Use CLI Socket token for enterprise dependency review

lelia · lelia · commit 1ca3aa73d928 · 2026-06-01T16:06:54.000-04:00
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -7,16 +7,17 @@ name: dependency-review
 # install smoke jobs for the affected manifests, picking the firewall edition
 # per PR:
 #
-#   - Trusted SocketDev members on an in-repo (non-fork) PR, when the
-#     SOCKET_API_TOKEN secret is present -> Socket Firewall ENTERPRISE
+#   - Trusted SocketDev members on an in-repo (non-fork) PR, when
+#     SOCKET_API_TOKEN or SOCKET_CLI_API_TOKEN is present -> Socket Firewall
+#     ENTERPRISE
 #     (authenticated, full org-policy enforcement).
 #   - Everything else -- Dependabot, forks, external contributors, or a
 #     missing token -> Socket Firewall FREE (anonymous, no API token), which
 #     is safe in the unprivileged `pull_request` context.
 #
 # The mode degrades to free whenever the token is absent, so this workflow is
 # safe to ship before the secret exists and starts using enterprise
-# automatically once SOCKET_API_TOKEN is configured.
+# automatically once a Socket API token secret is configured.
 #
 # Pattern adapted from SocketDev/socket-basics.
 
@@ -86,8 +87,8 @@ jobs:
           IS_DEPENDABOT: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
           IS_FORK: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
           AUTHOR_ASSOC: ${{ github.event.pull_request.author_association }}
-          # Empty for fork PRs (secrets withheld) and until the secret is added.
-          SOCKET_API_TOKEN: ${{ secrets.SOCKET_API_TOKEN }}
+          # Empty for fork PRs (secrets withheld) and until a token secret is added.
+          SOCKET_API_TOKEN: ${{ secrets.SOCKET_API_TOKEN || secrets.SOCKET_CLI_API_TOKEN }}
         run: |
           mode=firewall-free
           # Enterprise only for a trusted SocketDev member (OWNER/MEMBER) or
@@ -134,7 +135,7 @@ jobs:
         with:
           uv: "true"
           mode: ${{ needs.inspect.outputs.sfw_mode }}
-          socket-token: ${{ secrets.SOCKET_API_TOKEN }}
+          socket-token: ${{ secrets.SOCKET_API_TOKEN || secrets.SOCKET_CLI_API_TOKEN }}
 
       - name: Sync project through Socket Firewall
         # `sfw uv sync` is the intended way to route uv through Socket Firewall
@@ -183,7 +184,7 @@ jobs:
         with:
           node: "true"
           mode: ${{ needs.inspect.outputs.sfw_mode }}
-          socket-token: ${{ secrets.SOCKET_API_TOKEN }}
+          socket-token: ${{ secrets.SOCKET_API_TOKEN || secrets.SOCKET_CLI_API_TOKEN }}
 
       - name: Install fixture through Socket Firewall
         working-directory: tests/e2e/fixtures/simple-npm
@@ -204,7 +205,7 @@ jobs:
         with:
           python: "true"
           mode: ${{ needs.inspect.outputs.sfw_mode }}
-          socket-token: ${{ secrets.SOCKET_API_TOKEN }}
+          socket-token: ${{ secrets.SOCKET_API_TOKEN || secrets.SOCKET_CLI_API_TOKEN }}
 
       - name: Install fixture through Socket Firewall
         working-directory: tests/e2e/fixtures/simple-pypi
