From 5bde67f47f82b19b95c6cd9b34d5764ecdc25f71 Mon Sep 17 00:00:00 2001 From: lelia <2418071+lelia@users.noreply.github.com> Date: Fri, 29 May 2026 18:50:44 -0400 Subject: [PATCH 01/10] ci: skip PR Preview and Version Check on Dependabot PRs Both workflows failed on every Dependabot PR for reasons that don't apply to dependency bumps: - PR Preview publishes a dev build to Test PyPI + Docker Hub. On a dependency bump there's no version change, so the publish 400s ("File already exists") -- and it needs publish secrets a Dependabot PR shouldn't carry anyway. - Version Check requires an incremented app version, but Dependabot PRs touch uv.lock / pyproject.toml without bumping socketsecurity's version, so the check always fails. Add a job-level `if` to skip each on `dependabot[bot]`-authored PRs (same pattern already used for e2e-test.yml). Job-level skips report as "skipped" rather than blocking, and these stay required for human-authored PRs. Follow-up to #207 (the Dependabot review hardening), addressing fallout observed once that config went live on real Dependabot PRs. Signed-off-by: lelia <2418071+lelia@users.noreply.github.com> --- .github/workflows/pr-preview.yml | 8 +++++++- .github/workflows/version-check.yml | 4 ++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pr-preview.yml b/.github/workflows/pr-preview.yml index 1d7115a..ef47ea0 100644 --- a/.github/workflows/pr-preview.yml +++ b/.github/workflows/pr-preview.yml @@ -5,7 +5,13 @@ on: jobs: preview: - if: github.event.pull_request.head.repo.full_name == github.repository + # Skip on: + # - PRs from forks (no access to publish secrets) + # - Dependabot PRs: preview-publishing a dependency bump to Test PyPI / + # Docker Hub is pointless and fails (no version bump, secret access). + if: >- + github.event.pull_request.head.repo.full_name == github.repository && + github.event.pull_request.user.login != 'dependabot[bot]' runs-on: ubuntu-latest permissions: id-token: write 
diff --git a/.github/workflows/version-check.yml b/.github/workflows/version-check.yml index 1eefa27..dc50819 100644 --- a/.github/workflows/version-check.yml +++ b/.github/workflows/version-check.yml @@ -14,6 +14,10 @@ permissions: jobs: check_version: + # Skip on Dependabot PRs: they bump dependencies (touching uv.lock / + # pyproject.toml) without bumping the app version, so the increment check + # would always fail. App-version bumps come from maintainer PRs. + if: github.event.pull_request.user.login != 'dependabot[bot]' runs-on: ubuntu-latest steps: - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 From cfd5f475b14956c0e7518cc15287611e4cfbe230 Mon Sep 17 00:00:00 2001 From: lelia <2418071+lelia@users.noreply.github.com> Date: Fri, 29 May 2026 19:06:32 -0400 Subject: [PATCH 02/10] ci: pin sfw uv sync to the locked dependency set on Dependabot review `sfw uv sync` is the intended way to route uv through Socket Firewall (per Socket's own uv-wrapper guidance), so the python-sfw-smoke job was already exercising the firewall -- uv's integration is just quieter than npm/pip (no "N packages fetched" footer), which made it look like a no-op. Add `--locked` so the check verifies the exact uv.lock set and fails on lockfile drift instead of silently re-resolving to newer versions than the PR locked. This makes the firewall inspect precisely what would be installed and aligns with the deterministic-verification guidance for uv-based repos. Signed-off-by: lelia <2418071+lelia@users.noreply.github.com> --- .github/workflows/dependabot-review.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/dependabot-review.yml b/.github/workflows/dependabot-review.yml index 486ccb3..069c9d0 100644 --- a/.github/workflows/dependabot-review.yml +++ b/.github/workflows/dependabot-review.yml 
@@ -109,7 +109,13 @@ jobs: run: python -m pip install --upgrade pip uv - name: Sync project through Socket Firewall - run: sfw uv sync --extra test --extra dev + # `sfw uv sync` is the intended way to route uv through Socket Firewall + # (per Socket's own uv wrapper guidance). --locked verifies the exact + # uv.lock set and fails on lockfile drift rather than silently + # re-resolving, so the firewall inspects precisely what would install. + # Note: uv's sfw integration is quieter than npm/pip -- it does not + # print the "N packages fetched" footer, but interception is active. + run: sfw uv sync --locked --extra test --extra dev - name: Import smoke test run: | From c2bc561130cb9c3025b23f72dd131e204c83aa38 Mon Sep 17 00:00:00 2001 From: lelia <2418071+lelia@users.noreply.github.com> Date: Fri, 29 May 2026 19:09:40 -0400 Subject: [PATCH 03/10] ci: use official socketdev/action for Socket Firewall setup Replace the hand-rolled `npm install -g sfw` in all three sfw smoke jobs with the official setup action (socketdev/action@v1.3.2, mode: firewall-free). Why: - It's the documented GitHub Actions integration for Socket Firewall Free and wires up sfw routing correctly, rather than relying on an ad-hoc global npm install. This is the right mitigation for the class of Wrapper-Mode routing gaps where sfw can fail to proxy fetches from files.pythonhosted.org (tracked upstream as ENG-4871) -- exactly the "no interception" symptom that made the python job look like a no-op. - The Python jobs no longer need actions/setup-node at all (the action provides sfw directly), so those steps are dropped; the npm fixture job keeps setup-node since `npm install` needs it. Setup mode is firewall-free (anonymous, no API token) -- unchanged, and the reason this is safe to run on Dependabot/untrusted PRs. Our setup is Wrapper Mode + free edition + no CodeArtifact, so the Registry Mode + CodeArtifact `uv sync`/`uv lock` issue (CE-171) does not apply. 
