chore: Update workflows to use MetaMask/action-checkout-and-setup (#481)

## Description

This updates all workflows to remove the use of `actions/checkout`,
`actions/setup-node`, `actions/cache`. The implementation here is based
on MetaMask/core#5474

Key improvements:
1. Replaces manual Node.js setup and caching with a standardized action
2. Adds proper high-risk environment handling for sensitive workflows
3. Updates Node.js version matrix to include v22.x
4. Improves security by removing potentially vulnerable caching
mechanisms

## Related issues

Fixes: #377
-
https://github.com/MetaMask/metamask-design-system/security/code-scanning/3
-
https://github.com/MetaMask/metamask-design-system/security/code-scanning/2
-
https://github.com/MetaMask/metamask-design-system/security/code-scanning/1

## Manual testing steps

1. Review the changes MetaMask/core#5474 and
make sure it matches in this PR in each workflow:
   - `.github/workflows/lint-build-test.yml`
   - `.github/workflows/publish-release.yml`
   - `.github/workflows/publish-preview.yml`
   - `.github/workflows/ensure-blocking-pr-labels-absent.yml`
   - `.github/workflows/security-code-scanner.yml`
   - `.github/workflows/main.yml`

2. Verify that the workflows use the correct configuration:
   ```yaml
   - name: Checkout and setup environment
     uses: MetaMask/action-checkout-and-setup@v1
     with:
       is-high-risk-environment: true  # for publish workflows
       node-version: ${{ matrix.node-version }}  # when using matrix
   ```

3. Confirm CI passes on this PR with the updated workflows

4. For publish workflows, verify:
   - High-risk environment flag is set to `true`
   - Artifact handling is properly configured
- Node.js matrix strategy includes all required versions (18.x, 20.x,
22.x)

## Screenshots/Recordings

### After

Comparing code changes between this PR and the one in core
MetaMask/core#5474



https://github.com/user-attachments/assets/dfda14a7-2c90-4f12-bab5-ac78413552c3



## Pre-merge author checklist

- [x] I've followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs)
- [x] I've completed the PR template to the best of my ability
- [x] I've included tests if applicable
- [x] I've documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [x] I've applied the right labels on the PR

## Pre-merge reviewer checklist

- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed)
- [ ] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots

Author: georgewrmarshall

.github/workflows/ensure-blocking-pr-labels-absent.yml

@@ -13,19 +13,10 @@ jobs:
     permissions:
       pull-requests: read
     steps:
-      - uses: actions/checkout@v4
-      - name: Use Node.js
-        uses: actions/setup-node@v4
+      - name: Checkout and setup environment
+        uses: MetaMask/action-checkout-and-setup@v1
         with:
-          node-version-file: '.nvmrc'
-      - name: Install Yarn
-        run: corepack enable
-      - name: Restore Yarn cache
-        uses: actions/setup-node@v4
-        with:
-          node-version-file: '.nvmrc'
-          cache: 'yarn'
-      - run: yarn --immutable
+          is-high-risk-environment: false
       - name: Run command
         uses: actions/github-script@v7
         with:

