Bundle dependency updates, harden Dependabot reviews #1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: dependabot-review | |
| # Dependency-update PR guardrails for Dependabot-authored PRs. | |
| # | |
| # Runs only on PRs opened by dependabot[bot]. Inspects which files | |
| # changed, then conditionally runs Socket Firewall (sfw) install smoke | |
| # jobs for the affected manifests. Because sfw uses the free, anonymous | |
| # Socket public-data path it needs NO API key, so we can run it from | |
| # the unprivileged `pull_request` context without pull_request_target | |
| # or any of its security tradeoffs. | |
| # | |
| # Pattern adapted from SocketDev/socket-basics. | |
| on: | |
| pull_request: | |
| types: [opened, synchronize, reopened, ready_for_review] | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: dependabot-review-${{ github.event.pull_request.number }} | |
| cancel-in-progress: true | |
| jobs: | |
| inspect: | |
| if: github.event.pull_request.user.login == 'dependabot[bot]' | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| outputs: | |
| python_deps_changed: ${{ steps.diff.outputs.python_deps_changed }} | |
| fixture_npm_changed: ${{ steps.diff.outputs.fixture_npm_changed }} | |
| fixture_pypi_changed: ${{ steps.diff.outputs.fixture_pypi_changed }} | |
| dockerfile_changed: ${{ steps.diff.outputs.dockerfile_changed }} | |
| workflow_or_action_changed: ${{ steps.diff.outputs.workflow_or_action_changed }} | |
| steps: | |
| - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Inspect changed files | |
| id: diff | |
| env: | |
| BASE_SHA: ${{ github.event.pull_request.base.sha }} | |
| HEAD_SHA: ${{ github.event.pull_request.head.sha }} | |
| run: | | |
| CHANGED_FILES="$(git diff --name-only "$BASE_SHA" "$HEAD_SHA")" | |
| { | |
| echo "## Changed files" | |
| echo '```' | |
| printf '%s\n' "$CHANGED_FILES" | |
| echo '```' | |
| } >> "$GITHUB_STEP_SUMMARY" | |
| has_file() { | |
| local pattern="$1" | |
| if printf '%s\n' "$CHANGED_FILES" | grep -Eq "$pattern"; then | |
| echo "true" | |
| else | |
| echo "false" | |
| fi | |
| } | |
| { | |
| echo "python_deps_changed=$(has_file '^(pyproject\.toml|uv\.lock)$')" | |
| echo "fixture_npm_changed=$(has_file '^tests/e2e/fixtures/simple-npm/')" | |
| echo "fixture_pypi_changed=$(has_file '^tests/e2e/fixtures/simple-pypi/')" | |
| echo "dockerfile_changed=$(has_file '^Dockerfile$')" | |
| echo "workflow_or_action_changed=$(has_file '^\.github/workflows/|^\.github/dependabot\.yml$')" | |
| } >> "$GITHUB_OUTPUT" | |
| - name: Summarize review expectations | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| run: | | |
| { | |
| echo "## Dependabot Review Checklist" | |
| echo "- PR: $PR_URL" | |
| echo "- Confirm upstream release notes before merge" | |
| echo "- Do not treat a Dependabot PR as trusted solely because of the actor" | |
| echo "- This workflow runs in pull_request context only; no publish secrets are exposed" | |
| } >> "$GITHUB_STEP_SUMMARY" | |
| python-sfw-smoke: | |
| needs: inspect | |
| if: needs.inspect.outputs.python_deps_changed == 'true' | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| steps: | |
| - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 | |
| with: | |
| fetch-depth: 1 | |
| persist-credentials: false | |
| - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 | |
| with: | |
| python-version: "3.12" | |
| - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af | |
| with: | |
| node-version: "20" | |
| - name: Install Socket Firewall | |
| run: npm install -g sfw | |
| - name: Install uv | |
| run: python -m pip install --upgrade pip uv | |
| - name: Sync project through Socket Firewall | |
| run: sfw uv sync --extra test --extra dev | |
| - name: Import smoke test | |
| run: | | |
| uv run python -c " | |
| from socketsecurity.socketcli import cli, build_socket_sdk | |
| from socketsecurity.core import Core | |
| from socketsecurity.core.exceptions import ( | |
| APIFailure, RequestTimeoutExceeded, APIResourceNotFound, | |
| ) | |
| from socketsecurity.core.git_interface import Git | |
| from socketsecurity.config import CliConfig | |
| print('import smoke OK') | |
| " | |
| fixture-npm-sfw-smoke: | |
| needs: inspect | |
| if: needs.inspect.outputs.fixture_npm_changed == 'true' | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| steps: | |
| - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 | |
| with: | |
| fetch-depth: 1 | |
| persist-credentials: false | |
| - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af | |
| with: | |
| node-version: "20" | |
| - name: Install Socket Firewall | |
| run: npm install -g sfw | |
| - name: Install fixture through Socket Firewall | |
| working-directory: tests/e2e/fixtures/simple-npm | |
| run: sfw npm install --no-audit --no-fund --ignore-scripts | |
| fixture-pypi-sfw-smoke: | |
| needs: inspect | |
| if: needs.inspect.outputs.fixture_pypi_changed == 'true' | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| steps: | |
| - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 | |
| with: | |
| fetch-depth: 1 | |
| persist-credentials: false | |
| - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 | |
| with: | |
| python-version: "3.12" | |
| - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af | |
| with: | |
| node-version: "20" | |
| - name: Install Socket Firewall | |
| run: npm install -g sfw | |
| - name: Install fixture through Socket Firewall | |
| working-directory: tests/e2e/fixtures/simple-pypi | |
| run: | | |
| python -m venv .venv | |
| # shellcheck disable=SC1091 | |
| source .venv/bin/activate | |
| sfw pip install -r requirements.txt | |
| dockerfile-smoke: | |
| needs: inspect | |
| if: needs.inspect.outputs.dockerfile_changed == 'true' | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 20 | |
| steps: | |
| - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 | |
| with: | |
| fetch-depth: 1 | |
| persist-credentials: false | |
| - name: Build the Dockerfile (no push) | |
| run: docker build --pull -t socket-python-cli:dependabot-smoke . | |
| workflow-notice: | |
| needs: inspect | |
| if: needs.inspect.outputs.workflow_or_action_changed == 'true' | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 2 | |
| steps: | |
| - name: Flag workflow-sensitive updates | |
| run: | | |
| { | |
| echo "## Sensitive File Notice" | |
| echo "This Dependabot PR changes workflow or dependabot config files." | |
| echo "Require explicit human review before merge." | |
| } >> "$GITHUB_STEP_SUMMARY" |