ci: remove borales and BerniWittmann third-party actions #133
Merged
Drops two third-party actions from .github/workflows/:

- borales/actions-yarn (in all five workflow files): replaced with corepack + yarn install --frozen-lockfile, using setup-node's built-in yarn cache.
- BerniWittmann/background-server-action (in integration-tests-V2.yml and integration-tests-V3.yml): replaced with explicit background shell steps. Each one launches the Hardhat node (`npm run node` / `npx hardhat node`) in the background, polls localhost:8545 over JSON-RPC until ready (matching the action's wait-on behaviour), runs the deploy + test steps, then kills the recorded PID in an `if: always()` cleanup step so the node never leaks past the job.

Reduces CI supply-chain surface: every workflow either runs with the npm OIDC token in scope (publish) or checks out the private Railgun-Privacy/contract repo (integration tests), so removing each third-party action removes a path a compromised action could use to exfiltrate those credentials.

The engine and contract repos are checked out into ./engine/ and ./contract/ subdirectories, so there is no yarn.lock at the workspace root. setup-node's `cache: 'yarn'` fails with "Dependencies lock file is not found" before any install step runs. Removing the cache directive unblocks the workflow. If caching is wanted later, the right approach is `cache-dependency-path` set to each subdir's lockfile - but for integration tests that's arguably not worth the extra complexity.
mesquka
approved these changes
May 12, 2026
What

Removes every non-`actions/*` action from `.github/workflows/`:

- `borales/actions-yarn` in `publish-npmjs.yml`, `unit-tests-V2.yml`, `unit-tests-V3.yml`, `integration-tests-V2.yml`, `integration-tests-V3.yml` → `corepack enable` + `yarn install --frozen-lockfile`, with setup-node's built-in yarn cache where there's a workspace-root lockfile.
- `BerniWittmann/background-server-action` in `integration-tests-V2.yml` and `integration-tests-V3.yml` → an explicit background shell pattern that mirrors the action's three behaviours: start the Hardhat node in the background, poll `http://localhost:8545` over JSON-RPC until it responds (replacing the action's `wait-on`), run the deploy + test steps, then kill the recorded PID in an `if: always()` cleanup step so the node never leaks past the job.

Drops `cache: 'yarn'` from `setup-node` in the two integration workflows: engine and contract are checked out into `./engine/` and `./contract/` subdirectories, so the workspace root has no `yarn.lock` for setup-node to hash a cache key from.

Why

Every workflow in this repo either runs with the npm OIDC publish token in scope or checks out the private `Railgun-Privacy/contract` repo for integration tests. Each third-party action layered into those workflows is a separate item on our supply-chain attack surface. The `corepack` replacement pins the yarn version (via `packageManager` in `package.json`) more strictly than the previous action did. The hardhat-server replacement makes startup-wait and teardown explicit instead of relying on an unmaintained third-party wrapper.

CI note

`🧪 Integration Tests` includes a perf benchmark (`WASM should be 5x-10x faster than JavaScript` in `keys-utils-perf.test.ts`) that occasionally fails on noisy CI runners when WASM lands just under the 5x threshold (e.g. 4.86x). 164 of 165 integration tests pass; this is not caused by this PR — the perf test is sensitive to runner load and has been flaky on `main` too. Re-running usually clears it.
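
The start / wait / cleanup pattern described in this PR, sketched as shell functions. This is an added example, not the workflow code from the PR; the function names, the PID file location and the `eth_blockNumber` readiness probe are assumptions.

```shell
#!/usr/bin/env bash
# Added example; start_bg, wait_for_rpc, stop_bg and PID_FILE are hypothetical names.
# Each workflow `run:` step is a fresh shell, so the PID is handed over through a file.
PID_FILE="${PID_FILE:-${RUNNER_TEMP:-/tmp}/bg-node.pid}"

# Launch a command in the background and record its PID for the cleanup step.
start_bg() {
  "$@" >/dev/null 2>&1 &
  echo "$!" > "$PID_FILE"
}

# Poll a JSON-RPC endpoint until it returns a "result" member, or give up.
# eth_blockNumber is an assumed probe; the PR text does not name the method used.
# Args: url [attempts=60] [delay_seconds=1]
wait_for_rpc() {
  url="$1"; attempts="${2:-60}"; delay="${3:-1}"
  body='{"jsonrpc":"2.0","id":1,"method":"eth_blockNumber","params":[]}'
  i=0
  while [ "$i" -lt "$attempts" ]; do
    if curl -fsS --max-time 2 -H 'Content-Type: application/json' \
         -d "$body" "$url" 2>/dev/null | grep -q '"result"'; then
      return 0
    fi
    i=$((i + 1))
    sleep "$delay"
  done
  return 1   # a non-zero exit fails the step instead of testing against a dead node
}

# Kill the recorded PID. Safe under `if: always()`: a no-op when nothing was started.
stop_bg() {
  [ -f "$PID_FILE" ] || return 0
  pid="$(cat "$PID_FILE")"
  rm -f "$PID_FILE"
  kill "$pid" 2>/dev/null || true
  wait "$pid" 2>/dev/null || true
}

# Intended use across workflow steps (each step sources this file first):
#   start step:         start_bg npx hardhat node && wait_for_rpc http://localhost:8545
#   middle steps:       deploy + tests
#   if: always() step:  stop_bg
```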