.github/workflows/lint-build-test.yml

@@ -9,23 +9,15 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        node-version: [18.x, 20.x]
+        node-version: [18.x, 20.x, 22.x]
     outputs:
       child-workspace-package-names: ${{ steps.workspace-package-names.outputs.child-workspace-package-names }}
     steps:
-      - uses: actions/checkout@v4
-      - name: Install Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v4
+      - name: Checkout and setup environment
+        uses: MetaMask/action-checkout-and-setup@v1
         with:
-          node-version: ${{ matrix.node-version }}
-      - name: Install Yarn
-        run: corepack enable
-      - name: Restore Yarn cache
-        uses: actions/setup-node@v4
-        with:
-          node-version: ${{ matrix.node-version }}
-          cache: yarn
-      - run: yarn --immutable
+          is-high-risk-environment: false
+          cache-node-modules: ${{ matrix.node-version == '22.x' }}
       - name: Fetch workspace package names
         id: workspace-package-names
         run: |
@@ -38,21 +30,12 @@ jobs:
     needs: prepare
     strategy:
       matrix:
-        node-version: [20.x]
+        node-version: [22.x]
     steps:
-      - uses: actions/checkout@v4
-      - name: Install Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v4
-        with:
-          node-version: ${{ matrix.node-version }}
-      - name: Install Yarn
-        run: corepack enable
-      - name: Restore Yarn cache
-        uses: actions/setup-node@v4
+      - name: Checkout and setup environment
+        uses: MetaMask/action-checkout-and-setup@v1
         with:
-          node-version: ${{ matrix.node-version }}
-          cache: yarn
-      - run: yarn --immutable
+          is-high-risk-environment: false
       - run: yarn lint
       - name: Require clean working directory
         shell: bash
@@ -68,22 +51,13 @@ jobs:
     needs: prepare
     strategy:
       matrix:
-        node-version: [20.x]
+        node-version: [22.x]
         package-name: ${{ fromJson(needs.prepare.outputs.child-workspace-package-names) }}
     steps:
-      - uses: actions/checkout@v4
-      - name: Install Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v4
-        with:
-          node-version: ${{ matrix.node-version }}
-      - name: Install Yarn
-        run: corepack enable
-      - name: Restore Yarn cache
-        uses: actions/setup-node@v4
+      - name: Checkout and setup environment
+        uses: MetaMask/action-checkout-and-setup@v1
         with:
-          node-version: ${{ matrix.node-version }}
-          cache: yarn
-      - run: yarn --immutable
+          is-high-risk-environment: false
       - run: yarn workspace ${{ matrix.package-name }} changelog:validate
       - name: Require clean working directory
         shell: bash
@@ -99,21 +73,12 @@ jobs:
     needs: prepare
     strategy:
       matrix:
-        node-version: [20.x]
+        node-version: [22.x]
     steps:
-      - uses: actions/checkout@v4
-      - name: Install Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v4
+      - name: Checkout and setup environment
+        uses: MetaMask/action-checkout-and-setup@v1
         with:
-          node-version: ${{ matrix.node-version }}
-      - name: Install Yarn
-        run: corepack enable
-      - name: Restore Yarn cache
-        uses: actions/setup-node@v4
-        with:
-          node-version: ${{ matrix.node-version }}
-          cache: yarn
-      - run: yarn --immutable
+          is-high-risk-environment: false
       - run: yarn build
       - name: Require clean working directory
         shell: bash
@@ -129,22 +94,13 @@ jobs:
     needs: prepare
     strategy:
       matrix:
-        node-version: [18.x, 20.x]
+        node-version: [18.x, 20.x, 22.x]
         package-name: ${{ fromJson(needs.prepare.outputs.child-workspace-package-names) }}
     steps:
-      - uses: actions/checkout@v4
-      - name: Install Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v4
-        with:
-          node-version: ${{ matrix.node-version }}
-      - name: Install Yarn
-        run: corepack enable
-      - name: Restore Yarn cache
-        uses: actions/setup-node@v4
+      - name: Checkout and setup environment
+        uses: MetaMask/action-checkout-and-setup@v1
         with:
-          node-version: ${{ matrix.node-version }}
-          cache: yarn
-      - run: yarn --immutable
+          is-high-risk-environment: false
       - run: yarn test:scripts
       - run: yarn workspace ${{ matrix.package-name }} run test
       - name: Require clean working directory

.github/workflows/main.yml

@@ -10,7 +10,7 @@ jobs:
     name: Check workflows
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Download actionlint
         id: download-actionlint
         run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/7fdc9630cc360ea1a469eed64ac6d78caeda1234/scripts/download-actionlint.bash) 1.6.25
@@ -19,6 +19,18 @@ jobs:
         run: ${{ steps.download-actionlint.outputs.executable }} -color
         shell: bash
 
+  analyse-code:
+    name: Code scanner
+    needs: check-workflows
+    uses: ./.github/workflows/security-code-scanner.yml
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    secrets:
+      SECURITY_SCAN_METRICS_TOKEN: ${{ secrets.SECURITY_SCAN_METRICS_TOKEN }}
+      APPSEC_BOT_SLACK_WEBHOOK: ${{ secrets.APPSEC_BOT_SLACK_WEBHOOK }}
+
   lint-build-test:
     name: Lint, build, and test
     needs: check-workflows
@@ -35,7 +47,7 @@ jobs:
       - id: is-release
         uses: MetaMask/action-is-release@dc4672b05e3b1d464cdaf783579b04a4e43f8b02
         with:
-          commit-starts-with: 'Release [version],Release v[version],Release/[version],Release/v[version]'
+          commit-starts-with: 'Release [version],Release v[version],Release/[version],Release/v[version],Release `[version]`'
 
   publish-release:
     name: Publish release
@@ -51,7 +63,9 @@ jobs:
   all-jobs-complete:
     name: All jobs complete
     runs-on: ubuntu-latest
-    needs: lint-build-test
+    needs:
+      - analyse-code
+      - lint-build-test
     outputs:
       passed: ${{ steps.set-output.outputs.passed }}
     steps:

