chore(security): remove GitHub Actions caching to prevent cache poisoning

.github/workflows/lint-build-test.yml

@@ -22,7 +22,6 @@ jobs:
         uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
-          cache: yarn
       - run: yarn --immutable
       - name: Fetch workspace package names
         id: workspace-package-names
@@ -43,8 +42,7 @@ jobs:
         uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
-          cache: yarn
-      - run: yarn --immutable --immutable-cache
+      - run: yarn --immutable
       - run: yarn lint
       - name: Require clean working directory
         shell: bash
@@ -68,8 +66,7 @@ jobs:
         uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
-          cache: yarn
-      - run: yarn --immutable --immutable-cache
+      - run: yarn --immutable
       - run: yarn workspace ${{ matrix.package-name }} lint:changelog
       - name: Require clean working directory
         shell: bash
@@ -93,8 +90,7 @@ jobs:
         uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
-          cache: yarn
-      - run: yarn --immutable --immutable-cache
+      - run: yarn --immutable
       - run: yarn build
       - name: Require clean working directory
         shell: bash
@@ -118,25 +114,22 @@ jobs:
         uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
-          cache: yarn
-      - run: yarn --immutable --immutable-cache
+      - run: yarn --immutable
       - run: yarn build
       - run: yarn workspace ${{ matrix.package-name }} run test:ci
       - name: Get coverage folder
         id: get-coverage-folder
         run: |
-          echo "Package Name: ${{ matrix.package-name }}"
-          echo "stub" >> stub
+          SANITIZED_NAME=$(echo "${{ matrix.package-name }}" | sed 's/\//-/g')
           echo "coverage-folder=$(yarn workspaces list --json | grep "\"name\":\"${{ matrix.package-name }}\"" | jq -r '.location')/coverage" >> "$GITHUB_OUTPUT"
+          echo "sanitized-name=$SANITIZED_NAME" >> "$GITHUB_OUTPUT"
         shell: bash
       - name: Upload coverage artifact
         if: ${{ matrix.node-version == '18.x' }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
-          name: coverage
-          path: |
-            stub
-            ${{ steps.get-coverage-folder.outputs.coverage-folder }}/**/coverage-final.json
+          name: coverage-${{ steps.get-coverage-folder.outputs.sanitized-name }}-${{ github.sha }}
+          path: packages/**/coverage-final.json
           if-no-files-found: warn
           retention-days: 1
       - name: Require clean working directory
@@ -152,11 +145,12 @@ jobs:
     runs-on: ubuntu-latest
     needs: test
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Download coverage artifact
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
-          name: coverage
+          pattern: 'coverage-*-${{ github.sha }}'
+          merge-multiple: true
       - name: Upload coverage results
         uses: codecov/codecov-action@6d798873df2b1b8e5846dba6fb86631229fbcb17
         with:

.github/workflows/publish-release.yml

@@ -14,62 +14,45 @@ jobs:
       contents: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           ref: ${{ github.sha }}
-      - name: Setup Node
-        uses: actions/setup-node@v3
+      - name: Install Corepack via Node
+        uses: actions/setup-node@v4
         with:
           node-version-file: '.nvmrc'
-          cache: yarn
-      - uses: actions/cache@v3
-        with:
-          path: |
-            ./packages/**/dist
-            ./node_modules/.yarn-state.yml
-          key: ${{ github.sha }}
-      - uses: MetaMask/action-publish-release@v3
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Install Yarn
+        run: corepack enable
       - run: yarn --immutable
       - run: yarn build
-
-  publish-npm-dry-run:
-    runs-on: ubuntu-latest
-    needs: publish-release
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          ref: ${{ github.sha }}
-      - uses: actions/cache@v3
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@v4
         with:
+          name: publish-release-artifacts-${{ github.sha }}
+          retention-days: 4
+          include-hidden-files: true
           path: |
-            ./packages/**/dist
+            ./dist
             ./node_modules/.yarn-state.yml
-          key: ${{ github.sha }}
-      - name: Dry Run Publish
-        # omit npm-token token to perform dry run publish
-        uses: MetaMask/action-npm-publish@v4
-        with:
-          slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
-          subteam: S042S7RE4AE # @metamask-npm-publishers
-        env:
-          SKIP_PREPACK: true
 
   publish-npm:
-    environment: npm-publish
+    needs: publish-release
     runs-on: ubuntu-latest
-    needs: publish-npm-dry-run
+    environment: npm-publish
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           ref: ${{ github.sha }}
-      - uses: actions/cache@v3
+      - name: Install Corepack via Node
+        uses: actions/setup-node@v4
         with:
-          path: |
-            ./packages/**/dist
-            ./node_modules/.yarn-state.yml
-          key: ${{ github.sha }}
+          node-version-file: '.nvmrc'
+      - name: Install Yarn
+        run: corepack enable
+      - name: Restore build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: publish-release-artifacts-${{ github.sha }}
       - name: Publish
         uses: MetaMask/action-npm-publish@v4
         with: