_COUNT=0 \
-            yarn install --immutable
+      - uses: ./.github/actions/install-yarn-deps
+        with:
+          working-directory: ./solidity/ecdsa
 
       - name: Deploy contracts
         run: yarn deploy:test
@@ -274,31 +186,9 @@ jobs:
           node-version: "18.15.0"
           registry-url: "https://registry.npmjs.org"
 
-      - uses: ./.github/actions/setup-git-for-yarn
-
-      - name: Install dependencies
-        run: |
-          export PATH="${RUNNER_TEMP:-/tmp}/git-clean-bin:$PATH"
-          unset GIT_CONFIG_PARAMETERS
-          export GIT_CONFIG_NOSYSTEM=1
-          export GIT_CONFIG_SYSTEM=/dev/null
-          export GIT_CONFIG_COUNT=0
-          export YARN_ENABLE_HARDENED_MODE=0
-          export YARN_CHECKSUM_BEHAVIOR=ignore
-          corepack enable
-          corepack prepare yarn@4.8.1 --activate
-          yarn --version
-          unset_args=()
-          while IFS='=' read -r key _; do
-            case "$key" in
-              GIT_CONFIG_*) unset_args+=("-u" "$key") ;;
-            esac
-          done < <(env)
-          env "${unset_args[@]}" \
-            GIT_CONFIG_NOSYSTEM=1 \
-            GIT_CONFIG_SYSTEM=/dev/null \
-            GIT_CONFIG_COUNT=0 \
-            yarn install --immutable
+      - uses: ./.github/actions/install-yarn-deps
+        with:
+          working-directory: ./solidity/ecdsa
 
       - name: Get upstream packages versions
         uses: keep-network/ci/actions/upstream-builds-query@v2
@@ -396,31 +286,9 @@ jobs:
           node-version: "18.15.0"
           registry-url: "https://registry.npmjs.org"
 
-      - uses: ./.github/actions/setup-git-for-yarn
-
-      - name: Install dependencies
-        run: |
-          export PATH="${RUNNER_TEMP:-/tmp}/git-clean-bin:$PATH"
-          unset GIT_CONFIG_PARAMETERS
-          export GIT_CONFIG_NOSYSTEM=1
-          export GIT_CONFIG_SYSTEM=/dev/null
-          export GIT_CONFIG_COUNT=0
-          export YARN_ENABLE_HARDENED_MODE=0
-          export YARN_CHECKSUM_BEHAVIOR=ignore
-          corepack enable
-          corepack prepare yarn@4.8.1 --activate
-          yarn --version
-          unset_args=()
-          while IFS='=' read -r key _; do
-            case "$key" in
-              GIT_CONFIG_*) unset_args+=("-u" "$key") ;;
-            esac
-          done < <(env)
-          env "${unset_args[@]}" \
-            GIT_CONFIG_NOSYSTEM=1 \
-            GIT_CONFIG_SYSTEM=/dev/null \
-            GIT_CONFIG_COUNT=0 \
-            yarn install --immutable
+      - uses: ./.github/actions/install-yarn-deps
+        with:
+          working-directory: ./solidity/ecdsa
 
       - name: Get upstream packages versions
         uses: keep-network/ci/actions/upstream-builds-query@v2