ci: Pin yarn lockfile for security & dependency scanning

.github/workflows/ci-build-sdks.yml

@@ -92,7 +92,7 @@ jobs:
         with:
           node-version: ${{ fromJson(inputs.version-set).nodejs }}
           cache: yarn
-          cache-dependency-path: sdk/nodejs/*.json
+          cache-dependency-path: sdk/nodejs/yarn.lock
       - name: Install yarn
         run: |
           npm install -g yarn

.github/workflows/ci-lint.yml

@@ -73,7 +73,7 @@ jobs:
         with:
           node-version: ${{ fromJson(inputs.version-set).nodejs }}
           cache: yarn
-          cache-dependency-path: sdk/nodejs/package.json
+          cache-dependency-path: sdk/nodejs/yarn.lock
       - name: Install Python deps
         run: |
           python -m pip install --upgrade pip requests wheel urllib3 chardet

.github/workflows/ci-run-test.yml

@@ -157,7 +157,14 @@ jobs:
         with:
           node-version: ${{ fromJson(inputs.version-set).nodejs }}
           cache: yarn
-          cache-dependency-path: sdk/nodejs/*.json
+          cache-dependency-path: sdk/nodejs/yarn.lock
+      - name: Uninstall pre-installed Pulumi (windows)
+        if: inputs.platform == 'windows-latest'
+        run: |
+          if command -v pulumi.exe; then
+            echo "Deleting pulumi"
+            rm -rf "$(command -v pulumi.exe)/../pulumi*"
+          fi
       - name: Install yarn
         run: |
           npm install -g yarn

sdk/nodejs/.gitignore

@@ -5,3 +5,4 @@
 /custom_node/
 /runtime/native/node_dev/
 .nyc_output/
+!yarn.lock

sdk/nodejs/Makefile

@@ -24,7 +24,7 @@ GO_TEST_FAST = $(PYTHON) ../../scripts/go-test.py $(GO_TEST_FAST_FLAGS)
 
 ensure:: yarn.ensure node.ensure .ensure.phony
 .ensure.phony: package.json
-	yarn install
+	yarn install --frozen-lockfile
 	@touch .ensure.phony
 
 lint:: ensure