socket-sdk-python/.github/workflows/dependency-review.yml at 37d06add8d2ede23f84c34782c2d5a96911e6d63 · SocketDev/socket-sdk-python · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
name: dependency-review

# Supply-chain guardrails for dependency-update PRs -- for BOTH Dependabot
# and maintainers. Inspects the changed files, then runs a Socket Firewall
# (sfw) install smoke job for Python dependency changes, picking the firewall
# edition per-PR:
#
#   - Trusted SocketDev members on an in-repo (non-fork) PR, when the
#     SOCKET_API_TOKEN secret is present -> Socket Firewall ENTERPRISE
#     (authenticated, full org-policy enforcement).
#   - Everything else -- Dependabot, forks, external contributors, or a
#     missing token -> Socket Firewall FREE (anonymous, no API token), which
#     is safe in the unprivileged `pull_request` context.
#
# The mode is computed in `inspect` and degrades to free whenever the token is
# absent (e.g. before it has been added to the repo/org, or on fork PRs where
# GitHub withholds secrets), so this workflow is safe to ship as-is and starts
# using the enterprise edition automatically once the secret exists.
#
# Pattern adapted from SocketDev/socket-python-cli.

on:
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]

permissions:
  contents: read

concurrency:
  group: dependency-review-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  inspect:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    outputs:
      python_deps_changed: ${{ steps.diff.outputs.python_deps_changed }}
      workflow_or_action_changed: ${{ steps.diff.outputs.workflow_or_action_changed }}
      sfw_mode: ${{ steps.mode.outputs.sfw_mode }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Inspect changed files
        id: diff
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          CHANGED_FILES="$(git diff --name-only "$BASE_SHA" "$HEAD_SHA")"

          {
            echo "## Changed files"
            echo '```'
            printf '%s\n' "$CHANGED_FILES"
            echo '```'
          } >> "$GITHUB_STEP_SUMMARY"

          has_file() {
            local pattern="$1"
            if printf '%s\n' "$CHANGED_FILES" | grep -Eq "$pattern"; then
              echo "true"
            else
              echo "false"
            fi
          }

          {
            echo "python_deps_changed=$(has_file '^(pyproject\.toml|uv\.lock)$')"
            echo "workflow_or_action_changed=$(has_file '^\.github/workflows/|^\.github/actions/|^\.github/dependabot\.yml$')"
          } >> "$GITHUB_OUTPUT"

      - name: Determine Socket Firewall mode
        id: mode
        env:
          IS_DEPENDABOT: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
          IS_FORK: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
          AUTHOR_ASSOC: ${{ github.event.pull_request.author_association }}
          # Empty for fork PRs (secrets withheld) and until the secret is added.
          SOCKET_API_TOKEN: ${{ secrets.SOCKET_API_TOKEN }}
        run: |
          mode=firewall-free
          # Enterprise only for a trusted SocketDev member (OWNER/MEMBER) or
          # repo collaborator on an in-repo PR, and only when the token is
          # actually present. Anything else falls back to the free edition.
          if [ "$IS_DEPENDABOT" != "true" ] \
             && [ "$IS_FORK" != "true" ] \
             && [ -n "$SOCKET_API_TOKEN" ] \
             && printf '%s' "$AUTHOR_ASSOC" | grep -qE '^(OWNER|MEMBER|COLLABORATOR)$'; then
            mode=firewall-enterprise
          fi

          echo "sfw_mode=$mode" >> "$GITHUB_OUTPUT"
          {
            echo "## Socket Firewall mode: \`$mode\`"
            echo "- author_association: \`$AUTHOR_ASSOC\`"
            echo "- dependabot: \`$IS_DEPENDABOT\` | fork: \`$IS_FORK\`"
          } >> "$GITHUB_STEP_SUMMARY"

      - name: Summarize review expectations
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: |
          {
            echo "## Dependency Review Checklist"
            echo "- PR: $PR_URL"
            echo "- Confirm upstream release notes before merge"
            echo "- Do not treat a dependency PR as trusted solely because of the actor"
            echo "- This workflow runs in pull_request context only; no publish secrets are exposed"
          } >> "$GITHUB_STEP_SUMMARY"

  python-sfw-smoke:
    needs: inspect
    if: needs.inspect.outputs.python_deps_changed == 'true'
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 1
          persist-credentials: false

      - uses: ./.github/actions/setup-sfw
        with:
          uv: "true"
          mode: ${{ needs.inspect.outputs.sfw_mode }}
          socket-token: ${{ secrets.SOCKET_API_TOKEN }}

      - name: Sync project through Socket Firewall
        # `sfw uv sync` is the intended way to route uv through Socket Firewall
        # (per Socket's own uv wrapper guidance). --locked verifies the exact
        # uv.lock set and fails on lockfile drift rather than silently
        # re-resolving, so the firewall inspects precisely what would install.
        # Note: uv's sfw integration is quieter than npm/pip -- it does not
        # print the "N packages fetched" footer, but interception is active.
        #
        # Use the runner's setup-python interpreter and forbid managed-Python
        # downloads: .python-version pins an exact patch (3.12.7) that uv would
        # otherwise fetch from GitHub, which the firewall's TLS interception
        # blocks. The firewall is here to vet PyPI installs, not the toolchain.
        env:
          UV_PYTHON: "3.12"
          UV_PYTHON_DOWNLOADS: never
        run: sfw uv sync --locked --extra test --extra dev

      - name: Import smoke test
        run: |
          uv run python -c "
          import socketdev
          from socketdev import socketdev as SocketDevClient
          from socketdev.core.api import API
          from socketdev.version import __version__
          print('import smoke OK', __version__)
          "

  workflow-notice:
    needs: inspect
    if: needs.inspect.outputs.workflow_or_action_changed == 'true'
    runs-on: ubuntu-latest
    timeout-minutes: 2
    steps:
      - name: Flag workflow-sensitive updates
        run: |
          {
            echo "## Sensitive File Notice"
            echo "This PR changes workflow, composite-action, or dependabot config files."
            echo "Require explicit human review before merge."
          } >> "$GITHUB_STEP_SUMMARY"