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com> --- .github/workflows/dependabot-review.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/dependabot-review.yml b/.github/workflows/dependabot-review.yml index 069c9d0..55b42dd 100644 --- a/.github/workflows/dependabot-review.yml +++ b/.github/workflows/dependabot-review.yml @@ -98,12 +98,12 @@ jobs: with: python-version: "3.12" - - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af + # Official Socket setup action (free edition). Installs sfw and wires up + # routing correctly -- preferred over a hand-rolled `npm install -g sfw`. + - name: Set up Socket Firewall (free) + uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2 with: - node-version: "20" - - - name: Install Socket Firewall - run: npm install -g sfw + mode: firewall-free - name: Install uv run: python -m pip install --upgrade pip uv @@ -145,8 +145,10 @@ jobs: with: node-version: "20" - - name: Install Socket Firewall - run: npm install -g sfw + - name: Set up Socket Firewall (free) + uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2 + with: + mode: firewall-free - name: Install fixture through Socket Firewall working-directory: tests/e2e/fixtures/simple-npm @@ -167,12 +169,10 @@ jobs: with: python-version: "3.12" - - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af + - name: Set up Socket Firewall (free) + uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2 with: - node-version: "20" - - - name: Install Socket Firewall - run: npm install -g sfw + mode: firewall-free - name: Install fixture through Socket Firewall working-directory: tests/e2e/fixtures/simple-pypi From 728bb15b1ff624e1c0758a5d4fdf7753b5478a42 Mon Sep 17 00:00:00 2001 
From: lelia <2418071+lelia@users.noreply.github.com> Date: Sat, 30 May 2026 18:38:52 -0400 Subject: [PATCH 04/10] ci: factor Socket Firewall setup into a composite action The three sfw smoke jobs (python / npm-fixture / pypi-fixture) repeated the same setup: toolchain bootstrap + socketdev/action install. GitHub Actions doesn't support YAML anchors, so extract the shared setup into a local composite action instead. - New .github/actions/setup-sfw: optional Python/Node/uv toolchain inputs + the socketdev/action (firewall-free) install. - Each job now just declares the toolchain it needs (`uv`, `node`, or `python`) and runs its own distinct sfw command. Net effect: the pinned socketdev/action SHA now lives in ONE place (future bumps touch a single line), the per-job setup-python/setup-node duplication is gone, and each job body is reduced to its actual firewall check. No behavior change. Signed-off-by: lelia <2418071+lelia@users.noreply.github.com> --- .github/actions/setup-sfw/action.yml | 40 +++++++++++++++++++++++++ .github/workflows/dependabot-review.yml | 32 ++++---------------- 2 files changed, 46 insertions(+), 26 deletions(-) create mode 100644 .github/actions/setup-sfw/action.yml diff --git a/.github/actions/setup-sfw/action.yml b/.github/actions/setup-sfw/action.yml new file mode 100644 index 0000000..7f7b8db --- /dev/null +++ b/.github/actions/setup-sfw/action.yml 
@@ -0,0 +1,40 @@ +name: "Set up Socket Firewall (free)" +description: >- + Set up the requested language toolchain and install Socket Firewall (free + edition) so subsequent steps can run package-manager commands wrapped with + `sfw`. Free/anonymous mode -- no API token, safe on untrusted/Dependabot PRs. + +inputs: + python: + description: "Set up Python 3.12" + default: "false" + node: + description: "Set up Node 20 (needed for npm-wrapped checks)" + default: "false" + uv: + description: "Install uv (implies Python)" + default: "false" + +runs: + using: "composite" + steps: + - if: ${{ inputs.python == 'true' || inputs.uv == 'true' }} + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 + with: + python-version: "3.12" + + - if: ${{ inputs.node == 'true' }} + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af + with: + node-version: "20" + + # Official Socket setup action. Wires up sfw routing correctly -- preferred + # over a hand-rolled `npm install -g sfw`. Pinned to a commit SHA (v1.3.2). + - uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f + with: + mode: firewall-free + + - if: ${{ inputs.uv == 'true' }} + name: Install uv + shell: bash + run: python -m pip install --upgrade pip uv diff --git a/.github/workflows/dependabot-review.yml b/.github/workflows/dependabot-review.yml index 55b42dd..c3be28a 100644 --- a/.github/workflows/dependabot-review.yml +++ b/.github/workflows/dependabot-review.yml 
