Dependabot hardening and workflow pipeline cleanup #217
Open
lelia wants to merge 11 commits into
Both workflows failed on every Dependabot PR for reasons that don't apply to
dependency bumps:
- PR Preview publishes a dev build to Test PyPI + Docker Hub. On a dependency
bump there's no version change, so the publish 400s ("File already exists")
-- and it needs publish secrets a Dependabot PR shouldn't carry anyway.
- Version Check requires an incremented app version, but Dependabot PRs touch
uv.lock / pyproject.toml without bumping socketsecurity's version, so the
check always fails.
Add a job-level `if` to skip each on `dependabot[bot]`-authored PRs (same
pattern already used for e2e-test.yml). Job-level skips report as "skipped"
rather than blocking, and these stay required for human-authored PRs.
Follow-up to #207 (the Dependabot review hardening), addressing fallout
observed once that config went live on real Dependabot PRs.
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
🚀 Preview package published!
Install with: pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketsecurity==2.3.0.dev19
Docker image:
`sfw uv sync` is the intended way to route uv through Socket Firewall (per Socket's own uv-wrapper guidance), so the python-sfw-smoke job was already exercising the firewall -- uv's integration is just quieter than npm/pip (no "N packages fetched" footer), which made it look like a no-op.
Add `--locked` so the check verifies the exact uv.lock set and fails on lockfile drift instead of silently re-resolving to newer versions than the PR locked. This makes the firewall inspect precisely what would be installed and aligns with the deterministic-verification guidance for uv-based repos.
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Replace the hand-rolled `npm install -g sfw` in all three sfw smoke jobs with the official setup action (socketdev/action@v1.3.2, mode: firewall-free).
Why:
- It's the documented GitHub Actions integration for Socket Firewall Free and wires up sfw routing correctly, rather than relying on an ad-hoc global npm install. This is the right mitigation for the class of Wrapper-Mode routing gaps where sfw can fail to proxy fetches from files.pythonhosted.org (tracked upstream as ENG-4871) -- exactly the "no interception" symptom that made the python job look like a no-op.
- The Python jobs no longer need actions/setup-node at all (the action provides sfw directly), so those steps are dropped; the npm fixture job keeps setup-node since `npm install` needs it.
Setup mode is firewall-free (anonymous, no API token) -- unchanged, and the reason this is safe to run on Dependabot/untrusted PRs. Our setup is Wrapper Mode + free edition + no CodeArtifact, so the Registry Mode + CodeArtifact `uv sync`/`uv lock` issue (CE-171) does not apply.
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
sfw-action
The three sfw smoke jobs (python / npm-fixture / pypi-fixture) repeated the same setup: toolchain bootstrap + socketdev/action install. GitHub Actions doesn't support YAML anchors, so extract the shared setup into a local composite action instead.
- New .github/actions/setup-sfw: optional Python/Node/uv toolchain inputs + the socketdev/action (firewall-free) install.
- Each job now just declares the toolchain it needs (`uv`, `node`, or `python`) and runs its own distinct sfw command.
Net effect: the pinned socketdev/action SHA now lives in ONE place (future bumps touch a single line), the per-job setup-python/setup-node duplication is gone, and each job body is reduced to its actual firewall check. No behavior change.
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Performance (PR preview, the iterative-feedback path):
- Add a concurrency group with cancel-in-progress so pushing a PR again cancels the superseded (slow) preview run instead of letting it churn.
- Build preview images amd64-only. arm64 under QEMU emulation was the slowest part of the job, and preview images are for quick testing; release/stable keep multi-arch.
- Enable GitHub Actions Docker layer cache (type=gha) on all image builds so unchanged layers are reused across runs.
De-duplication (GitHub Actions has no YAML anchors, so use composite actions):
- New .github/actions/setup-docker-publish: the QEMU + Buildx + Docker Hub login trio, shared by release.yml, pr-preview.yml, and docker-stable.yml. These had drifted to three different pinned SHA sets; now there is one. (Docker Hub creds are passed as inputs since composite actions can't read secrets directly.)
- New .github/actions/setup-hatch: the pinned virtualenv/hatchling/hatch install shared by release.yml and pr-preview.yml.
No behavior change to what gets published; only how the pipelines are assembled and how fast/parallel they run.
Stacked on #217 (lelia/fix-dependabot-checks) to avoid a pr-preview.yml conflict with that PR's Dependabot skip; rebase onto main once #217 lands.
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Bump every third-party action to its latest git-tagged release, pinned to the resolved commit SHA with a trailing '# vX.Y.Z' comment for readability:
  actions/checkout -> v6.0.2
  actions/setup-python -> v6.2.0
  actions/setup-node -> v6.4.0
  actions/github-script -> v9.0.0
  pypa/gh-action-pypi-publish -> v1.14.0
  docker/setup-qemu-action -> v4.1.0
  docker/setup-buildx-action -> v4.1.0
  docker/login-action -> v4.2.0
  docker/build-push-action -> v7.2.0
  socketdev/action -> v1.3.2 (comment only)
Applied across the setup-sfw composite action and all workflows, including docker-stable.yml which previously used floating major-version comments.
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
All alerts resolved. Learn more about Socket for GitHub. This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored. Ignoring alerts on:
…' into lelia/fix-dependabot-checks
# Conflicts:
#	.github/workflows/docker-stable.yml
#	.github/workflows/pr-preview.yml
#	.github/workflows/release.yml
sfw-action
@SocketSecurity-Staging ignore github/actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
Summary
Follow-up to #207. Once the Dependabot review hardening ran on real Dependabot PRs (#212, #213, #215, #216), a few CI issues surfaced. This PR fixes those checks and also folds in the workflow pipeline cleanup from #218 so there is one PR to review and merge.
Dependabot PR behavior
- `uv.lock`/`pyproject.toml` bumps do not require an app-version increment.
- `dependabot-review.yml` as the unprivileged `pull_request` guardrail for Dependabot-authored dependency changes.
- `.github/actions/**` changes as workflow-sensitive in the Dependabot review notice, alongside `.github/workflows/**` and `.github/dependabot.yml`.
Socket Firewall smoke checks
- `socketdev/action` setup in `firewall-free` mode instead of `npm install -g sfw`.
- `.github/actions/setup-sfw`.
- `sfw uv sync --locked --extra test --extra dev` so the Python smoke check verifies the checked-in `uv.lock` set instead of silently re-resolving.
Workflow pipeline cleanup
- `.github/actions/setup-sfw`
- `.github/actions/setup-docker-publish`
- `.github/actions/setup-hatch`
- `linux/amd64`; release and stable Docker publishing still build `linux/amd64,linux/arm64`.
Dependabot composite-action coverage
The `github-actions` Dependabot entry now uses `directories` instead of a single `directory`:
Per GitHub's Dependabot options reference, `/` scans `/.github/workflows` plus root action metadata, and `directories` can list additional locations with wildcard support. That lets Dependabot scan action pins inside our local composite actions too.
Test plan
- `actionlint -shellcheck= .github/workflows/*.yml`
- `actionlint .github/workflows/dependabot-review.yml`
- `.github/dependabot.yml` and local composite `action.yml` files
- `git diff --check`
- `preview` + `check_version` show skipped; relevant `dependabot-review` smoke job runs
- `.github/actions/*` action pins are considered for updates
- `preview` + `check_version` still run as before
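
A check for the pinning convention described in the commits above (full commit SHA plus a trailing `# vX.Y.Z` comment), run over both workflows and the local composite actions that the `directories` change brings into Dependabot's scope. This is an added example, not code from this PR or repository; `audit_action_pins`, the sample file contents and the placeholder SHA are constructed for illustration.

```python
import re

# `uses:` step line (optionally a list item) with an optional trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^'\"\s#]+)['\"]?\s*(?:#\s*(.*))?$")
SHA_RE = re.compile(r"[0-9a-f]{40}")
TAG_COMMENT_RE = re.compile(r"v\d+\.\d+\.\d+")

PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"  # constructed, not a real commit
SAMPLE_FILES = {  # constructed inputs, not the repository's actual files
    ".github/workflows/pr-preview.yml": f"""\
jobs:
  preview:
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA} # v6.0.2
      - uses: ./.github/actions/setup-hatch
      - uses: docker/login-action@v4
""",
    ".github/actions/setup-sfw/action.yml": f"""\
runs:
  using: composite
  steps:
    - uses: socketdev/action@{PLACEHOLDER_SHA}
""",
}


def audit_action_pins(files):
    """Return (path, line_no, ref, problem) for each third-party `uses:` that breaks the convention."""
    findings = []
    for path, text in sorted(files.items()):
        for line_no, line in enumerate(text.splitlines(), start=1):
            m = USES_RE.match(line)
            if not m:
                continue
            ref, comment = m.group(1), (m.group(2) or "").strip()
            # Local composite actions carry no ref; docker:// images are out of scope here.
            if ref.startswith(("./", "docker://")):
                continue
            version = ref.partition("@")[2]
            if not SHA_RE.fullmatch(version):
                findings.append((path, line_no, ref, "not pinned to a full commit SHA"))
            elif not TAG_COMMENT_RE.fullmatch(comment):
                findings.append((path, line_no, ref, "missing '# vX.Y.Z' comment"))
    return findings


if __name__ == "__main__":
    for finding in audit_action_pins(SAMPLE_FILES):
        print("%s:%d: %s: %s" % finding)
```

The regex matches single-line `uses:` entries only, so it is a lint-style guard to run alongside `actionlint`, not a YAML parser.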