fix(ci): inline CI setup, add Node 24 support, harden workflows #1176
Merged
John-David Dalton (jdalton) merged 10 commits into v1.x from Apr 8, 2026
Previously our CI workflows depended on a shared composite action from the socket-registry repo (setup-and-install). That action was pinned to an October 2025 SHA that predated Node 24 support, and updating it meant tracking SHA cascades across multiple layers of nested actions.

This commit replaces that dependency by inlining every setup step directly into each workflow file. Now each workflow is self-contained and easy to read top-to-bottom:

1. actions/checkout — clone the repo
2. pnpm/action-setup — install pnpm (version from package.json)
3. actions/setup-node — install the right Node.js version
4. Download sfw-free — fetch the Socket Firewall binary
5. Create sfw shims — wrap npm/yarn/pnpm through the firewall
6. pnpm install — install dependencies (through the firewall)

All three actions are pinned to full commit SHAs (not version tags) so the exact code that runs is deterministic and auditable.

Binary downloads (sfw-free v1.6.1) are verified against SHA-256 checksums baked into the workflow. If someone tampers with a release asset, CI will fail immediately instead of running untrusted code.

The sfw shim scripts handle both Linux/macOS and Windows:

- On Windows, MSYS-style paths (/c/Users/...) are converted to native format (C:\Users\...) so sfw-free can resolve them correctly.
- .cmd wrapper files are generated alongside bash shims for Windows.
- Each shim strips its own directory from PATH before exec to prevent infinite recursion (shim calling itself instead of the real binary).

Other changes:

- Node 24 is now tested in the CI matrix alongside Node 20 and 22. Provenance publishes with Node 24.
- The lint job now runs zizmor (a GitHub Actions security auditor) on every push/PR. It downloads a pinned, checksum-verified native binary — no Docker, Python, or pip needed. It scans .github/ for template injection, unpinned actions, cache poisoning, and other issues.
- Removed three dead workflow files that referenced shared workflows which no longer exist upstream: claude-auto-review.yml, claude.yml, and socket-auto-pr.yml.
- Fixed template injection in provenance.yml: inputs.dist-tag was interpolated directly into run blocks (attackable via workflow dispatch). Now passed through an environment variable instead.
- Removed the push/tag trigger from e2e-tests.yml to eliminate a cache-poisoning vector flagged by zizmor (PR + tag triggers combined with action caching).
- Removed the old npm install -g npm@latest hack from provenance.yml since Node 24 ships with a modern npm.
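The shim behaviour described in the commit message above (MSYS path conversion, and a shim that removes its own directory from PATH before exec), as an added example that is not taken from the PR's workflow files. The helper names, the `SFW_BIN` variable and the `sfw <tool> <args>` call shape are assumptions made for this sketch.

```shell
#!/bin/sh
# Added illustration; helper names, SFW_BIN and the "sfw <tool> <args>" call
# shape are assumptions, not taken from the workflow files.

# Convert an MSYS-style path (/c/Users/ci) to native Windows form (C:\Users\ci).
# Paths that do not start with a single drive letter pass through unchanged.
msys_to_native() {
  case "$1" in
    /[a-zA-Z]/*)
      drive=$(printf '%s' "$1" | cut -c2 | tr 'a-z' 'A-Z')
      rest=$(printf '%s' "$1" | cut -c3- | tr '/' '\\')
      printf '%s:%s\n' "$drive" "$rest" ;;
    *) printf '%s\n' "$1" ;;
  esac
}

# Write a shim for tool $2 (npm, yarn, pnpm) into directory $1.
write_shim() {
  mkdir -p "$1"
  cat > "$1/$2" <<'EOF'
#!/bin/sh
self_dir=$(cd "$(dirname "$0")" && pwd)
tool=$(basename "$0")
# Rebuild PATH without this shim's directory, so that the firewall's lookup
# of "$tool" finds the real binary instead of re-entering the shim.
clean=""
IFS=:
for entry in $PATH; do
  [ "$entry" = "$self_dir" ] || clean="${clean:+$clean:}$entry"
done
unset IFS
PATH=$clean
export PATH
exec "$SFW_BIN" "$tool" "$@"
EOF
  chmod +x "$1/$2"
}
```

The comparison is a plain string match, so the shim directory has to be placed on PATH in the same canonical form that `cd ... && pwd` reports; a trailing slash or an unresolved relative entry would defeat the stripping.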
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
Replace the pnpm/action-setup third-party action with a direct download of the pnpm standalone binary from GitHub releases, matching the same pattern used for sfw-free and zizmor. The pnpm binary (v10.33.0) is downloaded, checksum-verified against a SHA-256 hash, and symlinked as "pnpm" on PATH. This removes the last third-party action dependency beyond actions/checkout and actions/setup-node.
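The checksum-verified install pattern that this commit message and the first one describe for pnpm, sfw-free and zizmor, as an added example that is not the PR's own workflow code. The function names and arguments are hypothetical, and the download itself is left out so the sketch runs offline on any local file.

```shell
#!/bin/sh
# Added illustration; function names and arguments are hypothetical.

# Print the lowercase hex SHA-256 of file $1 (GNU coreutils or macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# $1 = downloaded file, $2 = pinned SHA-256, $3 = bin directory, $4 = command name
install_verified() {
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  # Fail closed on an empty or malformed pin: an unset variable must never
  # compare equal to the empty hash of a failed download.
  if [ "${#expected}" -ne 64 ] || printf '%s' "$expected" | grep -q '[^0-9a-f]'; then
    echo "refusing to install $4: pinned checksum is not 64 hex characters" >&2
    return 1
  fi
  actual=$(sha256_of "$1")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $1: expected $expected, got $actual" >&2
    rm -f "$1"   # do not leave an unverified binary on the runner
    return 1
  fi
  chmod +x "$1"  # executable bit is set only after verification
  mkdir -p "$3"
  ln -sf "$1" "$3/$4"
}
```

In a workflow step the first argument would be the file just fetched from the release page, and the step fails as soon as `install_verified` returns non-zero.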
Aligns socket-cli with all other Socket repos which already declare packageManager in package.json. This lets corepack and tooling auto-detect the correct pnpm version.
Zizmor exits 13 for warnings-only and 14 for errors. The secrets-outside-env warnings are expected (requires GitHub environment configuration) so we allow exit code 13 while still failing on actual errors.
Bill Li (billxinli) approved these changes on Apr 8, 2026
Summary

Our CI workflows used to call a shared composite action (SocketDev/socket-registry/.github/actions/setup-and-install) that was pinned to an old SHA from October 2025 — before Node 24 even existed. Updating it meant chasing SHA cascades across multiple layers of nested actions in another repo.

This PR removes that external dependency entirely. Each workflow now has its setup steps inlined so you can read it top-to-bottom and understand exactly what runs:

- npm/yarn/pnpm through the firewall
- pnpm install

What changed

- pnpm/action-setup third-party action with a direct download of the pnpm standalone binary from GitHub releases. Same checksum-verified pattern as sfw-free and zizmor.
- inputs.dist-tag in provenance.yml was directly interpolated in run: blocks, which is a code injection vector. Now passed safely through an env var.
- push + tags: ['*'] trigger from e2e-tests.yml. Combining tag triggers with action caching is a known attack vector.
- .cmd wrappers. Anti-recursion logic strips the shim directory from PATH before exec.
- claude-auto-review.yml, claude.yml, and socket-auto-pr.yml which referenced shared workflows that no longer exist.
- npm install -g npm@latest in provenance.yml is no longer needed since Node 24 ships with modern npm.
- packageManager field — pnpm@10.33.0 in package.json, matching all other Socket repos.

Action SHAs pinned

- actions/checkout: de0fac2e4500dabe0009e67214ff5f5447ce83dd
- actions/setup-node: 53b83947a5a98c8d113130e565377fae1a50d02f

Binary checksums (SHA-256)
pnpm v10.33.0
sfw-free v1.6.1
zizmor v1.23.1

Test plan