ci: Upgrade Yarn to 4.16.0 and align workflows with module template

[Mrtenz]

Summary

• Upgrades Yarn from 3.2.1 to 4.16.0 and aligns .yarnrc.yml with the module template (Corepack, approvedGitRepositories: [], npmMinimalAgeGate: 4320, npmPreapprovedPackages)
• Updates action-npm-publish from v1 to v6
• Fully aligns CI workflows with the metamask-module-template:
  • Added main.yml — top-level orchestration workflow (actionlint, security scan, build/lint/test, release gating)
  • Added build-lint-test.yml — reusable workflow with prepare/build/lint/test/compatibility-test jobs on Node 20/22/24 using action-checkout-and-setup@v3
  • Rewrote publish-release.yml as a reusable workflow_call — restructured as build → publish-npm-dry-run → publish-npm → publish-release; GitHub release now happens after npm publish; uses action-publish-release@v3
  • Updated create-release-pr.yml — uses action-checkout-and-setup@v3, action-create-release-pr@v5, release-type is now a choice input
  • Updated publish-preview.yml — action-checkout-and-setup@v1 → v3
  • Deleted build-test.yml and security-code-scanner.yml — consolidated into main.yml
  • Added actionlint-matcher.json and actionlint.yml
• Adds lint:changelog script (auto-changelog validate --formatter prettier) and wires it into lint and lint:fix

---

Note

Medium Risk
Changes npm publish ordering, release gating, and Node matrix coverage, which can block merges or alter how/when packages ship if misconfigured.

Overview
Replaces the monolithic build-test.yml CI with a main.yml entrypoint that runs actionlint (with a GitHub problem matcher), invokes the reusable MetaMask security scan workflow, and calls a new reusable build-lint-test.yml for prepare/build/lint/test plus a lockfile-free compatibility test on Node 20/22/24 via MetaMask/action-checkout-and-setup@v3.

Release and publish behavior shifts: publish-release.yml is now workflow_call-only and runs build → npm dry-run → npm publish → GitHub release (GitHub release after npm), using artifact upload/download instead of commit-keyed cache and action-npm-publish@v6 / action-publish-release@v3. main.yml gates publishing on all-jobs-pass, action-is-release@v2, and push events whose head commit author is github-actions.

create-release-pr.yml moves to action-create-release-pr@v5, makes release-type a choice input (including empty), and drops the release-authors artifact upload. publish-preview.yml bumps checkout/setup to v3. Adds actionlint.yml to ignore the intentional empty release-type option.

^{Reviewed by Cursor Bugbot for commit 9e17710. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.