Dependabot hardening: Fix CI checks, adopt sfw-action #217
Open
lelia wants to merge 3 commits into
Both workflows failed on every Dependabot PR for reasons that don't apply to
dependency bumps:
- PR Preview publishes a dev build to Test PyPI + Docker Hub. On a dependency
bump there's no version change, so the publish 400s ("File already exists")
-- and it needs publish secrets a Dependabot PR shouldn't carry anyway.
- Version Check requires an incremented app version, but Dependabot PRs touch
uv.lock / pyproject.toml without bumping socketsecurity's version, so the
check always fails.
Add a job-level `if` to skip each on `dependabot[bot]`-authored PRs (same
pattern already used for e2e-test.yml). Job-level skips report as "skipped"
rather than blocking, and these stay required for human-authored PRs.
Follow-up to #207 (the Dependabot review hardening), addressing fallout
observed once that config went live on real Dependabot PRs.
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
🚀 Preview package published! Install with: `pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketsecurity==2.3.0.dev13`
Docker image:
`sfw uv sync` is the intended way to route uv through Socket Firewall (per Socket's own uv-wrapper guidance), so the python-sfw-smoke job was already exercising the firewall -- uv's integration is just quieter than npm/pip (no "N packages fetched" footer), which made it look like a no-op.
Add `--locked` so the check verifies the exact uv.lock set and fails on lockfile drift instead of silently re-resolving to newer versions than the PR locked. This makes the firewall inspect precisely what would be installed and aligns with the deterministic-verification guidance for uv-based repos.
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Replace the hand-rolled `npm install -g sfw` in all three sfw smoke jobs with the official setup action (socketdev/action@v1.3.2, mode: firewall-free).
Why:
- It's the documented GitHub Actions integration for Socket Firewall Free and wires up sfw routing correctly, rather than relying on an ad-hoc global npm install. This is the right mitigation for the class of Wrapper-Mode routing gaps where sfw can fail to proxy fetches from files.pythonhosted.org (tracked upstream as ENG-4871) -- exactly the "no interception" symptom that made the python job look like a no-op.
- The Python jobs no longer need actions/setup-node at all (the action provides sfw directly), so those steps are dropped; the npm fixture job keeps setup-node since `npm install` needs it.
Setup mode is firewall-free (anonymous, no API token) -- unchanged, and the reason this is safe to run on Dependabot/untrusted PRs. Our setup is Wrapper Mode + free edition + no CodeArtifact, so the Registry Mode + CodeArtifact `uv sync`/`uv lock` issue (CE-171) does not apply.
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
Summary
Follow-up to #207. Once the Dependabot review hardening went live on real Dependabot PRs (#212, #213, #215, #216), a few CI issues surfaced. This PR fixes them.
1. Skip PR Preview + Version Check on Dependabot PRs
Both failed on every Dependabot PR for reasons that don't apply to dependency bumps:
- `File already exists`), and it needs publish secrets a Dependabot PR shouldn't carry.
- `uv.lock`/`pyproject.toml` without bumping `socketsecurity`'s version, so the check always fails.
Fix: job-level `if: github.event.pull_request.user.login != 'dependabot[bot]'` on each (same pattern as the existing `e2e-test.yml` skip). They report "skipped" (not failing/blocking) and stay fully in force for human PRs. No branch-protection changes.
2. Use the official Socket Firewall setup action
Replaced the hand-rolled `npm install -g sfw` in all three sfw smoke jobs with the official `socketdev/action` (SHA-pinned to v1.3.2, `mode: firewall-free`) — the documented GitHub Actions integration.
This is the right fix for the symptom where `python-sfw-smoke` looked like a no-op (no firewall output): the previous ad-hoc global install is prone to the Wrapper-Mode routing gap where sfw fails to proxy `files.pythonhosted.org` fetches (tracked upstream as ENG-4871). The official action wires routing up correctly. `firewall-free` is anonymous (no API token), which is what makes it safe on untrusted/Dependabot PRs.
Also pinned `sfw uv sync --locked` so the Python job verifies the exact `uv.lock` set and fails on drift rather than silently re-resolving.
Bonus: the Python jobs no longer need `actions/setup-node` (the action provides `sfw` directly); the npm-fixture job keeps it since `npm install` needs node.
Not changed
The per-ecosystem gating in `dependabot-review.yml` is correct as-is: a Python-deps PR runs `python-sfw-smoke` and skips the npm/pypi-fixture/docker jobs (they only run when those manifests change). GitHub Actions bumps get `workflow-notice` rather than an sfw job, since sfw gates package-manager installs, not Action pins.
Test plan
- `socketdev/action` ref resolves to a real commit (v1.3.2 = `ba6de6c`)
- `preview` + `check_version` show "skipped"; `python-sfw-smoke` runs via the official action; verify Socket Firewall output is now visible
- `preview` + `check_version` still run as before
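
A lint for the two workflow properties this PR relies on, written here as an added example and not taken from the PR or the repository: it flags jobs that reference `secrets.` without the job-level Dependabot skip, and `uses:` refs that are not pinned to a full 40-character commit SHA. The `unguarded-publish` job, `./publish.sh`, the secret name and the all-zero SHA are constructed placeholders, and the line-based parser assumes two-space YAML indentation rather than handling arbitrary YAML.

```python
import re

GUARD = "github.event.pull_request.user.login != 'dependabot[bot]'"
FULL_SHA = re.compile(r"[0-9a-f]{40}")
# Constructed workflow: publish.sh, the secret name, the unguarded job and the
# all-zero SHA are placeholders, not values from the repository.
SAMPLE = """\
jobs:
  preview:
    if: github.event.pull_request.user.login != 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - run: ./publish.sh "${{ secrets.EXAMPLE_PUBLISH_TOKEN }}"
  python-sfw-smoke:
    runs-on: ubuntu-latest
    steps:
      - uses: socketdev/action@PLACEHOLDER_SHA # v1.3.2
        with:
          mode: firewall-free
      - run: sfw uv sync --locked
  unguarded-publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./publish.sh "${{ secrets.EXAMPLE_PUBLISH_TOKEN }}"
""".replace("PLACEHOLDER_SHA", "0" * 40)

def split_jobs(text):
    """Map job name -> its lines, assuming two-space indentation under jobs:."""
    jobs, current, in_jobs = {}, None, False
    for line in text.splitlines():
        if line and not line.startswith((" ", "#")):  # a top-level key
            in_jobs, current = line.rstrip() == "jobs:", None
        elif in_jobs and (m := re.fullmatch(r"  ([\w-]+):\s*", line)):
            current = jobs.setdefault(m.group(1), [])
        elif current is not None:
            current.append(line)
    return jobs

def audit(text):
    """Flag secret-using jobs with no Dependabot skip, and non-SHA action refs."""
    findings = []
    for name, lines in split_jobs(text).items():
        guarded = any(re.match(r" {4}if:", l) and GUARD in l for l in lines)
        if not guarded and any("secrets." in l for l in lines):
            findings.append((name, "secrets without job-level Dependabot skip"))
        for ref in re.findall(r"\buses:\s*[^\s#@]+@([^\s#]+)", "\n".join(lines)):
            if not FULL_SHA.fullmatch(ref):
                findings.append((name, f"action ref '{ref}' is not a full SHA"))
    return findings
```

Calling `audit(SAMPLE)` reports only the `unguarded-publish` job; the guarded `preview` job and the SHA-pinned `python-sfw-smoke` job pass.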