Skip to content
dependency-review

Dependabot hardening + dependency update bundle #3

Sign in to view logs

Dependabot hardening + dependency update bundle

Dependabot hardening + dependency update bundle #3

Workflow file for this run

.github/workflows/dependency-review.yml at b0e50b0
name: dependency-review
# Supply-chain guardrails for dependency-update PRs -- for BOTH Dependabot
# and maintainers. Inspects the changed files, then runs a Socket Firewall
# (sfw) install smoke job for Python dependency changes, picking the firewall
# edition per-PR:
#
# - Trusted SocketDev members on an in-repo (non-fork) PR, when the
# SOCKET_API_TOKEN secret is present -> Socket Firewall ENTERPRISE
# (authenticated, full org-policy enforcement).
# - Everything else -- Dependabot, forks, external contributors, or a
# missing token -> Socket Firewall FREE (anonymous, no API token), which
# is safe in the unprivileged `pull_request` context.
#
# The mode is computed in `inspect` and degrades to free whenever the token is
# absent (e.g. before it has been added to the repo/org, or on fork PRs where
# GitHub withholds secrets), so this workflow is safe to ship as-is and starts
# using the enterprise edition automatically once the secret exists.
#
# Pattern adapted from SocketDev/socket-python-cli.
on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
permissions:
contents: read
concurrency:
group: dependency-review-${{ github.event.pull_request.number }}
cancel-in-progress: true
jobs:
inspect:
runs-on: ubuntu-latest
timeout-minutes: 5
outputs:
python_deps_changed: ${{ steps.diff.outputs.python_deps_changed }}
workflow_or_action_changed: ${{ steps.diff.outputs.workflow_or_action_changed }}
sfw_mode: ${{ steps.mode.outputs.sfw_mode }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false
- name: Inspect changed files
id: diff
env:
BASE_SHA: ${{ github.event.pull_request.base.sha }}
HEAD_SHA: ${{ github.event.pull_request.head.sha }}
run: |
CHANGED_FILES="$(git diff --name-only "$BASE_SHA" "$HEAD_SHA")"
{
echo "## Changed files"
echo '```'
printf '%s\n' "$CHANGED_FILES"
echo '```'
} >> "$GITHUB_STEP_SUMMARY"
has_file() {
local pattern="$1"
if printf '%s\n' "$CHANGED_FILES" | grep -Eq "$pattern"; then
echo "true"
else
echo "false"
fi
}
{
echo "python_deps_changed=$(has_file '^(pyproject\.toml|uv\.lock)$')"
echo "workflow_or_action_changed=$(has_file '^\.github/workflows/|^\.github/actions/|^\.github/dependabot\.yml$')"
} >> "$GITHUB_OUTPUT"
- name: Determine Socket Firewall mode
id: mode
env:
IS_DEPENDABOT: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
IS_FORK: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
AUTHOR_ASSOC: ${{ github.event.pull_request.author_association }}
# Empty for fork PRs (secrets withheld) and until the secret is added.
SOCKET_API_TOKEN: ${{ secrets.SOCKET_API_TOKEN }}
run: |
mode=firewall-free
# Enterprise only for a SocketDev org member (OWNER/MEMBER) on an
# in-repo PR, and only when the token is actually present. Everything
# else -- Dependabot, forks, outside collaborators, external
# contributors, or a missing token -- uses the free edition.
if [ "$IS_DEPENDABOT" != "true" ] \
&& [ "$IS_FORK" != "true" ] \
&& [ -n "$SOCKET_API_TOKEN" ] \
&& printf '%s' "$AUTHOR_ASSOC" | grep -qE '^(OWNER|MEMBER)$'; then
mode=firewall-enterprise
fi
echo "sfw_mode=$mode" >> "$GITHUB_OUTPUT"
{
echo "## Socket Firewall mode: \`$mode\`"
echo "- author_association: \`$AUTHOR_ASSOC\`"
echo "- dependabot: \`$IS_DEPENDABOT\` | fork: \`$IS_FORK\`"
} >> "$GITHUB_STEP_SUMMARY"
- name: Summarize review expectations
env:
PR_URL: ${{ github.event.pull_request.html_url }}
run: |
{
echo "## Dependency Review Checklist"
echo "- PR: $PR_URL"
echo "- Confirm upstream release notes before merge"
echo "- Do not treat a dependency PR as trusted solely because of the actor"
echo "- This workflow runs in pull_request context only; no publish secrets are exposed"
} >> "$GITHUB_STEP_SUMMARY"
python-sfw-smoke:
needs: inspect
if: needs.inspect.outputs.python_deps_changed == 'true'
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1
persist-credentials: false
- uses: ./.github/actions/setup-sfw
with:
uv: "true"
mode: ${{ needs.inspect.outputs.sfw_mode }}
socket-token: ${{ secrets.SOCKET_API_TOKEN }}
- name: Sync project through Socket Firewall
# `sfw uv sync` is the intended way to route uv through Socket Firewall
# (per Socket's own uv wrapper guidance). --locked verifies the exact
# uv.lock set and fails on lockfile drift rather than silently
# re-resolving, so the firewall inspects precisely what would install.
# Note: uv's sfw integration is quieter than npm/pip -- it does not
# print the "N packages fetched" footer, but interception is active.
#
# Use the runner's setup-python interpreter and forbid managed-Python
# downloads: .python-version pins an exact patch (3.12.7) that uv would
# otherwise fetch from GitHub, which the firewall's TLS interception
# blocks. The firewall is here to vet PyPI installs, not the toolchain.
env:
UV_PYTHON: "3.12"
UV_PYTHON_DOWNLOADS: never
run: sfw uv sync --locked --extra test --extra dev
- name: Import smoke test
run: |
uv run python -c "
import socketdev
from socketdev import socketdev as SocketDevClient
from socketdev.core.api import API
from socketdev.version import __version__
print('import smoke OK', __version__)
"
workflow-notice:
needs: inspect
if: needs.inspect.outputs.workflow_or_action_changed == 'true'
runs-on: ubuntu-latest
timeout-minutes: 2
steps:
- name: Flag workflow-sensitive updates
run: |
{
echo "## Sensitive File Notice"
echo "This PR changes workflow, composite-action, or dependabot config files."
echo "Require explicit human review before merge."
} >> "$GITHUB_STEP_SUMMARY"