fix(ci): use socket-registry setup action, remove pnpm/action-setup, update SHAs#1174
Open
…update SHAs Replace pnpm/action-setup with socket-registry's setup action which provides checksum-verified native pnpm and sfw-free with shims for all supported ecosystems (npm, yarn, pnpm, pip, uv, cargo). Remove cache: pnpm from actions/setup-node to eliminate cache-poisoning vectors. Update all socket-registry action SHAs to latest post-cascade main (4edf2e3c).
Replace separate setup + install steps with a single setup-and-install action call (checkout: false since we handle checkout ourselves). This removes all third-party setup actions: - pnpm/action-setup (replaced by socket-registry/setup's native pnpm) - actions/setup-node (replaced by socket-registry/setup's Node.js) Node version defaults to 25.9.0 from socket-registry. Test matrix jobs override with node-version input.
Summary
Modernize CI workflows on main to use the socket-registry shared actions for pnpm and sfw-free setup, replacing the third-party pnpm/action-setup action. All socket-registry action SHAs updated to latest post-cascade main.
What changed
- Replaced pnpm/action-setup with SocketDev/socket-registry/.github/actions/setup, which installs:
- Removed cache: 'pnpm' from actions/setup-node to eliminate cache-poisoning vectors flagged by zizmor
- Updated all socket-registry SHAs to 4edf2e3c (latest main after full Layer 1-4 cascade with native pnpm, native zizmor, sfw checksums, Windows fixes)
Files changed
- ci.yml
- provenance.yml
- weekly-update.yml
Third-party actions removed
- pnpm/action-setup@v5 → SocketDev/socket-registry/.github/actions/setup
Why this matters
Every pnpm install now runs through the Socket Firewall, which checks packages for malware before they reach the project. The sfw-free binary is downloaded once, checksum-verified, and creates transparent shims so pnpm, npm, yarn, pip, uv, and cargo all route through the firewall automatically. No code changes needed in workflows — the shims are invisible to the package managers.
Test plan
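The two CI hygiene points this PR acts on (pin third-party actions to full commit SHAs rather than mutable tags, and drop cache: 'pnpm' from actions/setup-node) can be checked mechanically. The following is an added example, not code from this PR, from socket-registry or from zizmor: a small line-based audit that reads a workflow file, flags any `uses:` reference whose ref is not a 40-character commit SHA, and flags a cache setting on an actions/setup-node step. The "before" and "after" workflow snippets are constructed for illustration; the 40-zero SHA in the "after" snippet is a placeholder, not the real socket-registry commit, and the `node-version` input is the only action input the PR text names.

```python
import re

# A ref is "pinned" only if it is a full 40-hex commit SHA; tags such as @v5
# are mutable and can be retargeted by the action's maintainer (or an attacker).
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
CACHE_RE = re.compile(r"^\s*cache:\s*['\"]?([\w-]+)")
STEP_START_RE = re.compile(r"^\s*-\s")


def split_steps(workflow_text):
    """Split workflow text into step blocks (lists of lines).

    Line-based approximation rather than a full YAML parse: a new block starts
    at each list item ('- '). Good enough for ordinary 'steps:' lists where
    the 'with:' mapping contains scalar values only.
    """
    steps, current = [], []
    for line in workflow_text.splitlines():
        if STEP_START_RE.match(line) and current:
            steps.append(current)
            current = []
        current.append(line)
    if current:
        steps.append(current)
    return steps


def audit_workflow(workflow_text):
    """Return a list of (finding, detail) tuples for the workflow text."""
    findings = []
    for step in split_steps(workflow_text):
        uses = next((m.group(1) for m in map(USES_RE.match, step) if m), None)
        if uses is None:
            continue  # 'run:' steps and non-step lines carry no action ref
        action, _, ref = uses.partition("@")
        if not SHA_RE.match(ref):
            findings.append(("unpinned-action", uses))
        if action == "actions/setup-node":
            # Any package-manager cache on setup-node is reported, because a
            # poisoned cache entry is restored before the firewall sees it.
            for m in map(CACHE_RE.match, step):
                if m:
                    findings.append(("setup-node-cache", m.group(1)))
    return findings


# Constructed "before" snippet: tag-pinned actions plus a pnpm cache.
BEFORE = """
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v5
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: 'pnpm'
      - run: pnpm install
"""

# Placeholder SHA for illustration only; use the real commit when pinning.
PLACEHOLDER_SHA = "0" * 40

# Constructed "after" snippet in the shape the PR describes: SHA-pinned
# socket-registry setup action, no pnpm/action-setup, no setup-node cache.
AFTER = f"""
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA}
      - uses: SocketDev/socket-registry/.github/actions/setup@{PLACEHOLDER_SHA}
        with:
          node-version: 22
      - run: pnpm install
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_workflow(text))
```

Run against a real workflow with `audit_workflow(open(".github/workflows/ci.yml").read())`; an empty result means every action is SHA-pinned and no setup-node step restores a pnpm cache. The check deliberately treats any non-SHA ref as unpinned, so a branch ref like `@main` is reported as well.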