fix(workflows): use frozen lockfile and ignore scripts for all installs

sserrata · claude · sserrata · commit c2301d9989e5 · 2026-03-31T10:31:46.000-04:00
Standardizes yarn install flags across all CI workflows:
- --frozen-lockfile: ensures lockfile is the authoritative source (equivalent to npm ci)
- --prefer-offline: prefer cache to reduce network overhead
- --ignore-scripts: skip postinstall lifecycle scripts for security (validated locally)

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/build-perf.yml b/.github/workflows/build-perf.yml
@@ -46,7 +46,7 @@ jobs:
           node-version: "22"
           cache: yarn
       - name: Installation
-        run: yarn
+        run: yarn --frozen-lockfile --prefer-offline --ignore-scripts
 
       # Ensure build with a cold cache does not increase too much
       - name: Build (cold cache)
diff --git a/.github/workflows/canary-beta-release.yml b/.github/workflows/canary-beta-release.yml
@@ -35,7 +35,7 @@ jobs:
         env:
           NPM_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}
       - name: Installation
-        run: yarn && yarn build-packages
+        run: yarn --frozen-lockfile --prefer-offline --ignore-scripts && yarn build-packages
       - name: Publish Canary release
         run: |
           yarn canaryBeta
diff --git a/.github/workflows/deploy-live.yml b/.github/workflows/deploy-live.yml
@@ -23,7 +23,7 @@ jobs:
           cache: "yarn"
 
       - name: Install dependencies
-        run: yarn --prefer-offline
+        run: yarn --frozen-lockfile --prefer-offline --ignore-scripts
 
       - name: Build packages
         run: yarn build-packages
diff --git a/.github/workflows/deploy-preview.yml b/.github/workflows/deploy-preview.yml
@@ -112,7 +112,7 @@ jobs:
           cache: "yarn"
 
       - name: Install dependencies
-        run: yarn --prefer-offline --ignore-scripts
+        run: yarn --frozen-lockfile --prefer-offline --ignore-scripts
 
       - name: Build packages
         run: yarn build-packages
@@ -202,7 +202,7 @@ jobs:
           cache: "yarn"
 
       - name: Install dependencies
-        run: yarn --prefer-offline
+        run: yarn --frozen-lockfile --prefer-offline --ignore-scripts
 
       - name: Install Playwright
         run: npx playwright install --with-deps chromium
