Harden dependency installs (#128)

kvz · web-flow · commit f6541b1deb7c · 2026-05-12T14:13:41.000+02:00
* Harden dependency installs

* Avoid release workflow dependency caches
diff --git a/.github/workflows/ci-monolib.yml b/.github/workflows/ci-monolib.yml
@@ -40,6 +40,6 @@ jobs:
             ${{ runner.os }}-
 
       - run: corepack yarn config set enableHardenedMode false
-      - run: corepack yarn install
+      - run: corepack yarn install --immutable
 
       - run: corepack yarn check
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -44,16 +44,6 @@ jobs:
           echo "npm ${version}"
           node -e "const version = process.argv[1]; const [major, minor, patch] = version.split('.').map(Number); if (major < 11 || (major === 11 && (minor < 5 || (minor === 5 && patch < 1)))) { throw new Error('npm 11.5.1 or newer is required for trusted publishing'); }" "$version"
 
-      - name: 🏗 Setup Caching
-        uses: actions/cache@v4
-        with:
-          path: |
-            **/node_modules
-            .yarn/cache
-          key: ${{ runner.os }}-${{ hashFiles('**/yarn.lock', '**/package.json') }}
-          restore-keys: |
-            ${{ runner.os }}-
-
       # Allow yarn to make changes during release
       - run: corepack yarn config set enableHardenedMode false
       - run: corepack yarn --mode=update-lockfile
diff --git a/.yarnrc.yml b/.yarnrc.yml
@@ -3,3 +3,5 @@ enableGlobalCache: true
 nodeLinker: node-modules
 
 npmRegistryServer: "https://registry.npmjs.org"
+
+npmMinimalAgeGate: 2880
diff --git a/package.json b/package.json
@@ -35,7 +35,7 @@
     "npm-run-all": "^4.1.5",
     "typescript": "^5.9.3"
   },
-  "packageManager": "yarn@4.9.4",
+  "packageManager": "yarn@4.12.0",
   "engines": {
     "node": ">= 18",
     "yarn": "4.2.1"
