-
Notifications
You must be signed in to change notification settings - Fork 3
198 lines (177 loc) · 7.34 KB
/
Copy pathdependency-review.yml
File metadata and controls
198 lines (177 loc) · 7.34 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
name: dependency-review
# Supply-chain guardrails for dependency-update PRs -- for BOTH Dependabot
# and maintainers. `inspect` classifies the PR, then exactly one Socket
# Firewall (sfw) install smoke job runs when Python deps change:
#
# - python-sfw-smoke-enterprise -- trusted SocketDev org members
# (author_association OWNER/MEMBER) on an in-repo (non-fork) PR. Runs the
# authenticated enterprise edition for full org-policy enforcement. The
# SOCKET_SFW_API_TOKEN is scoped to the `socket-firewall` environment, so
# it is the ONLY job that can read the token.
# - python-sfw-smoke-free -- everyone else (Dependabot, forks, outside
# collaborators, external contributors). Anonymous free edition, no token.
# This job never references the secret.
#
# Splitting the jobs (rather than picking a mode in one job) keeps the token
# out of scope on every untrusted run and satisfies zizmor's
# `secrets-outside-env` audit without suppressing it. The free path runs in
# the unprivileged `pull_request` context with no secret-leak surface.
#
# Pattern adapted from SocketDev/socket-python-cli.
on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
permissions:
contents: read
concurrency:
group: dependency-review-${{ github.event.pull_request.number }}
cancel-in-progress: true
jobs:
inspect:
runs-on: ubuntu-latest
timeout-minutes: 5
outputs:
python_deps_changed: ${{ steps.diff.outputs.python_deps_changed }}
workflow_or_action_changed: ${{ steps.diff.outputs.workflow_or_action_changed }}
is_trusted: ${{ steps.trust.outputs.is_trusted }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false
- name: Inspect changed files
id: diff
env:
BASE_SHA: ${{ github.event.pull_request.base.sha }}
HEAD_SHA: ${{ github.event.pull_request.head.sha }}
run: |
CHANGED_FILES="$(git diff --name-only "$BASE_SHA" "$HEAD_SHA")"
{
echo "## Changed files"
echo '```'
printf '%s\n' "$CHANGED_FILES"
echo '```'
} >> "$GITHUB_STEP_SUMMARY"
has_file() {
local pattern="$1"
if printf '%s\n' "$CHANGED_FILES" | grep -Eq "$pattern"; then
echo "true"
else
echo "false"
fi
}
{
echo "python_deps_changed=$(has_file '^(pyproject\.toml|uv\.lock)$')"
echo "workflow_or_action_changed=$(has_file '^\.github/workflows/|^\.github/actions/|^\.github/dependabot\.yml$')"
} >> "$GITHUB_OUTPUT"
- name: Classify PR trust
id: trust
# Trusted == a SocketDev org member (OWNER/MEMBER) on an in-repo
# (non-fork) PR. Note this references NO secret -- it only decides which
# smoke job runs; the token stays scoped to the enterprise job.
env:
IS_DEPENDABOT: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
IS_FORK: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
AUTHOR_ASSOC: ${{ github.event.pull_request.author_association }}
run: |
is_trusted=false
if [ "$IS_DEPENDABOT" != "true" ] \
&& [ "$IS_FORK" != "true" ] \
&& printf '%s' "$AUTHOR_ASSOC" | grep -qE '^(OWNER|MEMBER)$'; then
is_trusted=true
fi
echo "is_trusted=$is_trusted" >> "$GITHUB_OUTPUT"
{
echo "## Socket Firewall edition: \`$([ "$is_trusted" = true ] && echo enterprise || echo free)\`"
echo "- author_association: \`$AUTHOR_ASSOC\`"
echo "- dependabot: \`$IS_DEPENDABOT\` | fork: \`$IS_FORK\`"
} >> "$GITHUB_STEP_SUMMARY"
- name: Summarize review expectations
env:
PR_URL: ${{ github.event.pull_request.html_url }}
run: |
{
echo "## Dependency Review Checklist"
echo "- PR: $PR_URL"
echo "- Confirm upstream release notes before merge"
echo "- Do not treat a dependency PR as trusted solely because of the actor"
echo "- This workflow runs in pull_request context only; no publish secrets are exposed"
} >> "$GITHUB_STEP_SUMMARY"
# Untrusted PRs (Dependabot, forks, outside collaborators, externals):
# anonymous free edition. Never references the token.
python-sfw-smoke-free:
needs: inspect
if: needs.inspect.outputs.python_deps_changed == 'true' && needs.inspect.outputs.is_trusted != 'true'
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1
persist-credentials: false
- uses: ./.github/actions/setup-sfw
with:
uv: "true"
mode: firewall-free
- name: Sync project through Socket Firewall (free)
env:
UV_PYTHON: "3.12"
UV_PYTHON_DOWNLOADS: never
run: sfw uv sync --locked --extra test --extra dev
- name: Import smoke test
run: |
uv run python -c "
import socketdev
from socketdev import socketdev as SocketDevClient
from socketdev.core.api import API
from socketdev.version import __version__
print('import smoke OK', __version__)
"
# Trusted SocketDev members: authenticated enterprise edition. The token is
# scoped to the `socket-firewall` environment, so only this job can read it.
python-sfw-smoke-enterprise:
needs: inspect
if: needs.inspect.outputs.python_deps_changed == 'true' && needs.inspect.outputs.is_trusted == 'true'
runs-on: ubuntu-latest
timeout-minutes: 15
environment: socket-firewall
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1
persist-credentials: false
- uses: ./.github/actions/setup-sfw
with:
uv: "true"
mode: firewall-enterprise
socket-token: ${{ secrets.SOCKET_SFW_API_TOKEN }}
- name: Sync project through Socket Firewall (enterprise)
# See free job for the UV_PYTHON rationale: .python-version pins an
# exact patch that uv would otherwise fetch from GitHub through the
# firewall (blocked by its TLS interception); use the runner's Python.
env:
UV_PYTHON: "3.12"
UV_PYTHON_DOWNLOADS: never
run: sfw uv sync --locked --extra test --extra dev
- name: Import smoke test
run: |
uv run python -c "
import socketdev
from socketdev import socketdev as SocketDevClient
from socketdev.core.api import API
from socketdev.version import __version__
print('import smoke OK', __version__)
"
workflow-notice:
needs: inspect
if: needs.inspect.outputs.workflow_or_action_changed == 'true'
runs-on: ubuntu-latest
timeout-minutes: 2
steps:
- name: Flag workflow-sensitive updates
run: |
{
echo "## Sensitive File Notice"
echo "This PR changes workflow, composite-action, or dependabot config files."
echo "Require explicit human review before merge."
} >> "$GITHUB_STEP_SUMMARY"