fix(setup-action): set SFW_UNKNOWN_HOST_ACTION=ignore in generated shims

jdalton · jdalton · commit d511098453bf · 2026-05-18T16:58:20.000-04:00
sfw-enterprise's built-in default for unknownHostAction is 'block' —
which rejects every host outside the registries[] allowlist, breaking
dev/CI workflows that hit api.anthropic.com, github.com, telemetry
endpoints, etc. sfw-free hardcodes 'ignore' internally and ignores the
env var, so setting it unconditionally is safe — free mode is a no-op,
enterprise picks it up.

The host allowlist (registries[]) is still required — it's what gets
ACTIVELY SCORED by Socket. unknownHostAction only changes the default
for non-allowlisted hosts from "block" to "pass through unscored."

Covers both bash and Windows .cmd shim variants. Source-of-truth check:
firewall/src/lib/firewall/connect.ts handleConnect.

Sibling change in socket-wheelhouse template/docs/references/sfw-local-
install.md updates the local-install doc to instruct users to add the
same export when hand-rolling their regenerate-shims.sh.
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
@@ -327,12 +327,22 @@ runs:
           REAL="$(PATH="$CLEAN_PATH" command -v "$CMD" 2>/dev/null || true)"
           if [ -n "$REAL" ]; then
             REAL="$(msys_to_win_path "$REAL")"
+            # SFW_UNKNOWN_HOST_ACTION=ignore: only sfw-enterprise reads this
+            # env var (sfw-free hardcodes 'ignore' internally). Enterprise's
+            # built-in default is 'block', which fails dev workflows that hit
+            # hosts outside the registries[] allowlist (Anthropic API, GitHub
+            # clones, telemetry, etc.). Setting 'ignore' lets non-allowlisted
+            # traffic pass unscored while still scanning the registries we
+            # care about. Free mode ignores the var, so we set it
+            # unconditionally — no branching needed. See
+            # firewall/src/lib/firewall/connect.ts.
             SHIM_LINES=('#!/bin/bash' "export PATH=\"\$(echo \"\$PATH\" | tr ':' '\n' | grep -vxF '${SHIM_DIR}' | paste -sd: -)\"")
+            SHIM_LINES+=('export SFW_UNKNOWN_HOST_ACTION=ignore')
             SHIM_LINES+=("exec \"${SFW_BIN}\" \"${REAL}\" \"\$@\"")
             printf '%s\n' "${SHIM_LINES[@]}" > "$SHIM_DIR/$CMD"
             chmod +x "$SHIM_DIR/$CMD"
             if $IS_WINDOWS; then
-              printf '@echo off\r\nset "PATH=;%%PATH%%;"\r\nset "PATH=%%PATH:;%s;=;%%"\r\nset "PATH=%%PATH:~1,-1%%"\r\n"%s" "%s" %%*\r\n' \
+              printf '@echo off\r\nset "PATH=;%%PATH%%;"\r\nset "PATH=%%PATH:;%s;=;%%"\r\nset "PATH=%%PATH:~1,-1%%"\r\nset "SFW_UNKNOWN_HOST_ACTION=ignore"\r\n"%s" "%s" %%*\r\n' \
                 "$SHIM_DIR" "$SFW_BIN" "$REAL" > "$SHIM_DIR/$CMD.cmd"
             fi
           else
