Dependabot hardening: Fix CI checks, adopt sfw-action
#14
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: dependabot-review | |
| # Dependency-update PR guardrails for Dependabot-authored PRs. | |
| # | |
| # Runs only on PRs opened by dependabot[bot]. Inspects which files | |
| # changed, then conditionally runs Socket Firewall (sfw) install smoke | |
| # jobs for the affected manifests. Because sfw uses the free, anonymous | |
| # Socket public-data path it needs NO API key, so we can run it from | |
| # the unprivileged `pull_request` context without pull_request_target | |
| # or any of its security tradeoffs. | |
| # | |
| # Pattern adapted from SocketDev/socket-basics. | |
| on: | |
| pull_request: | |
| types: [opened, synchronize, reopened, ready_for_review] | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: dependabot-review-${{ github.event.pull_request.number }} | |
| cancel-in-progress: true | |
| jobs: | |
| inspect: | |
| if: github.event.pull_request.user.login == 'dependabot[bot]' | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| outputs: | |
| python_deps_changed: ${{ steps.diff.outputs.python_deps_changed }} | |
| fixture_npm_changed: ${{ steps.diff.outputs.fixture_npm_changed }} | |
| fixture_pypi_changed: ${{ steps.diff.outputs.fixture_pypi_changed }} | |
| dockerfile_changed: ${{ steps.diff.outputs.dockerfile_changed }} | |
| workflow_or_action_changed: ${{ steps.diff.outputs.workflow_or_action_changed }} | |
| steps: | |
| - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Inspect changed files | |
| id: diff | |
| env: | |
| BASE_SHA: ${{ github.event.pull_request.base.sha }} | |
| HEAD_SHA: ${{ github.event.pull_request.head.sha }} | |
| run: | | |
| CHANGED_FILES="$(git diff --name-only "$BASE_SHA" "$HEAD_SHA")" | |
| { | |
| echo "## Changed files" | |
| echo '```' | |
| printf '%s\n' "$CHANGED_FILES" | |
| echo '```' | |
| } >> "$GITHUB_STEP_SUMMARY" | |
| has_file() { | |
| local pattern="$1" | |
| if printf '%s\n' "$CHANGED_FILES" | grep -Eq "$pattern"; then | |
| echo "true" | |
| else | |
| echo "false" | |
| fi | |
| } | |
| { | |
| echo "python_deps_changed=$(has_file '^(pyproject\.toml|uv\.lock)$')" | |
| echo "fixture_npm_changed=$(has_file '^tests/e2e/fixtures/simple-npm/')" | |
| echo "fixture_pypi_changed=$(has_file '^tests/e2e/fixtures/simple-pypi/')" | |
| echo "dockerfile_changed=$(has_file '^Dockerfile$')" | |
| echo "workflow_or_action_changed=$(has_file '^\.github/workflows/|^\.github/dependabot\.yml$')" | |
| } >> "$GITHUB_OUTPUT" | |
| - name: Summarize review expectations | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| run: | | |
| { | |
| echo "## Dependabot Review Checklist" | |
| echo "- PR: $PR_URL" | |
| echo "- Confirm upstream release notes before merge" | |
| echo "- Do not treat a Dependabot PR as trusted solely because of the actor" | |
| echo "- This workflow runs in pull_request context only; no publish secrets are exposed" | |
| } >> "$GITHUB_STEP_SUMMARY" | |
| python-sfw-smoke: | |
| needs: inspect | |
| if: needs.inspect.outputs.python_deps_changed == 'true' | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| steps: | |
| - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 | |
| with: | |
| fetch-depth: 1 | |
| persist-credentials: false | |
| - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 | |
| with: | |
| python-version: "3.12" | |
| # Official Socket setup action (free edition). Installs sfw and wires up | |
| # routing correctly -- preferred over a hand-rolled `npm install -g sfw`. | |
| - name: Set up Socket Firewall (free) | |
| uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2 | |
| with: | |
| mode: firewall-free | |
| - name: Install uv | |
| run: python -m pip install --upgrade pip uv | |
| - name: Sync project through Socket Firewall | |
| # `sfw uv sync` is the intended way to route uv through Socket Firewall | |
| # (per Socket's own uv wrapper guidance). --locked verifies the exact | |
| # uv.lock set and fails on lockfile drift rather than silently | |
| # re-resolving, so the firewall inspects precisely what would install. | |
| # Note: uv's sfw integration is quieter than npm/pip -- it does not | |
| # print the "N packages fetched" footer, but interception is active. | |
| run: sfw uv sync --locked --extra test --extra dev | |
| - name: Import smoke test | |
| run: | | |
| uv run python -c " | |
| from socketsecurity.socketcli import cli, build_socket_sdk | |
| from socketsecurity.core import Core | |
| from socketsecurity.core.exceptions import ( | |
| APIFailure, RequestTimeoutExceeded, APIResourceNotFound, | |
| ) | |
| from socketsecurity.core.git_interface import Git | |
| from socketsecurity.config import CliConfig | |
| print('import smoke OK') | |
| " | |
| fixture-npm-sfw-smoke: | |
| needs: inspect | |
| if: needs.inspect.outputs.fixture_npm_changed == 'true' | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| steps: | |
| - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 | |
| with: | |
| fetch-depth: 1 | |
| persist-credentials: false | |
| - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af | |
| with: | |
| node-version: "20" | |
| - name: Set up Socket Firewall (free) | |
| uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2 | |
| with: | |
| mode: firewall-free | |
| - name: Install fixture through Socket Firewall | |
| working-directory: tests/e2e/fixtures/simple-npm | |
| run: sfw npm install --no-audit --no-fund --ignore-scripts | |
| fixture-pypi-sfw-smoke: | |
| needs: inspect | |
| if: needs.inspect.outputs.fixture_pypi_changed == 'true' | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| steps: | |
| - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 | |
| with: | |
| fetch-depth: 1 | |
| persist-credentials: false | |
| - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 | |
| with: | |
| python-version: "3.12" | |
| - name: Set up Socket Firewall (free) | |
| uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2 | |
| with: | |
| mode: firewall-free | |
| - name: Install fixture through Socket Firewall | |
| working-directory: tests/e2e/fixtures/simple-pypi | |
| run: | | |
| python -m venv .venv | |
| # shellcheck disable=SC1091 | |
| source .venv/bin/activate | |
| sfw pip install -r requirements.txt | |
| dockerfile-smoke: | |
| needs: inspect | |
| if: needs.inspect.outputs.dockerfile_changed == 'true' | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 20 | |
| steps: | |
| - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 | |
| with: | |
| fetch-depth: 1 | |
| persist-credentials: false | |
| - name: Build the Dockerfile (no push) | |
| run: docker build --pull -t socket-python-cli:dependabot-smoke . | |
| workflow-notice: | |
| needs: inspect | |
| if: needs.inspect.outputs.workflow_or_action_changed == 'true' | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 2 | |
| steps: | |
| - name: Flag workflow-sensitive updates | |
| run: | | |
| { | |
| echo "## Sensitive File Notice" | |
| echo "This Dependabot PR changes workflow or dependabot config files." | |
| echo "Require explicit human review before merge." | |
| } >> "$GITHUB_STEP_SUMMARY" |