Configure Dependabot for composite actions

lelia · lelia · commit ba9b94692b37 · 2026-05-31T00:44:07.000-04:00
diff --git a/.github/actions/setup-docker-publish/action.yml b/.github/actions/setup-docker-publish/action.yml
@@ -0,0 +1,23 @@
+name: "Set up Docker publish"
+description: >-
+  Set up QEMU + Docker Buildx and authenticate to Docker Hub for multi-arch
+  image builds. Centralizes the QEMU/Buildx/login trio used by release,
+  preview, and stable workflows.
+
+inputs:
+  dockerhub-username:
+    description: "Docker Hub username (pass from secrets)"
+    required: true
+  dockerhub-token:
+    description: "Docker Hub token/password (pass from secrets)"
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
+    - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+    - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+      with:
+        username: ${{ inputs.dockerhub-username }}
+        password: ${{ inputs.dockerhub-token }}
diff --git a/.github/actions/setup-sfw/action.yml b/.github/actions/setup-sfw/action.yml
@@ -0,0 +1,39 @@
+name: "Set up Socket Firewall (free)"
+description: >-
+  Set up the requested language toolchain and install Socket Firewall (free
+  edition) so subsequent steps can run package-manager commands wrapped with
+  `sfw`. Free/anonymous mode -- no API token, safe on untrusted/Dependabot PRs.
+
+inputs:
+  python:
+    description: "Set up Python 3.12"
+    default: "false"
+  node:
+    description: "Set up Node 20 (needed for npm-wrapped checks)"
+    default: "false"
+  uv:
+    description: "Install uv (implies Python)"
+    default: "false"
+
+runs:
+  using: "composite"
+  steps:
+    - if: ${{ inputs.python == 'true' || inputs.uv == 'true' }}
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      with:
+        python-version: "3.12"
+
+    - if: ${{ inputs.node == 'true' }}
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+      with:
+        node-version: "20"
+
+    # Official Socket setup action. Wires up sfw routing correctly.
+    - uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2
+      with:
+        mode: firewall-free
+
+    - if: ${{ inputs.uv == 'true' }}
+      name: Install uv
+      shell: bash
+      run: python -m pip install --upgrade pip uv
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -38,7 +38,9 @@ updates:
 
   # GitHub Actions used in workflows
   - package-ecosystem: "github-actions"
-    directory: "/"
+    directories:
+      - "/"
+      - "/.github/actions/*"
     schedule:
       interval: "weekly"
     open-pull-requests-limit: 2
diff --git a/.github/workflows/dependabot-review.yml b/.github/workflows/dependabot-review.yml
@@ -94,16 +94,9 @@ jobs:
           fetch-depth: 1
           persist-credentials: false
 
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - uses: ./.github/actions/setup-sfw
         with:
-          python-version: "3.12"
-
-      - uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2
-        with:
-          mode: firewall-free
-
-      - name: Install uv
-        run: python -m pip install --upgrade pip uv
+          uv: "true"
 
       - name: Sync project through Socket Firewall
         # `sfw uv sync` is the intended way to route uv through Socket Firewall
@@ -138,13 +131,9 @@ jobs:
           fetch-depth: 1
           persist-credentials: false
 
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+      - uses: ./.github/actions/setup-sfw
         with:
-          node-version: "20"
-
-      - uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2
-        with:
-          mode: firewall-free
+          node: "true"
 
       - name: Install fixture through Socket Firewall
         working-directory: tests/e2e/fixtures/simple-npm
@@ -161,13 +150,9 @@ jobs:
           fetch-depth: 1
           persist-credentials: false
 
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: "3.12"
-
-      - uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2
+      - uses: ./.github/actions/setup-sfw
         with:
-          mode: firewall-free
+          python: "true"
 
       - name: Install fixture through Socket Firewall
         working-directory: tests/e2e/fixtures/simple-pypi
diff --git a/.github/workflows/docker-stable.yml b/.github/workflows/docker-stable.yml
@@ -28,17 +28,11 @@ jobs:
           fi
           echo "Version ${INPUT_VERSION} found on PyPI - proceeding with release"
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
-
-      - name: Login to Docker Hub with Organization Token
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+      - name: Set up Docker publishing
+        uses: ./.github/actions/setup-docker-publish
         with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}
+          dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Build & Push Stable Docker
         uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
diff --git a/.github/workflows/pr-preview.yml b/.github/workflows/pr-preview.yml
@@ -141,18 +141,12 @@ jobs:
           echo "success=false" >> $GITHUB_OUTPUT
           exit 1
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
-
-      - name: Login to Docker Hub with Organization Token
+      - name: Set up Docker publishing
         if: steps.verify_package.outputs.success == 'true'
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        uses: ./.github/actions/setup-docker-publish
         with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}
+          dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Build & Push Docker Preview
         if: steps.verify_package.outputs.success == 'true'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -68,17 +68,11 @@ jobs:
         if: steps.version_check.outputs.pypi_exists != 'true'
         uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
-
-      - name: Login to Docker Hub with Organization Token
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+      - name: Set up Docker publishing
+        uses: ./.github/actions/setup-docker-publish
         with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}
+          dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Verify package is installable
         id: verify_package
