ci: use official socketdev/action for Socket Firewall setup

lelia · lelia · commit c2bc561130cb · 2026-05-29T19:09:40.000-04:00
Replace the hand-rolled `npm install -g sfw` in all three sfw smoke jobs with the official setup action (socketdev/action@v1.3.2, mode: firewall-free). Why: - It's the documented GitHub Actions integration for Socket Firewall Free and wires up sfw routing correctly, rather than relying on an ad-hoc global npm install. This is the right mitigation for the class of Wrapper-Mode routing gaps where sfw can fail to proxy fetches from files.pythonhosted.org (tracked upstream as ENG-4871) -- exactly the "no interception" symptom that made the python job look like a no-op. - The Python jobs no longer need actions/setup-node at all (the action provides sfw directly), so those steps are dropped; the npm fixture job keeps setup-node since `npm install` needs it. Setup mode is firewall-free (anonymous, no API token) -- unchanged, and the reason this is safe to run on Dependabot/untrusted PRs. Our setup is Wrapper Mode + free edition + no CodeArtifact, so the Registry Mode + CodeArtifact `uv sync`/`uv lock` issue (CE-171) does not apply. Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
diff --git a/.github/workflows/dependabot-review.yml b/.github/workflows/dependabot-review.yml
@@ -98,12 +98,12 @@ jobs:
         with:
           python-version: "3.12"
 
-      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af
+      # Official Socket setup action (free edition). Installs sfw and wires up
+      # routing correctly -- preferred over a hand-rolled `npm install -g sfw`.
+      - name: Set up Socket Firewall (free)
+        uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f  # v1.3.2
         with:
-          node-version: "20"
-
-      - name: Install Socket Firewall
-        run: npm install -g sfw
+          mode: firewall-free
 
       - name: Install uv
         run: python -m pip install --upgrade pip uv
@@ -145,8 +145,10 @@ jobs:
         with:
           node-version: "20"
 
-      - name: Install Socket Firewall
-        run: npm install -g sfw
+      - name: Set up Socket Firewall (free)
+        uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f  # v1.3.2
+        with:
+          mode: firewall-free
 
       - name: Install fixture through Socket Firewall
         working-directory: tests/e2e/fixtures/simple-npm
@@ -167,12 +169,10 @@ jobs:
         with:
           python-version: "3.12"
 
-      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af
+      - name: Set up Socket Firewall (free)
+        uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f  # v1.3.2
         with:
-          node-version: "20"
-
-      - name: Install Socket Firewall
-        run: npm install -g sfw
+          mode: firewall-free
 
       - name: Install fixture through Socket Firewall
         working-directory: tests/e2e/fixtures/simple-pypi
