Dependabot hardening and workflow pipeline cleanup #217
Open
lelia wants to merge 17 commits into
Both workflows failed on every Dependabot PR for reasons that don't apply to
dependency bumps:
- PR Preview publishes a dev build to Test PyPI + Docker Hub. On a dependency
bump there's no version change, so the publish 400s ("File already exists")
-- and it needs publish secrets a Dependabot PR shouldn't carry anyway.
- Version Check requires an incremented app version, but Dependabot PRs touch
uv.lock / pyproject.toml without bumping socketsecurity's version, so the
check always fails.
Add a job-level `if` to skip each on `dependabot[bot]`-authored PRs (same
pattern already used for e2e-test.yml). Job-level skips report as "skipped"
rather than blocking, and these stay required for human-authored PRs.
Follow-up to #207 (the Dependabot review hardening), addressing fallout
observed once that config went live on real Dependabot PRs.
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
🚀 Preview package published!
Install with: `pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketsecurity==2.3.0.dev22`
Docker image:
`sfw uv sync` is the intended way to route uv through Socket Firewall (per Socket's own uv-wrapper guidance), so the python-sfw-smoke job was already exercising the firewall -- uv's integration is just quieter than npm/pip (no "N packages fetched" footer), which made it look like a no-op.

Add `--locked` so the check verifies the exact uv.lock set and fails on lockfile drift instead of silently re-resolving to newer versions than the PR locked. This makes the firewall inspect precisely what would be installed and aligns with the deterministic-verification guidance for uv-based repos.

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Replace the hand-rolled `npm install -g sfw` in all three sfw smoke jobs with the official setup action (socketdev/action@v1.3.2, mode: firewall-free).

Why:
- It's the documented GitHub Actions integration for Socket Firewall Free and wires up sfw routing correctly, rather than relying on an ad-hoc global npm install. This is the right mitigation for the class of Wrapper-Mode routing gaps where sfw can fail to proxy fetches from files.pythonhosted.org (tracked upstream as ENG-4871) -- exactly the "no interception" symptom that made the python job look like a no-op.
- The Python jobs no longer need actions/setup-node at all (the action provides sfw directly), so those steps are dropped; the npm fixture job keeps setup-node since `npm install` needs it.

Setup mode is firewall-free (anonymous, no API token) -- unchanged, and the reason this is safe to run on Dependabot/untrusted PRs. Our setup is Wrapper Mode + free edition + no CodeArtifact, so the Registry Mode + CodeArtifact `uv sync`/`uv lock` issue (CE-171) does not apply.

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
sfw-action
The three sfw smoke jobs (python / npm-fixture / pypi-fixture) repeated the same setup: toolchain bootstrap + socketdev/action install. GitHub Actions doesn't support YAML anchors, so extract the shared setup into a local composite action instead.

- New .github/actions/setup-sfw: optional Python/Node/uv toolchain inputs + the socketdev/action (firewall-free) install.
- Each job now just declares the toolchain it needs (`uv`, `node`, or `python`) and runs its own distinct sfw command.

Net effect: the pinned socketdev/action SHA now lives in ONE place (future bumps touch a single line), the per-job setup-python/setup-node duplication is gone, and each job body is reduced to its actual firewall check. No behavior change.

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Performance (PR preview, the iterative-feedback path):
- Add a concurrency group with cancel-in-progress so pushing a PR again cancels the superseded (slow) preview run instead of letting it churn.
- Build preview images amd64-only. arm64 under QEMU emulation was the slowest part of the job, and preview images are for quick testing; release/stable keep multi-arch.
- Enable GitHub Actions Docker layer cache (type=gha) on all image builds so unchanged layers are reused across runs.

De-duplication (GitHub Actions has no YAML anchors, so use composite actions):
- New .github/actions/setup-docker-publish: the QEMU + Buildx + Docker Hub login trio, shared by release.yml, pr-preview.yml, and docker-stable.yml. These had drifted to three different pinned SHA sets; now there is one. (Docker Hub creds are passed as inputs since composite actions can't read secrets directly.)
- New .github/actions/setup-hatch: the pinned virtualenv/hatchling/hatch install shared by release.yml and pr-preview.yml.

No behavior change to what gets published; only how the pipelines are assembled and how fast/parallel they run.

Stacked on #217 (lelia/fix-dependabot-checks) to avoid a pr-preview.yml conflict with that PR's Dependabot skip; rebase onto main once #217 lands.

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Bump every third-party action to its latest git-tagged release, pinned to the resolved commit SHA with a trailing '# vX.Y.Z' comment for readability:

  actions/checkout -> v6.0.2
  actions/setup-python -> v6.2.0
  actions/setup-node -> v6.4.0
  actions/github-script -> v9.0.0
  pypa/gh-action-pypi-publish -> v1.14.0
  docker/setup-qemu-action -> v4.1.0
  docker/setup-buildx-action -> v4.1.0
  docker/login-action -> v4.2.0
  docker/build-push-action -> v7.2.0
  socketdev/action -> v1.3.2 (comment only)

Applied across the setup-sfw composite action and all workflows, including docker-stable.yml which previously used floating major-version comments.

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
All alerts resolved. Learn more about Socket for GitHub. This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored. Ignoring alerts on:
…' into lelia/fix-dependabot-checks

# Conflicts:
#	.github/workflows/docker-stable.yml
#	.github/workflows/pr-preview.yml
#	.github/workflows/release.yml
sfw-action
@SocketSecurity-Staging ignore github/actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
Summary
Follow-up to #207 and aligned with the newer `socket-sdk-python` dependency-review work in SocketDev/socket-sdk-python#84. Once the original Dependabot hardening ran on real PRs, it exposed a bigger gap: Socket Firewall checks only covered Dependabot-style dependency bumps, not dependency changes proposed by Socket maintainers. This PR now fixes that by running dependency review on every PR and upgrading trusted in-repo PRs to Socket Firewall Enterprise through the `socket-firewall` GitHub Environment.

This PR also folds in the workflow pipeline cleanup from #218 so there is one PR to review and merge.
Dependency Review / Socket Firewall
- `dependabot-review.yml` to `dependency-review.yml` and runs `inspect` on every PR, not just Dependabot PRs.
- `pyproject.toml` / `uv.lock`
- `tests/e2e/fixtures/simple-npm/**`
- `tests/e2e/fixtures/simple-pypi/**`
- `firewall-enterprise` for any in-repo, non-fork PR that is not Dependabot's. This is the write-access boundary GitHub already uses for secret exposure and avoids misclassifying private org members whose `author_association` appears as `CONTRIBUTOR`.
- `firewall-free` for Dependabot and all fork PRs.
- `environment: socket-firewall`.
- `SOCKET_SFW_API_TOKEN` secret only from Enterprise jobs. Free jobs do not touch that environment or token.
- `pull_request` context; no `pull_request_target` secret exposure.
- `UV_PYTHON=3.12` and `UV_PYTHON_DOWNLOADS=never` for the `sfw uv sync` path so SFW scans PyPI package installs rather than uv-managed interpreter downloads.

Dependabot PR Behavior
- `uv.lock`/`pyproject.toml` bumps do not require an app-version increment.
- `.github/actions/**` changes as workflow-sensitive in the dependency-review notice, alongside `.github/workflows/**` and `.github/dependabot.yml`.

Workflow Pipeline Cleanup
- `.github/actions/setup-sfw`
- `.github/actions/setup-docker`
- `.github/actions/setup-hatch`
- `linux/amd64`; release and stable Docker publishing still build `linux/amd64,linux/arm64`.

Dependabot Composite-Action Coverage
The `github-actions` Dependabot entry uses `directories` so Dependabot scans workflow files and local composite actions:

Per GitHub's Dependabot options reference, `/` scans `/.github/workflows` plus root action metadata, and `directories` can list additional locations with wildcard support.

Test Plan
- `actionlint -shellcheck= .github/workflows/*.yml`
- `actionlint .github/workflows/dependency-review.yml`
- `zizmor .github --gh-token "$GITHUB_TOKEN" --min-severity medium`
- `.github/dependabot.yml`, local composite `action.yml` files, and `dependency-review.yml`
- `git diff --check`
- `socket-firewall` environment and `SOCKET_SFW_API_TOKEN`
- `preview` + `check_version` still run as before
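
The trust boundary described under "Dependency Review / Socket Firewall", modelled in Python over constructed `pull_request` event payloads. This is an added example, not code from this PR or the repository; `firewall_mode`, `make_event`, `classify_samples`, the repository name `example-org/example-cli` and the user names are hypothetical.

```python
DEPENDABOT = "dependabot[bot]"
ENTERPRISE, FREE = "firewall-enterprise", "firewall-free"


def firewall_mode(event):
    """Pick the Socket Firewall mode for a pull_request event payload.

    Fails closed: a missing or unexpected field yields the token-less mode.
    """
    pr = event.get("pull_request") or {}
    head_repo = (pr.get("head") or {}).get("repo") or {}  # null once a fork is deleted
    base_repo = (pr.get("base") or {}).get("repo") or {}
    author = (pr.get("user") or {}).get("login")
    head_name, base_name = head_repo.get("full_name"), base_repo.get("full_name")

    if not head_name or not base_name or not author:
        return FREE
    if head_name != base_name:   # fork PR: the head branch lives in another repository
        return FREE
    if author == DEPENDABOT:     # in-repo branch, but an automated dependency bump
        return FREE
    # author_association is deliberately not consulted: a private org member can
    # show up as CONTRIBUTOR, the same value an outside fork author may carry.
    return ENTERPRISE


def make_event(head_repo, login, association, base_repo="example-org/example-cli"):
    """Build a minimal constructed pull_request payload (sample data, not captured)."""
    head = {"repo": {"full_name": head_repo} if head_repo else None}
    return {"pull_request": {
        "head": head,
        "base": {"repo": {"full_name": base_repo}},
        "user": {"login": login},
        "author_association": association,
    }}


def classify_samples():
    """Run the decision over constructed cases, one per branch of the policy."""
    repo = "example-org/example-cli"
    samples = {
        "maintainer_branch": make_event(repo, "alice", "MEMBER"),
        "private_member_branch": make_event(repo, "bob", "CONTRIBUTOR"),
        "fork_pr": make_event("mallory/example-cli", "mallory", "CONTRIBUTOR"),
        "dependabot_bump": make_event(repo, DEPENDABOT, "CONTRIBUTOR"),
        "deleted_fork": make_event(None, "carol", "CONTRIBUTOR"),
    }
    return {name: firewall_mode(ev) for name, ev in samples.items()}
```

`private_member_branch` and `fork_pr` carry the same `author_association` yet land in different modes, which is why the decision keys on where the head branch lives.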