.github/workflows/publish-preview.yml

@@ -1,5 +1,3 @@
-# TODO: Publish a preview build doesn't work and needs to be fixed https://github.com/MetaMask/metamask-design-system/issues/38
-
 name: Publish a preview build
 
 on:
@@ -37,18 +35,10 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_NUMBER: ${{ github.event.issue.number }}
-      - name: Install Node
-        uses: actions/setup-node@v4
-        with:
-          node-version-file: '.nvmrc'
-      - name: Install Yarn
-        run: corepack enable
-      - name: Restore Yarn cache
-        uses: actions/setup-node@v4
+      - name: Checkout and setup environment
+        uses: MetaMask/action-checkout-and-setup@v1
         with:
-          node-version-file: '.nvmrc'
-          cache: yarn
-      - run: yarn --immutable
+          is-high-risk-environment: true
       - name: Get commit SHA
         id: commit-sha
         run: echo "COMMIT_SHA=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"

.github/workflows/publish-release.yml

@@ -14,85 +14,60 @@ jobs:
       contents: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout and setup environment
+        uses: MetaMask/action-checkout-and-setup@v1
         with:
-          ref: ${{ github.sha }}
-      - name: Install Node
-        uses: actions/setup-node@v4
-        with:
-          node-version-file: '.nvmrc'
-      - name: Install Yarn
-        run: corepack enable
-      - name: Restore Yarn cache
-        uses: actions/setup-node@v4
-        with:
-          node-version-file: '.nvmrc'
-          cache: yarn
-      - uses: actions/cache@v4
-        with:
-          path: |
-            ./packages/**/dist
-            ./node_modules/.yarn-state.yml
-          key: ${{ github.sha }}
+          is-high-risk-environment: true
       - uses: MetaMask/action-publish-release@v3
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - run: yarn --immutable
       - run: yarn build
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: publish-release-artifacts-${{ github.sha }}
+          include-hidden-files: true
+          retention-days: 4
+          path: |
+            ./packages/**/dist
+            ./node_modules/.yarn-state.yml
 
   publish-npm-dry-run:
+    name: Dry run publish to NPM
     runs-on: ubuntu-latest
     needs: publish-release
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout and setup environment
+        uses: MetaMask/action-checkout-and-setup@v1
         with:
+          is-high-risk-environment: true
           ref: ${{ github.sha }}
-      - name: Install Node
-        uses: actions/setup-node@v4
+      - name: Restore build artifacts
+        uses: actions/download-artifact@v4
         with:
-          node-version-file: '.nvmrc'
-      - name: Install Yarn
-        run: corepack enable
-      - uses: actions/cache@v4
-        with:
-          path: |
-            ./packages/**/dist
-            ./node_modules/.yarn-state.yml
-          key: ${{ github.sha }}
-          fail-on-cache-miss: true
-      - name: Dry Run Publish
-        # omit npm-token token to perform dry run publish
+          name: publish-release-artifacts-${{ github.sha }}
+      - name: Dry run publish to NPM
         uses: MetaMask/action-npm-publish@v5
         with:
           slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
           subteam: S042S7RE4AE # @metamask-npm-publishers
-        env:
-          SKIP_PREPACK: true
 
   publish-npm:
+    name: Publish to NPM
     environment: npm-publish
     runs-on: ubuntu-latest
     needs: publish-npm-dry-run
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout and setup environment
+        uses: MetaMask/action-checkout-and-setup@v1
         with:
+          is-high-risk-environment: true
           ref: ${{ github.sha }}
-      - name: Install Node
-        uses: actions/setup-node@v4
+      - name: Restore build artifacts
+        uses: actions/download-artifact@v4
         with:
-          node-version-file: '.nvmrc'
-      - name: Install Yarn
-        run: corepack enable
-      - uses: actions/cache@v4
-        with:
-          path: |
-            ./packages/**/dist
-            ./node_modules/.yarn-state.yml
-          key: ${{ github.sha }}
-          fail-on-cache-miss: true
-      - name: Publish
+          name: publish-release-artifacts-${{ github.sha }}
+      - name: Publish to NPM
         uses: MetaMask/action-npm-publish@v5
         with:
           npm-token: ${{ secrets.NPM_TOKEN }}
-        env:
-          SKIP_PREPACK: true