docker
update to yarn 3.6.3
closes #102
update to Yarn 3.6.3 now that Dependabot supports Yarn v2/v3: https://github.com/dependabot/dependabot-core/issues/1297#issuecomment-1285998196
For migration steps see https://yarnpkg.com/getting-started/migration
Also use corepack similar to https://github.com/docker/actions-toolkit/pull/323 to download yarn on-fly.
$ corepack enable
# https://yarnpkg.com/getting-started/install#updating-to-the-latest-versions
$ yarn set version stable
$ yarn --version
3.6.3
Also install plugin-interactive-tools yarn pkg: https://yarnpkg.com/api/modules/plugin_interactive_tools.html
$ yarn plugin import interactive-tools
Why is yarn itself committed to the repository? We don't even store the modules we use in the repo.
Yarn Modern (v2/v3) has some breaking changes with old v1 and therefore requires Yarn releases to be kept versioned: https://yarnpkg.com/getting-started/qa#which-files-should-be-gitignored. This prevents potential issues if, say, two engineers use different Yarn versions with different features.
@tonistiigi Setting yarn version in the Dockerfile works: https://github.com/docker/bake-action/compare/master...crazy-max:docker-bake-action:yarn-update-2#diff-3ed65642ec1610de6b0f162c77dc8499662ebeb7057d3f6c89108952d1cb33deR10-R14 but Dependabot will still use Yarn v1 and corrupt the lock file :disappointed:.
Unfortunately we can't define yarn version in the yarnrc config, just the yarnPath: https://yarnpkg.com/configuration/yarnrc#yarnPath
The yarnPath setting is currently the preferred way to install Yarn within a project, as it ensures that your whole team will use the exact same Yarn version, without having to individually keep it up-to-date.
@tonistiigi Switching back to npm looks to be the only alternative we have if you still don't want yarn installed within the repo:
- https://github.com/docker/bake-action/pull/102