Dependabot hardening and workflow pipeline cleanup #5
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: dependency-review | |
| # Supply-chain guardrails for dependency-update PRs -- for BOTH Dependabot | |
| # and maintainers. | |
| # | |
| # Inspects the changed files, then conditionally runs Socket Firewall (sfw) | |
| # install smoke jobs for the affected manifests, picking the firewall edition | |
| # per PR: | |
| # | |
| # - SocketDev org members on an in-repo (non-fork) PR -> Socket Firewall | |
| # ENTERPRISE through the socket-firewall environment and its | |
| # SOCKET_SFW_API_TOKEN secret (authenticated, full org-policy enforcement). | |
| # - Everything else -- Dependabot, forks, outside collaborators, or external | |
| # contributors -> Socket Firewall FREE (anonymous, no API token), which is | |
| # safe in the unprivileged `pull_request` context. | |
| # | |
| # Only Enterprise jobs declare the socket-firewall environment. Free jobs do | |
| # not touch that environment or its token. | |
| # | |
| # Pattern adapted from SocketDev/socket-basics. | |
| on: | |
| pull_request: | |
| types: [opened, synchronize, reopened, ready_for_review] | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: dependency-review-${{ github.event.pull_request.number }} | |
| cancel-in-progress: true | |
| jobs: | |
| inspect: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| outputs: | |
| python_deps_changed: ${{ steps.diff.outputs.python_deps_changed }} | |
| fixture_npm_changed: ${{ steps.diff.outputs.fixture_npm_changed }} | |
| fixture_pypi_changed: ${{ steps.diff.outputs.fixture_pypi_changed }} | |
| dockerfile_changed: ${{ steps.diff.outputs.dockerfile_changed }} | |
| workflow_or_action_changed: ${{ steps.diff.outputs.workflow_or_action_changed }} | |
| sfw_mode: ${{ steps.mode.outputs.sfw_mode }} | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Inspect changed files | |
| id: diff | |
| env: | |
| BASE_SHA: ${{ github.event.pull_request.base.sha }} | |
| HEAD_SHA: ${{ github.event.pull_request.head.sha }} | |
| run: | | |
| CHANGED_FILES="$(git diff --name-only "$BASE_SHA" "$HEAD_SHA")" | |
| { | |
| echo "## Changed files" | |
| echo '```' | |
| printf '%s\n' "$CHANGED_FILES" | |
| echo '```' | |
| } >> "$GITHUB_STEP_SUMMARY" | |
| has_file() { | |
| local pattern="$1" | |
| if printf '%s\n' "$CHANGED_FILES" | grep -Eq "$pattern"; then | |
| echo "true" | |
| else | |
| echo "false" | |
| fi | |
| } | |
| { | |
| echo "python_deps_changed=$(has_file '^(pyproject\.toml|uv\.lock)$')" | |
| echo "fixture_npm_changed=$(has_file '^tests/e2e/fixtures/simple-npm/')" | |
| echo "fixture_pypi_changed=$(has_file '^tests/e2e/fixtures/simple-pypi/')" | |
| echo "dockerfile_changed=$(has_file '^Dockerfile$')" | |
| echo "workflow_or_action_changed=$(has_file '^\.github/workflows/|^\.github/actions/|^\.github/dependabot\.yml$')" | |
| } >> "$GITHUB_OUTPUT" | |
| - name: Determine Socket Firewall mode | |
| id: mode | |
| env: | |
| IS_DEPENDABOT: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }} | |
| IS_FORK: ${{ github.event.pull_request.head.repo.full_name != github.repository }} | |
| AUTHOR_ASSOC: ${{ github.event.pull_request.author_association }} | |
| run: | | |
| mode=firewall-free | |
| # Enterprise only for a SocketDev org member (OWNER/MEMBER) on an | |
| # in-repo PR. Everything else -- Dependabot, forks, outside | |
| # collaborators, and external contributors -- uses the free edition. | |
| if [ "$IS_DEPENDABOT" != "true" ] \ | |
| && [ "$IS_FORK" != "true" ] \ | |
| && printf '%s' "$AUTHOR_ASSOC" | grep -qE '^(OWNER|MEMBER)$'; then | |
| mode=firewall-enterprise | |
| fi | |
| echo "sfw_mode=$mode" >> "$GITHUB_OUTPUT" | |
| { | |
| echo "## Socket Firewall mode: \`$mode\`" | |
| echo "- author_association: \`$AUTHOR_ASSOC\`" | |
