chore(deps): bundle Dependabot updates + harden dependency review workflows#78
Open
lelia wants to merge 1 commit into
Bundles 8 open Dependabot PRs into one verified change and hardens the Dependabot config + dependency-review workflows, mirroring the work in socket-sdk-python#84 and socket-python-cli#207/#217. Adds a supply-chain watch for the four core OSS tools Dependabot cannot cleanly track.

- uv.lock: idna 3.10->3.18 (CVE-2026-45409), pygments 2.19.2->2.20.0, pytest 8.4.2->9.0.3, urllib3 2.6.3->2.7.0
- _docker-pipeline.yml: bump 4 docker/* actions (setup-buildx, login, metadata, build-push)
- dependabot.yml: add uv ecosystem, group every ecosystem into minor/patch + major bundles, scan composite actions
- dependency-review.yml (was dependabot-review.yml): runs on every PR; free/enterprise sfw split; report artifacts; app_tests docker smoke
- core-tool-watch.yml + scripts/check_core_tools.py: discover latest versions of opengrep/trufflehog/trivy/socketdev and score them through the Socket API (socketdev SDK purl.post); drift issue + report artifact
- python-tests.yml: uv.lock drift guard

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Summary

Mirrors the Dependabot hardening patterns established in the Python SDK (SocketDev/socket-sdk-python#84) and Python CLI (SocketDev/socket-python-cli#207 + SocketDev/socket-python-cli#217), adapted to Socket Basics workflows. This adaptation includes support for both `uv.lock` and Dockerfiles, plus supply chain monitoring for the core OSS tools that Basics leverages. There are four components:

- `uv` ecosystem and groups every ecosystem into one minor/patch bundle + a separate major PR.

1. Dependencies (supersedes 8 Dependabot PRs)

The four Python bumps are transitive/dev deps — runtime constraints in `pyproject.toml` are unchanged; targeted `uv lock --upgrade-package` only (no unrelated lock churn). The four `docker/*` action SHAs all live in `_docker-pipeline.yml`. The three major action bumps are pin-by-SHA and validated by the smoke/publish builds. GitHub closing keywords don't close PRs, so the 8 Dependabot PRs must be closed manually after merge.

2. Dependabot config (`.github/dependabot.yml`)

- `uv` ecosystem — the gap that let the `idna`/`pygments`/`urllib3`/`pytest` PRs pile up ungrouped.
- `/.github/actions/*` (the new composite action).

3. Dependency review (`.github/workflows/dependency-review.yml`)

Renamed from `dependabot-review.yml` and now runs on every PR (not just Dependabot's). `inspect` classifies the PR; exactly one Socket Firewall job runs when Python deps change:

- (`firewall-enterprise` + `socket-token`) — trusted in-repo (non-fork) non-Dependabot PRs. Token is scoped to the `socket-firewall` environment, so only this job can read it.
- (`firewall-free`, anonymous, no token) — Dependabot, forks, external contributors, or whenever the token is absent.

Degrades to free whenever the token is missing, so it's safe to ship today and auto-upgrades to enterprise once the `socket-firewall` environment secret exists — no follow-up PR. Both jobs upload their `sfw` output as an artifact (`sfw-report-free` / `sfw-report-enterprise`). Docker dep changes: the main image is already build-smoke-tested by `smoke-test.yml`, so only the app_tests image (uncovered elsewhere) is built here.

4. Core-tool supply-chain watch (`core-tool-watch.yml` + `scripts/check_core_tools.py`)

The critical addition for socket-basics. Three of its four core tools — OpenGrep (SAST), TruffleHog (secrets), Trivy (containers) — ship as binaries / container images / GitHub releases that Dependabot can't track; the fourth, Socket SCA (`socketdev`), is a PyPI package. The watcher:

- `ARG`s + `uv.lock`.
- `socketdev` SDK's `purl.post()` that socket-basics already depends on: `pkg:pypi/socketdev@…`, `pkg:golang/github.com/trufflesecurity/trufflehog/v3@…`, `pkg:golang/github.com/aquasecurity/trivy@…`, `pkg:github/opengrep/opengrep@…` (best-effort; a missing result is reported, not failed).
- `watch`: analyze pinned and latest, report drift, upsert a `core-tool-drift` tracking issue.
- `build`: analyze the versions a build would bake in; fail on a malware/critical alert.
- `core-tools-report` artifact (markdown + JSON) and degrades to discovery-only when no token is present (e.g. fork PRs).

Live run today (no token yet) discovered: OpenGrep `v1.16.5` → `v1.22.0`, TruffleHog `3.93.8` → `v3.95.5`, Trivy `0.69.3` → `v0.71.0`, socketdev `3.0.29` → `3.1.1` — all flagged as drift. (Adopting those bumps is intentionally not part of this PR.)

5. Workflow plumbing

- `.github/actions/setup-sfw` composite action (Python 3.12 + uv + Socket Firewall, free/enterprise).
- `python-tests.yml` gains a `uv lock --locked` drift guard.
- `python-tests`, `smoke-test`, and `commit-lint` all behave correctly on dep bumps as-is.

Test plan

Local (all green):

- `uv lock --locked` (clean) · `uv sync --locked --extra dev` · import smoke
- `pytest tests/` — 139 passed
- `actionlint .github/workflows/*.yml` — clean
- `zizmor --offline .github/workflows .github/actions` — no findings
- `.github` files
- `scripts/check_core_tools.py` in both `watch` and `build` mode (token-absent degradation)

Pending (needs the `socket-firewall` environment secret):

- `python-sfw-smoke-enterprise` runs with the env-scoped token
- `python-sfw-smoke-free` runs without it
- `core-tool-watch` scheduled run scores all four PURLs through the Socket API