update to yarn 3.6.3

[crazy-max]

closes #102

update to Yarn 3.6.3 now that Dependabot supports Yarn v2/v3: dependabot/dependabot-core#1297 (comment)

For migration steps see https://yarnpkg.com/getting-started/migration

Also use corepack similar to docker/actions-toolkit#323 to download yarn on-fly.

$ corepack enable
# https://yarnpkg.com/getting-started/install#updating-to-the-latest-versions
$ yarn set version stable
$ yarn --version
3.6.3

Also install plugin-interactive-tools yarn pkg: https://yarnpkg.com/api/modules/plugin_interactive_tools.html

$ yarn plugin import interactive-tools

[tonistiigi]

Why is yarn itself committed to the repository? We don't even store the modules we use in the repo.

[crazy-max]

Why is yarn itself committed to the repository? We don't even store the modules we use in the repo.

Yarn Modern (v2/v3) has some breaking changes with old v1 and therefore requires Yarn releases to be kept versioned: https://yarnpkg.com/getting-started/qa#which-files-should-be-gitignored. This prevents potential issues if, say, two engineers use different Yarn versions with different features.

[crazy-max]

@tonistiigi Setting yarn version in the Dockerfile works: master...crazy-max:docker-bake-action:yarn-update-2#diff-3ed65642ec1610de6b0f162c77dc8499662ebeb7057d3f6c89108952d1cb33deR10-R14 but Dependabot will still use Yarn v1 and corrupt the lock file 😞.

Unfortunately we can't define yarn version in the yarnrc config, just the yarnPath: https://yarnpkg.com/configuration/yarnrc#yarnPath

The yarnPath setting is currently the preferred way to install Yarn within a project, as it ensures that your whole team will use the exact same Yarn version, without having to individually keep it up-to-date.

[crazy-max]

@tonistiigi Switching back to npm looks to be the only alternative we have if you still don't want yarn installed within the repo:

• Switch to npm #102

[crazy-max]

@tonistiigi Now using corepack to avoid having yarn in the repo.