feat: add ability to support yarn berry projects (#200)

This adds the ability to support Yarn berry projects in the pipeline

build-and-test-with-yarn/action.yaml

@@ -126,7 +126,12 @@ runs:
         FILE=yarn.lock
         if [ -f "$FILE" ]
         then
-          yarn --frozen-lockfile 
+          if [ -f .yarnrc.yml ]
+          then
+            yarn --immutable
+          else
+            yarn --frozen-lockfile
+          fi
         else
           echo "$FILE does not exist - ignoring"
           echo "no-yarn=true" >> "$GITHUB_OUTPUT"

check-code-compliance/action.yaml

@@ -43,9 +43,21 @@ runs:
         fi
         echo "node-project=true" >> "$GITHUB_OUTPUT"
 
+        # Check for Yarnrc file
+        if [ -f .yarnrc.yml ]; then
+          echo "Yarn v4 PnP detected"
+          echo "yarn-pnp=true" >> "$GITHUB_OUTPUT"
+        fi
+
     - name: Install dependencies
       run: yarn --frozen-lockfile
-      if: steps.check_node.outputs.node-project == 'true'
+      if: steps.check_node.outputs.node-project == 'true' && steps.check_node.outputs.yarn-pnp != 'true'
+      working-directory: ./
+      shell: bash
+
+    - name: Install dependencies with Yarn v4 PnP
+      run: yarn --immutable
+      if: steps.check_node.outputs.node-project == 'true' && steps.check_node.outputs.yarn-pnp == 'true'
       working-directory: ./
       shell: bash
 
@@ -82,7 +94,7 @@ runs:
     - name: Load global audit-ci config
       shell: bash
       working-directory: /tmp
-      if: steps.check_node.outputs.node-project == 'true'
+      if: steps.check_node.outputs.node-project == 'true' && steps.check_node.outputs.yarn-pnp != 'true'
       env:
         GIT_SSH_COMMAND: "ssh -i /tmp/audit_ci_key -o IdentitiesOnly=yes"
       run: |
@@ -117,7 +129,7 @@ runs:
         mv config/audit-ci.json /tmp/common_audit_ci.json
 
     - name: Audit dependencies
-      if: steps.check_node.outputs.node-project == 'true'
+      if: steps.check_node.outputs.node-project == 'true' && steps.check_node.outputs.yarn-pnp != 'true'
       run: |
         LOCAL_FILE=${{ inputs.audit-ci-config }}
         GLOBAL_FILE=/tmp/common_audit_ci.json
@@ -151,6 +163,13 @@ runs:
       shell: bash
       working-directory: ./
 
+    - name: Audit dependencies with Yarn v4 PnP
+      if: steps.check_node.outputs.node-project == 'true' && steps.check_node.outputs.yarn-pnp == 'true'
+      run: |
+        yarn npm audit --severity high
+      shell: bash
+      working-directory: ./
+
     - name: Check Licenses
       working-directory: ./
       shell: bash
@@ -188,12 +207,18 @@ runs:
         path: ./licenses.csv
         retention-days: 30
 
-    - name: Generate CycloneDX SBOM
+    - name: Generate CycloneDX SBOM (Yarn 1)
       working-directory: ./
-      if: steps.check_node.outputs.node-project == 'true'
+      if: steps.check_node.outputs.node-project == 'true' && steps.check_node.outputs.yarn-pnp != 'true'
       run: npx @cyclonedx/bom@3 -o bom.xml
       shell: bash
 
+    - name: Generate CycloneDX SBOM (Yarn >= 3)
+      working-directory: ./
+      if: steps.check_node.outputs.node-project == 'true' && steps.check_node.outputs.yarn-pnp == 'true'
+      run: yarn dlx -q @cyclonedx/yarn-plugin-cyclonedx --output-format XML --output-file bom.xml
+      shell: bash
+
     - name: Upload SBOM
       uses: actions/upload-artifact@v4
       if: steps.check_node.outputs.node-project == 'true'

semantic-release/action.yaml

@@ -66,7 +66,12 @@ runs:
 
         if [ $(jq -r .private package.json) = "false" ] && [ -f "$FILE" ]
         then
-          yarn --frozen-lockfile -D;
+          if [ -f "yarnrc.yml" ]
+          then
+            yarn install --immutable
+          else
+            yarn install --frozen-lockfile
+          fi
           npx tsc -p "$FILE"
         else
           echo "Project is private or $FILE does not exist - ignoring"