Skip to content
dependency-review

Dependabot hardening and workflow pipeline cleanup #4

Sign in to view logs

Dependabot hardening and workflow pipeline cleanup

Dependabot hardening and workflow pipeline cleanup #4

Workflow file for this run

.github/workflows/dependency-review.yml at 41be66a
name: dependency-review
# Supply-chain guardrails for dependency-update PRs -- for BOTH Dependabot
# and maintainers.
#
# Inspects the changed files, then conditionally runs Socket Firewall (sfw)
# install smoke jobs for the affected manifests, picking the firewall edition
# per PR:
#
# - SocketDev org members on an in-repo (non-fork) PR, when
# SOCKET_SFW_API_TOKEN is present -> Socket Firewall ENTERPRISE
# (authenticated, full org-policy enforcement).
# - Everything else -- Dependabot, forks, outside collaborators, external
# contributors, or a missing token -> Socket Firewall FREE (anonymous, no
# API token), which is safe in the unprivileged `pull_request` context.
#
# The mode degrades to free whenever the token is absent, so this workflow is
# safe to ship before the secret exists and starts using enterprise
# automatically once a Socket API token secret is configured.
#
# Pattern adapted from SocketDev/socket-basics.
on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
permissions:
contents: read
concurrency:
group: dependency-review-${{ github.event.pull_request.number }}
cancel-in-progress: true
jobs:
inspect:
runs-on: ubuntu-latest
timeout-minutes: 5
outputs:
python_deps_changed: ${{ steps.diff.outputs.python_deps_changed }}
fixture_npm_changed: ${{ steps.diff.outputs.fixture_npm_changed }}
fixture_pypi_changed: ${{ steps.diff.outputs.fixture_pypi_changed }}
dockerfile_changed: ${{ steps.diff.outputs.dockerfile_changed }}
workflow_or_action_changed: ${{ steps.diff.outputs.workflow_or_action_changed }}
sfw_mode: ${{ steps.mode.outputs.sfw_mode }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false
- name: Inspect changed files
id: diff
env:
BASE_SHA: ${{ github.event.pull_request.base.sha }}
HEAD_SHA: ${{ github.event.pull_request.head.sha }}
run: |
CHANGED_FILES="$(git diff --name-only "$BASE_SHA" "$HEAD_SHA")"
{
echo "## Changed files"
echo '```'
printf '%s\n' "$CHANGED_FILES"
echo '```'
} >> "$GITHUB_STEP_SUMMARY"
has_file() {
local pattern="$1"
if printf '%s\n' "$CHANGED_FILES" | grep -Eq "$pattern"; then
echo "true"
else
echo "false"
fi
}
{
echo "python_deps_changed=$(has_file '^(pyproject\.toml|uv\.lock)$')"
echo "fixture_npm_changed=$(has_file '^tests/e2e/fixtures/simple-npm/')"
echo "fixture_pypi_changed=$(has_file '^tests/e2e/fixtures/simple-pypi/')"
echo "dockerfile_changed=$(has_file '^Dockerfile$')"
echo "workflow_or_action_changed=$(has_file '^\.github/workflows/|^\.github/actions/|^\.github/dependabot\.yml$')"
} >> "$GITHUB_OUTPUT"
- name: Determine Socket Firewall mode
id: mode
env:
IS_DEPENDABOT: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
IS_FORK: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
AUTHOR_ASSOC: ${{ github.event.pull_request.author_association }}
# Empty for fork PRs (secrets withheld) and until a token secret is added.
SOCKET_SFW_API_TOKEN: ${{ secrets.SOCKET_SFW_API_TOKEN }}
run: |
mode=firewall-free
# Enterprise only for a SocketDev org member (OWNER/MEMBER) on an
# in-repo PR, and only when the token is actually present. Everything
# else -- Dependabot, forks, outside collaborators, external
# contributors, or a missing token -- uses the free edition.
if [ "$IS_DEPENDABOT" != "true" ] \
&& [ "$IS_FORK" != "true" ] \
&& [ -n "$SOCKET_SFW_API_TOKEN" ] \
&& printf '%s' "$AUTHOR_ASSOC" | grep -qE '^(OWNER|MEMBER)$'; then
mode=firewall-enterprise
fi
echo "sfw_mode=$mode" >> "$GITHUB_OUTPUT"
{
echo "## Socket Firewall mode: \`$mode\`"