| echo "- dependabot: \`$IS_DEPENDABOT\` | fork: \`$IS_FORK\`" | |
| } >> "$GITHUB_STEP_SUMMARY" | |
| - name: Summarize review expectations | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| run: | | |
| { | |
| echo "## Dependency Review Checklist" | |
| echo "- PR: $PR_URL" | |
| echo "- Confirm upstream release notes before merge" | |
| echo "- Do not treat a dependency PR as trusted solely because of the actor" | |
| echo "- This workflow runs in pull_request context only; no publish secrets are exposed" | |
| } >> "$GITHUB_STEP_SUMMARY" | |
| python-sfw-smoke-free: | |
| needs: inspect | |
| if: | | |
| needs.inspect.outputs.python_deps_changed == 'true' && | |
| needs.inspect.outputs.sfw_mode == 'firewall-free' | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 1 | |
| persist-credentials: false | |
| - uses: ./.github/actions/setup-sfw | |
| with: | |
| uv: "true" | |
| mode: firewall-free | |
| - name: Sync project through Socket Firewall | |
| # `sfw uv sync` is the intended way to route uv through Socket Firewall | |
| # (per Socket's own uv wrapper guidance). --locked verifies the exact | |
| # uv.lock set and fails on lockfile drift rather than silently | |
| # re-resolving, so the firewall inspects precisely what would install. | |
| # Note: uv's sfw integration is quieter than npm/pip -- it does not | |
| # print the "N packages fetched" footer, but interception is active. | |
| # | |
| # Use the runner's setup-python interpreter and forbid managed-Python | |
| # downloads. The firewall is here to vet PyPI installs, not the | |
| # interpreter/toolchain download path. | |
| env: | |
| UV_PYTHON: "3.12" | |
| UV_PYTHON_DOWNLOADS: never | |
| run: sfw uv sync --locked --extra test --extra dev | |
| - name: Import smoke test | |
| env: | |
| UV_PYTHON: "3.12" | |
| UV_PYTHON_DOWNLOADS: never | |
| run: | | |
| uv run python -c " | |
| from socketsecurity.socketcli import cli, build_socket_sdk | |
| from socketsecurity.core import Core | |
| from socketsecurity.core.exceptions import ( | |
| APIFailure, RequestTimeoutExceeded, APIResourceNotFound, | |
| ) | |
| from socketsecurity.core.git_interface import Git | |
| from socketsecurity.config import CliConfig | |
| print('import smoke OK') | |
| " | |
| python-sfw-smoke-enterprise: | |
| needs: inspect | |
| if: | | |
| needs.inspect.outputs.python_deps_changed == 'true' && | |
| needs.inspect.outputs.sfw_mode == 'firewall-enterprise' | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| environment: socket-firewall | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 1 | |
| persist-credentials: false | |
| - uses: ./.github/actions/setup-sfw | |
| with: | |
| uv: "true" | |
| mode: firewall-enterprise | |
| socket-token: ${{ secrets.SOCKET_SFW_API_TOKEN }} | |
| - name: Sync project through Socket Firewall | |
| # `sfw uv sync` is the intended way to route uv through Socket Firewall | |
| # (per Socket's own uv wrapper guidance). --locked verifies the exact | |
| # uv.lock set and fails on lockfile drift rather than silently | |
| # re-resolving, so the firewall inspects precisely what would install. | |
| # Note: uv's sfw integration is quieter than npm/pip -- it does not | |
| # print the "N packages fetched" footer, but interception is active. | |
| # | |
| # Use the runner's setup-python interpreter and forbid managed-Python | |
| # downloads. The firewall is here to vet PyPI installs, not the | |
| # interpreter/toolchain download path. | |
| env: | |
| UV_PYTHON: "3.12" | |
| UV_PYTHON_DOWNLOADS: never | |
| run: sfw uv sync --locked --extra test --extra dev | |
| - name: Import smoke test | |
| env: | |
| UV_PYTHON: "3.12" | |
| UV_PYTHON_DOWNLOADS: never | |
| run: | | |
| uv run python -c " | |
| from socketsecurity.socketcli import cli, build_socket_sdk | |
