Harden Dependabot reviews and bundle dependency updates

lelia · claude · lelia · commit b77634dd10cf · 2026-06-01T14:29:32.000-04:00
Mirrors the Dependabot hardening done in socket-python-cli (#207/#217/#218), adapted to this SDK (no Dockerfile, no e2e fixtures, hatch/pip build path). Bundle dependency updates (supersedes 4 open Dependabot PRs): - idna 3.11 -> 3.17 (security: CVE-2026-45409 quadratic-time DoS fix) - cryptography 46.0.5 -> 46.0.7 - pygments 2.19.2 -> 2.20.0 - uv 0.9.21 -> 0.11.17 Verified via uv sync --locked, import smoke, and pytest tests/unit (102 passed). Adds grouped/cooldowned dependabot.yml (uv + github-actions), a dependabot-review workflow running anonymous Socket Firewall smoke jobs, Version Check / PR Preview skips for Dependabot PRs, and setup-sfw / setup-hatch composite actions. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
diff --git a/.github/actions/setup-hatch/action.yml b/.github/actions/setup-hatch/action.yml
@@ -0,0 +1,13 @@
+name: "Set up Hatch build tooling"
+description: >-
+  Install the pinned hatch / hatchling / virtualenv toolchain used to build
+  and publish the package. Assumes Python is already set up by the caller.
+
+runs:
+  using: "composite"
+  steps:
+    - shell: bash
+      run: |
+        python -m pip install --upgrade pip
+        pip install "virtualenv<20.36"
+        pip install hatchling==1.27.0 hatch==1.14.0
diff --git a/.github/actions/setup-sfw/action.yml b/.github/actions/setup-sfw/action.yml
@@ -0,0 +1,31 @@
+name: "Set up Socket Firewall (free)"
+description: >-
+  Set up the requested language toolchain and install Socket Firewall (free
+  edition) so subsequent steps can run package-manager commands wrapped with
+  `sfw`. Free/anonymous mode -- no API token, safe on untrusted/Dependabot PRs.
+
+inputs:
+  python:
+    description: "Set up Python 3.12"
+    default: "false"
+  uv:
+    description: "Install uv (implies Python)"
+    default: "false"
+
+runs:
+  using: "composite"
+  steps:
+    - if: ${{ inputs.python == 'true' || inputs.uv == 'true' }}
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      with:
+        python-version: "3.12"
+
+    # Official Socket setup action. Wires up sfw routing correctly.
+    - uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2
+      with:
+        mode: firewall-free
+
+    - if: ${{ inputs.uv == 'true' }}
+      name: Install uv
+      shell: bash
+      run: python -m pip install --upgrade pip uv
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,63 @@
+# Dependabot configuration for socket-sdk-python.
+#
+# Design notes:
+# - Python deps are grouped into a weekly PR (minor/patch), with a
+#   separate group for majors so breaking bumps stay reviewable.
+# - GitHub Actions are grouped similarly into one weekly PR, and Dependabot
+#   scans both the workflows and the local composite actions.
+# - 7-day cooldown enforced across all ecosystems.
+# - This repo ships no Dockerfile, so there is no docker ecosystem entry.
+
+version: 2
+updates:
+
+  # Python deps (uv-tracked via uv.lock)
+  - package-ecosystem: "uv"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 2
+    groups:
+      python-minor-patch:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+      python-major:
+        patterns:
+          - "*"
+        update-types:
+          - "major"
+    labels:
+      - "dependencies"
+      - "python:uv"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    cooldown:
+      default-days: 7
+
+  # GitHub Actions used in workflows and local composite actions.
+  - package-ecosystem: "github-actions"
+    directories:
+      - "/"
+      - "/.github/actions/*"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 2
+    groups:
+      github-actions-minor-patch:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+    labels:
+      - "dependencies"
+      - "github-actions"
+    commit-message:
+      prefix: "ci"
+      include: "scope"
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/dependabot-review.yml b/.github/workflows/dependabot-review.yml
@@ -0,0 +1,126 @@
+name: dependabot-review
+
+# Dependency-update PR guardrails for Dependabot-authored PRs.
+#
+# Runs only on PRs opened by dependabot[bot]. Inspects which files
+# changed, then conditionally runs a Socket Firewall (sfw) install smoke
+# job for the Python dependency set. Because sfw uses the free, anonymous
+# Socket public-data path it needs NO API key, so we can run it from the
+# unprivileged `pull_request` context without pull_request_target or any
+# of its security tradeoffs.
+#
+# Pattern adapted from SocketDev/socket-python-cli.
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: dependabot-review-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  inspect:
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    outputs:
+      python_deps_changed: ${{ steps.diff.outputs.python_deps_changed }}
+      workflow_or_action_changed: ${{ steps.diff.outputs.workflow_or_action_changed }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Inspect changed files
+        id: diff
+        env:
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+        run: |
+          CHANGED_FILES="$(git diff --name-only "$BASE_SHA" "$HEAD_SHA")"
+
+          {
+            echo "## Changed files"
+            echo '```'
+            printf '%s\n' "$CHANGED_FILES"
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
+
+          has_file() {
+            local pattern="$1"
+            if printf '%s\n' "$CHANGED_FILES" | grep -Eq "$pattern"; then
+              echo "true"
+            else
+              echo "false"
+            fi
+          }
+
+          {
+            echo "python_deps_changed=$(has_file '^(pyproject\.toml|uv\.lock)$')"
+            echo "workflow_or_action_changed=$(has_file '^\.github/workflows/|^\.github/actions/|^\.github/dependabot\.yml$')"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Summarize review expectations
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+        run: |
+          {
+            echo "## Dependabot Review Checklist"
+            echo "- PR: $PR_URL"
+            echo "- Confirm upstream release notes before merge"
+            echo "- Do not treat a Dependabot PR as trusted solely because of the actor"
+            echo "- This workflow runs in pull_request context only; no publish secrets are exposed"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+  python-sfw-smoke:
+    needs: inspect
+    if: needs.inspect.outputs.python_deps_changed == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 1
+          persist-credentials: false
+
+      - uses: ./.github/actions/setup-sfw
+        with:
+          uv: "true"
+
+      - name: Sync project through Socket Firewall
+        # `sfw uv sync` is the intended way to route uv through Socket Firewall
+        # (per Socket's own uv wrapper guidance). --locked verifies the exact
+        # uv.lock set and fails on lockfile drift rather than silently
+        # re-resolving, so the firewall inspects precisely what would install.
+        # Note: uv's sfw integration is quieter than npm/pip -- it does not
+        # print the "N packages fetched" footer, but interception is active.
+        run: sfw uv sync --locked --extra test --extra dev
+
+      - name: Import smoke test
+        run: |
+          uv run python -c "
+          import socketdev
+          from socketdev import socketdev as SocketDevClient
+          from socketdev.core.api import API
+          from socketdev.version import __version__
+          print('import smoke OK', __version__)
+          "
+
+  workflow-notice:
+    needs: inspect
+    if: needs.inspect.outputs.workflow_or_action_changed == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 2
+    steps:
+      - name: Flag workflow-sensitive updates
+        run: |
+          {
+            echo "## Sensitive File Notice"
+            echo "This Dependabot PR changes workflow or dependabot config files."
+            echo "Require explicit human review before merge."
+          } >> "$GITHUB_STEP_SUMMARY"
diff --git a/.github/workflows/pr-preview.yml b/.github/workflows/pr-preview.yml
@@ -3,8 +3,21 @@ on:
   pull_request:
     types: [opened, synchronize, ready_for_review]
 
