ENG-9212: integration socket.dev in OSS integration tests (#6280)

masenf · web-flow · commit 57b30bc145db · 2026-04-07T09:45:27.000-07:00
* ENG-9212: integration socket.dev in OSS integration tests * don't pass git+https dependencies through sfw * greptile feedback * handle git+https wheels earlier in the process * simplify git+https install * Revert pyi_hashes.json change This reverts commit 88d0a0e. * Make the bun/npm sfw shim more focused * Add local `sfw-shims` for adding sfw-enabled bun/npm to PATH * consolidate sfw wrapper logic * reference upstream issue * setup bun for integration_tests the sfw shims are expecting bun to exist * install bun before setting up shims * exclude reflex-dev/reflex repo
diff --git a/.github/workflows/integration_tests.yml b/.github/workflows/integration_tests.yml
@@ -117,10 +117,52 @@ jobs:
         with:
           fetch-tags: true
           fetch-depth: 0
-      - uses: ./.github/actions/setup_build_env
+
+      # Install sfw BEFORE any dependency installation so all packages are scanned.
+      - name: Install Socket.dev Firewall (free)
+        uses: SocketDev/action@2d3f25590c6ed6ba11a9a14c064d962a3a04698f # v1.3.1
+        with:
+          mode: firewall-free
+
+      - name: Install Bun
+        uses: oven-sh/setup-bun@v2
+      - name: Activate sfw shims for npm and bun
+        run: |
+          SHIM_DIR="$(cd scripts/sfw-shims && pwd)"
+          echo "$SHIM_DIR" >> "$GITHUB_PATH"
+          echo "REFLEX_USE_SYSTEM_BUN=1" >> "$GITHUB_ENV"
+
+      # Inline setup_build_env steps so all installs go through sfw.
+      - name: Install UV
+        uses: astral-sh/setup-uv@v6
         with:
           python-version: ${{ matrix.python-version }}
-          run-uv-sync: true
+          enable-cache: true
+          prune-cache: false
+          activate-environment: true
+          cache-dependency-glob: "uv.lock"
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+
+      # Build git+https deps as wheels outside sfw (avoids sfw MITM cert issues
+      # with git), then install everything else through sfw for scanning.
+      # TODO: revisit when https://github.com/SocketDev/sfw-free/issues/30 is resolved.
+      - name: Pre-install git dependencies (outside sfw)
+        run: |
+          # Install git+https deps directly without sfw to avoid MITM cert issues.
+          # Their transitive registry deps will still be scanned by sfw uv sync.
+          grep -oP 'git\+https://[^"]+' uv.lock | sort -u > "$RUNNER_TEMP/git-deps.txt" || true
+          if [ -s "$RUNNER_TEMP/git-deps.txt" ]; then
+            echo "Installing git dependencies:"
+            cat "$RUNNER_TEMP/git-deps.txt"
+            uv pip install --no-deps -r "$RUNNER_TEMP/git-deps.txt"
+          else
+            echo "No git dependencies found."
+          fi
+      - name: Install Dependencies (scanned by Socket.dev)
+        run: sfw uv sync
 
       - name: Clone Reflex Website Repo
         uses: actions/checkout@v4
@@ -130,25 +172,45 @@ jobs:
           path: reflex-web
           submodules: recursive
 
-      - name: Compile pyproject.toml into requirements.txt
+      # TODO: revisit when https://github.com/SocketDev/sfw-free/issues/30 is resolved.
+      - name: Pre-install reflex-web git dependencies (outside sfw)
         working-directory: ./reflex-web
         run: |
-          uv pip compile pyproject.toml --no-annotate --no-header --no-deps --output-file requirements.txt
+          # Install git+https deps from pyproject.toml before pip compile resolves them.
+          # Exclude reflex itself — the PR version is already installed.
+          grep -oP 'git\+https://[^"'"'"']+' pyproject.toml | grep -v 'reflex-dev/reflex\.git' | sort -u > git-requirements.txt || true
+          if [ -s git-requirements.txt ]; then
+            echo "Installing git dependencies:"
+            cat git-requirements.txt
+            uv pip install --no-deps -r git-requirements.txt
+          fi
+      - name: Compile and install reflex-web requirements (scanned by Socket.dev)
+        working-directory: ./reflex-web
+        run: |
+          sfw uv pip compile pyproject.toml --no-annotate --no-header --no-deps --output-file requirements.txt
           uv pip list --format=json | jq -r '"^" + .[].name + "[ =]"' > installed_patterns.txt
           grep -ivf installed_patterns.txt requirements.txt > requirements.txt.tmp && mv requirements.txt.tmp requirements.txt
           rm installed_patterns.txt
-      - name: Install Requirements for reflex-web
-        working-directory: ./reflex-web
-        run: uv pip install -r requirements.txt
+          if [ -s requirements.txt ]; then
+            sfw uv pip install -r requirements.txt
+          fi
       - name: Init Website for reflex-web
         working-directory: ./reflex-web
         run: uv run --active --no-sync reflex init
       - name: Run Website and Check for errors
         run: |
-          # Check that npm is home
-          npm -v
+          # Verify sfw wrappers are on PATH
+          which npm && npm -v
           uv run --active --no-sync bash scripts/integration.sh ./reflex-web prod
 
+      - name: Upload Socket.dev Firewall report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: sfw-report-reflex-web-py${{ matrix.python-version }}
+          path: ${{ env.SFW_JSON_REPORT_PATH }}
+          if-no-files-found: warn
+
   rx-shout-from-template:
     strategy:
       fail-fast: false
diff --git a/scripts/sfw-shims/activate.sh b/scripts/sfw-shims/activate.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+# Source this file to route npm/bun through Socket.dev Firewall (sfw).
+# Usage: source scripts/sfw-shims/activate.sh
+SHIM_DIR="$(cd "$(dirname "${BASH_SOURCE[0]:-${(%):-%x}}")" && pwd)"
+export PATH="$SHIM_DIR:$PATH"
+export REFLEX_USE_SYSTEM_BUN=1
+echo "sfw shims activated (npm=$(which npm), bun=$(which bun))"
diff --git a/scripts/sfw-shims/bun b/scripts/sfw-shims/bun
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+# Remove this shim's directory from PATH so we find the real bun
+SHIM_DIR="$(cd "$(dirname "$0")" && pwd)"
+export PATH="${PATH//$SHIM_DIR:/}"
+export PATH="${PATH//:$SHIM_DIR/}"
+
+# Use sfw directly if available, otherwise fall back to npx sfw
+if command -v sfw >/dev/null 2>&1; then
+  SFW=sfw
+else
+  SFW="npx sfw"
+fi
+
+# Only route registry-touching commands through sfw
+case "${1-}" in
+  install|add|update|pm)
+    exec $SFW bun "$@" ;;
+  *)
+    exec bun "$@" ;;
+esac
diff --git a/scripts/sfw-shims/npm b/scripts/sfw-shims/npm
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+# Remove this shim's directory from PATH so we find the real npm
+SHIM_DIR="$(cd "$(dirname "$0")" && pwd)"
+export PATH="${PATH//$SHIM_DIR:/}"
+export PATH="${PATH//:$SHIM_DIR/}"
+
+# Use sfw directly if available, otherwise fall back to npx sfw
+if command -v sfw >/dev/null 2>&1; then
+  SFW=sfw
+else
+  SFW="npx sfw"
+fi
+
+# Only route registry-touching commands through sfw
+case "${1-}" in
+  install|ci|update|audit|pack|publish|fund|outdated)
+    exec $SFW npm "$@" ;;
+  *)
+    exec npm "$@" ;;
+esac