| from socketsecurity.core import Core | |
| from socketsecurity.core.exceptions import ( | |
| APIFailure, RequestTimeoutExceeded, APIResourceNotFound, | |
| ) | |
| from socketsecurity.core.git_interface import Git | |
| from socketsecurity.config import CliConfig | |
| print('import smoke OK') | |
| " | |
| fixture-npm-sfw-smoke-free: | |
| needs: inspect | |
| if: | | |
| needs.inspect.outputs.fixture_npm_changed == 'true' && | |
| needs.inspect.outputs.sfw_mode == 'firewall-free' | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 1 | |
| persist-credentials: false | |
| - uses: ./.github/actions/setup-sfw | |
| with: | |
| node: "true" | |
| mode: firewall-free | |
| - name: Install fixture through Socket Firewall | |
| working-directory: tests/e2e/fixtures/simple-npm | |
| run: sfw npm install --no-audit --no-fund --ignore-scripts | |
| fixture-npm-sfw-smoke-enterprise: | |
| needs: inspect | |
| if: | | |
| needs.inspect.outputs.fixture_npm_changed == 'true' && | |
| needs.inspect.outputs.sfw_mode == 'firewall-enterprise' | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| environment: socket-firewall | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 1 | |
| persist-credentials: false | |
| - uses: ./.github/actions/setup-sfw | |
| with: | |
| node: "true" | |
| mode: firewall-enterprise | |
| socket-token: ${{ secrets.SOCKET_SFW_API_TOKEN }} | |
| - name: Install fixture through Socket Firewall | |
| working-directory: tests/e2e/fixtures/simple-npm | |
| run: sfw npm install --no-audit --no-fund --ignore-scripts | |
| fixture-pypi-sfw-smoke-free: | |
| needs: inspect | |
| if: | | |
| needs.inspect.outputs.fixture_pypi_changed == 'true' && | |
| needs.inspect.outputs.sfw_mode == 'firewall-free' | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 1 | |
| persist-credentials: false | |
| - uses: ./.github/actions/setup-sfw | |
| with: | |
| python: "true" | |
| mode: firewall-free | |
| - name: Install fixture through Socket Firewall | |
| working-directory: tests/e2e/fixtures/simple-pypi | |
| run: | | |
| python -m venv .venv | |
| # shellcheck disable=SC1091 | |
| source .venv/bin/activate | |
| sfw pip install -r requirements.txt | |
| fixture-pypi-sfw-smoke-enterprise: | |
| needs: inspect | |
| if: | | |
| needs.inspect.outputs.fixture_pypi_changed == 'true' && | |
| needs.inspect.outputs.sfw_mode == 'firewall-enterprise' | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| environment: socket-firewall | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 1 | |
| persist-credentials: false | |
| - uses: ./.github/actions/setup-sfw | |
| with: | |
| python: "true" | |
| mode: firewall-enterprise | |
| socket-token: ${{ secrets.SOCKET_SFW_API_TOKEN }} | |
| - name: Install fixture through Socket Firewall | |
| working-directory: tests/e2e/fixtures/simple-pypi | |
| run: | | |
| python -m venv .venv | |
| # shellcheck disable=SC1091 | |
| source .venv/bin/activate | |
| sfw pip install -r requirements.txt | |
| dockerfile-smoke: | |
| needs: inspect | |
| if: needs.inspect.outputs.dockerfile_changed == 'true' | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 20 | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 1 | |
| persist-credentials: false | |
| - name: Build the Dockerfile (no push) | |
| run: docker build --pull -t socket-python-cli:dependabot-smoke . | |
| workflow-notice: | |
| needs: inspect | |
| if: needs.inspect.outputs.workflow_or_action_changed == 'true' | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 2 | |
| steps: | |
| - name: Flag workflow-sensitive updates | |
| run: | | |
| { | |
| echo "## Sensitive File Notice" | |
| echo "This PR changes workflow, composite-action, or dependabot config files." | |
| echo "Require explicit human review before merge." | |
| } >> "$GITHUB_STEP_SUMMARY" |