+# Cancel an in-flight preview when the PR is pushed again -- previews publish
+# to Test PyPI, so superseded runs shouldn't keep churning.
+concurrency:
+  group: pr-preview-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
 jobs:
   preview:
+    # Skip on:
+    #  - PRs from forks (no access to publish secrets / OIDC)
+    #  - Dependabot PRs: preview-publishing a dependency bump to Test PyPI is
+    #    pointless (no package version bump) and would fail the version check.
+    if: >-
+      github.event.pull_request.head.repo.full_name == github.repository &&
+      github.event.pull_request.user.login != 'dependabot[bot]'
     runs-on: ubuntu-latest
     permissions:
       id-token: write
@@ -19,13 +32,8 @@ jobs:
         with:
           python-version: '3.13'
 
-      # Install all dependencies from pyproject.toml
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install "virtualenv<20.36"
-          pip install hatchling==1.27.0
-          pip install hatch==1.14.0
+      - name: Install build tooling
+        uses: ./.github/actions/setup-hatch
 
       - name: Inject full dynamic version
         run: python .hooks/sync_version.py --dev
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -18,14 +18,9 @@ jobs:
         with:
           python-version: '3.13'
 
-      # Install all dependencies from pyproject.toml
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install "virtualenv<20.36"
-          pip install hatchling==1.27.0
-          pip install hatch==1.14.0
-          
+      - name: Install build tooling
+        uses: ./.github/actions/setup-hatch
+
       - name: Get Version
         id: version
         env:
diff --git a/.github/workflows/version-check.yml b/.github/workflows/version-check.yml
@@ -14,6 +14,10 @@ permissions:
 
 jobs:
   check_version:
+    # Skip on Dependabot PRs: they bump dependencies (touching uv.lock /
+    # pyproject.toml) without bumping the package version, so the increment
+    # check would always fail. Package-version bumps come from maintainer PRs.
+    if: github.event.pull_request.user.login != 'dependabot[bot]'
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/uv.lock b/uv.lock
