ci: factor Socket Firewall setup into a composite action

The three sfw smoke jobs (python / npm-fixture / pypi-fixture) repeated the
same setup: toolchain bootstrap + socketdev/action install. GitHub Actions
doesn't support YAML anchors, so extract the shared setup into a local
composite action instead.

- New .github/actions/setup-sfw: optional Python/Node/uv toolchain inputs +
  the socketdev/action (firewall-free) install.
- Each job now just declares the toolchain it needs (`uv`, `node`, or
  `python`) and runs its own distinct sfw command.

Net effect: the pinned socketdev/action SHA now lives in ONE place (future
bumps touch a single line), the per-job setup-python/setup-node duplication
is gone, and each job body is reduced to its actual firewall check. No
behavior change.

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

Author: lelia

.github/actions/setup-sfw/action.yml

@@ -0,0 +1,40 @@
+name: "Set up Socket Firewall (free)"
+description: >-
+  Set up the requested language toolchain and install Socket Firewall (free
+  edition) so subsequent steps can run package-manager commands wrapped with
+  `sfw`. Free/anonymous mode -- no API token, safe on untrusted/Dependabot PRs.
+
+inputs:
+  python:
+    description: "Set up Python 3.12"
+    default: "false"
+  node:
+    description: "Set up Node 20 (needed for npm-wrapped checks)"
+    default: "false"
+  uv:
+    description: "Install uv (implies Python)"
+    default: "false"
+
+runs:
+  using: "composite"
+  steps:
+    - if: ${{ inputs.python == 'true' || inputs.uv == 'true' }}
+      uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
+      with:
+        python-version: "3.12"
+
+    - if: ${{ inputs.node == 'true' }}
+      uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af
+      with:
+        node-version: "20"
+
+    # Official Socket setup action. Wires up sfw routing correctly -- preferred
+    # over a hand-rolled `npm install -g sfw`. Pinned to a commit SHA (v1.3.2).
+    - uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f
+      with:
+        mode: firewall-free
+
+    - if: ${{ inputs.uv == 'true' }}
+      name: Install uv
+      shell: bash
+      run: python -m pip install --upgrade pip uv

.github/workflows/dependabot-review.yml

@@ -94,19 +94,9 @@ jobs:
           fetch-depth: 1
           persist-credentials: false
 
-      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
+      - uses: ./.github/actions/setup-sfw
         with:
-          python-version: "3.12"
-
-      # Official Socket setup action (free edition). Installs sfw and wires up
-      # routing correctly -- preferred over a hand-rolled `npm install -g sfw`.
-      - name: Set up Socket Firewall (free)
-        uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f  # v1.3.2
-        with:
-          mode: firewall-free
-
-      - name: Install uv
-        run: python -m pip install --upgrade pip uv
+          uv: "true"
 
       - name: Sync project through Socket Firewall
         # `sfw uv sync` is the intended way to route uv through Socket Firewall
@@ -141,14 +131,9 @@ jobs:
           fetch-depth: 1
           persist-credentials: false
 
-      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af
+      - uses: ./.github/actions/setup-sfw
         with:
-          node-version: "20"
-
-      - name: Set up Socket Firewall (free)
-        uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f  # v1.3.2
-        with:
-          mode: firewall-free
+          node: "true"
 
       - name: Install fixture through Socket Firewall
         working-directory: tests/e2e/fixtures/simple-npm
@@ -165,14 +150,9 @@ jobs:
           fetch-depth: 1
           persist-credentials: false
 
-      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
-        with:
-          python-version: "3.12"
-
-      - name: Set up Socket Firewall (free)
-        uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f  # v1.3.2
+      - uses: ./.github/actions/setup-sfw
         with:
-          mode: firewall-free
+          python: "true"
 
       - name: Install fixture through Socket Firewall
         working-directory: tests/e2e/fixtures/simple-pypi