@@ -7,13 +7,13 @@ name: dependency-review
77# install smoke jobs for the affected manifests, picking the firewall edition
88# per PR:
99#
10- # - Trusted SocketDev members on an in-repo (non-fork) PR, when
10+ # - SocketDev org members on an in-repo (non-fork) PR, when
1111# SOCKET_API_TOKEN or SOCKET_CLI_API_TOKEN is present -> Socket Firewall
1212# ENTERPRISE
1313# (authenticated, full org-policy enforcement).
14- # - Everything else -- Dependabot, forks, external contributors, or a
15- # missing token -> Socket Firewall FREE (anonymous, no API token), which
16- # is safe in the unprivileged `pull_request` context.
14+ # - Everything else -- Dependabot, forks, outside collaborators, external
15+ # contributors, or a missing token -> Socket Firewall FREE (anonymous, no
16+ # API token), which is safe in the unprivileged `pull_request` context.
1717#
1818# The mode degrades to free whenever the token is absent, so this workflow is
1919# safe to ship before the secret exists and starts using enterprise
@@ -91,13 +91,14 @@ jobs:
9191 SOCKET_API_TOKEN : ${{ secrets.SOCKET_API_TOKEN || secrets.SOCKET_CLI_API_TOKEN }}
9292 run : |
9393 mode=firewall-free
94- # Enterprise only for a trusted SocketDev member (OWNER/MEMBER) or
95- # repo collaborator on an in-repo PR, and only when the token is
96- # actually present. Anything else falls back to the free edition.
94+ # Enterprise only for a SocketDev org member (OWNER/MEMBER) on an
95+ # in-repo PR, and only when the token is actually present. Everything
96+ # else -- Dependabot, forks, outside collaborators, external
97+ # contributors, or a missing token -- uses the free edition.
9798 if [ "$IS_DEPENDABOT" != "true" ] \
9899 && [ "$IS_FORK" != "true" ] \
99100 && [ -n "$SOCKET_API_TOKEN" ] \
100- && printf '%s' "$AUTHOR_ASSOC" | grep -qE '^(OWNER|MEMBER|COLLABORATOR )$'; then
101+ && printf '%s' "$AUTHOR_ASSOC" | grep -qE '^(OWNER|MEMBER)$'; then
101102 mode=firewall-enterprise
102103 fi
103104
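Review bot: The enterprise gate tests for the absence of the unsafe value (`[ "$IS_DEPENDABOT" != "true" ]`, `[ "$IS_FORK" != "true" ]`) rather than the presence of the safe one, so an empty or unset `IS_FORK`/`IS_DEPENDABOT` (both are populated outside this hunk) would pass the check and, with a token and an OWNER/MEMBER author, select `firewall-enterprise` — the opposite of the "degrades to free" intent stated in the header comment. If those variables come from expressions that emit literal `true`/`false`, prefer `&& [ "$IS_DEPENDABOT" = "false" ] \` and `&& [ "$IS_FORK" = "false" ] \` so a missing signal fails toward the free edition. Separately, `AUTHOR_ASSOC` describes the PR author, whereas the manifests actually scanned come from the PR head, which anyone with write access can push to on an in-repo branch; a one-line caveat such as `# NOTE: gate is on the PR author, not on whoever pushed the head commit` would make that trust boundary explicit. The `mode` variable is consumed after the hunk ends.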