echo "- author_association: \`$AUTHOR_ASSOC\`"
echo "- dependabot: \`$IS_DEPENDABOT\` | fork: \`$IS_FORK\`"
} >> "$GITHUB_STEP_SUMMARY"
- name: Summarize review expectations
env:
PR_URL: ${{ github.event.pull_request.html_url }}
run: |
{
echo "## Dependency Review Checklist"
echo "- PR: $PR_URL"
echo "- Confirm upstream release notes before merge"
echo "- Do not treat a dependency PR as trusted solely because of the actor"
echo "- This workflow runs in pull_request context only; no publish secrets are exposed"
} >> "$GITHUB_STEP_SUMMARY"
python-sfw-smoke:
needs: inspect
if: needs.inspect.outputs.python_deps_changed == 'true'
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1
persist-credentials: false
- uses: ./.github/actions/setup-sfw
with:
uv: "true"
mode: ${{ needs.inspect.outputs.sfw_mode }}
socket-token: ${{ secrets.SOCKET_SFW_API_TOKEN }}
- name: Sync project through Socket Firewall
# `sfw uv sync` is the intended way to route uv through Socket Firewall
# (per Socket's own uv wrapper guidance). --locked verifies the exact
# uv.lock set and fails on lockfile drift rather than silently
# re-resolving, so the firewall inspects precisely what would install.
# Note: uv's sfw integration is quieter than npm/pip -- it does not
# print the "N packages fetched" footer, but interception is active.
#
# Use the runner's setup-python interpreter and forbid managed-Python
# downloads. The firewall is here to vet PyPI installs, not the
# interpreter/toolchain download path.
env:
UV_PYTHON: "3.12"
UV_PYTHON_DOWNLOADS: never
run: sfw uv sync --locked --extra test --extra dev
- name: Import smoke test
env:
UV_PYTHON: "3.12"
UV_PYTHON_DOWNLOADS: never
run: |
uv run python -c "
from socketsecurity.socketcli import cli, build_socket_sdk
from socketsecurity.core import Core
from socketsecurity.core.exceptions import (
APIFailure, RequestTimeoutExceeded, APIResourceNotFound,
)
from socketsecurity.core.git_interface import Git
from socketsecurity.config import CliConfig
print('import smoke OK')
"
fixture-npm-sfw-smoke:
needs: inspect
if: needs.inspect.outputs.fixture_npm_changed == 'true'
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1
persist-credentials: false
- uses: ./.github/actions/setup-sfw
with:
node: "true"
mode: ${{ needs.inspect.outputs.sfw_mode }}
socket-token: ${{ secrets.SOCKET_SFW_API_TOKEN }}
- name: Install fixture through Socket Firewall
working-directory: tests/e2e/fixtures/simple-npm
run: sfw npm install --no-audit --no-fund --ignore-scripts
fixture-pypi-sfw-smoke:
needs: inspect
if: needs.inspect.outputs.fixture_pypi_changed == 'true'
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1
persist-credentials: false
- uses: ./.github/actions/setup-sfw
with:
python: "true"
mode: ${{ needs.inspect.outputs.sfw_mode }}
socket-token: ${{ secrets.SOCKET_SFW_API_TOKEN }}
- name: Install fixture through Socket Firewall
working-directory: tests/e2e/fixtures/simple-pypi
run: |
python -m venv .venv
# shellcheck disable=SC1091
source .venv/bin/activate
sfw pip install -r requirements.txt
dockerfile-smoke:
needs: inspect
if: needs.inspect.outputs.dockerfile_changed == 'true'
runs-on: ubuntu-latest
timeout-minutes: 20
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1
persist-credentials: false
- name: Build the Dockerfile (no push)
run: docker build --pull -t socket-python-cli:dependabot-smoke .
workflow-notice:
needs: inspect
if: needs.inspect.outputs.workflow_or_action_changed == 'true'
runs-on: ubuntu-latest
timeout-minutes: 2
steps:
- name: Flag workflow-sensitive updates
run: |
{
echo "## Sensitive File Notice"
echo "This PR changes workflow, composite-action, or dependabot config files."
echo "Require explicit human review before merge."
} >> "$GITHUB_STEP_SUMMARY"