@@ -94,19 +94,9 @@ jobs: fetch-depth: 1 persist-credentials: false - - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 + - uses: ./.github/actions/setup-sfw with: - python-version: "3.12" - - # Official Socket setup action (free edition). Installs sfw and wires up - # routing correctly -- preferred over a hand-rolled `npm install -g sfw`. - - name: Set up Socket Firewall (free) - uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2 - with: - mode: firewall-free - - - name: Install uv - run: python -m pip install --upgrade pip uv + uv: "true" - name: Sync project through Socket Firewall # `sfw uv sync` is the intended way to route uv through Socket Firewall @@ -141,14 +131,9 @@ jobs: fetch-depth: 1 persist-credentials: false - - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af + - uses: ./.github/actions/setup-sfw with: - node-version: "20" - - - name: Set up Socket Firewall (free) - uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2 - with: - mode: firewall-free + node: "true" - name: Install fixture through Socket Firewall working-directory: tests/e2e/fixtures/simple-npm @@ -165,14 +150,9 @@ jobs: fetch-depth: 1 persist-credentials: false - - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 - with: - python-version: "3.12" - - - name: Set up Socket Firewall (free) - uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2 + - uses: ./.github/actions/setup-sfw with: - mode: firewall-free + python: "true" - name: Install fixture through Socket Firewall working-directory: tests/e2e/fixtures/simple-pypi From 6f89e0fd8a4df5d01a892905fd5654ce981430ba Mon Sep 17 00:00:00 2001 
From: lelia <2418071+lelia@users.noreply.github.com> Date: Sat, 30 May 2026 20:44:21 -0400 Subject: [PATCH 05/10] ci: speed up and de-duplicate the release & preview pipelines Performance (PR preview, the iterative-feedback path): - Add a concurrency group with cancel-in-progress so pushing a PR again cancels the superseded (slow) preview run instead of letting it churn. - Build preview images amd64-only. arm64 under QEMU emulation was the slowest part of the job, and preview images are for quick testing; release/stable keep multi-arch. - Enable GitHub Actions Docker layer cache (type=gha) on all image builds so unchanged layers are reused across runs. De-duplication (GitHub Actions has no YAML anchors, so use composite actions): - New .github/actions/setup-docker-publish: the QEMU + Buildx + Docker Hub login trio, shared by release.yml, pr-preview.yml, and docker-stable.yml. These had drifted to three different pinned SHA sets; now there is one. (Docker Hub creds are passed as inputs since composite actions can't read secrets directly.) - New .github/actions/setup-hatch: the pinned virtualenv/hatchling/hatch install shared by release.yml and pr-preview.yml. No behavior change to what gets published; only how the pipelines are assembled and how fast/parallel they run. Stacked on #217 (lelia/fix-dependabot-checks) to avoid a pr-preview.yml conflict with that PR's Dependabot skip; rebase onto main once #217 lands. Signed-off-by: lelia <2418071+lelia@users.noreply.github.com> --- .../actions/setup-docker-publish/action.yml | 24 +++++++++++++ .github/actions/setup-hatch/action.yml | 13 +++++++ .github/workflows/docker-stable.yml | 16 ++++----- .github/workflows/pr-preview.yml | 35 ++++++++++--------- .github/workflows/release.yml | 26 +++++--------- 5 files changed, 70 insertions(+), 44 deletions(-) create mode 100644 .github/actions/setup-docker-publish/action.yml create mode 100644 .github/actions/setup-hatch/action.yml 
diff --git a/.github/actions/setup-docker-publish/action.yml b/.github/actions/setup-docker-publish/action.yml new file mode 100644 index 0000000..9144ac6 --- /dev/null +++ b/.github/actions/setup-docker-publish/action.yml @@ -0,0 +1,24 @@ +name: "Set up Docker publish" +description: >- + Set up QEMU + Docker Buildx and authenticate to Docker Hub for multi-arch + image builds. Centralizes the QEMU/Buildx/login trio that the release, + preview, and stable workflows previously each copied (and which had drifted + to different pinned SHAs). + +inputs: + dockerhub-username: + description: "Docker Hub username (pass from secrets)" + required: true + dockerhub-token: + description: "Docker Hub token/password (pass from secrets)" + required: true + +runs: + using: "composite" + steps: + - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3 + - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 + - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 + with: + username: ${{ inputs.dockerhub-username }} + password: ${{ inputs.dockerhub-token }} diff --git a/.github/actions/setup-hatch/action.yml b/.github/actions/setup-hatch/action.yml new file mode 100644 index 0000000..0da5160 --- /dev/null +++ b/.github/actions/setup-hatch/action.yml @@ -0,0 +1,13 @@ +name: "Set up Hatch build tooling" +description: >- + Install the pinned hatch / hatchling / virtualenv toolchain used to build + and publish the package. Assumes Python is already set up by the caller. + +runs: + using: "composite" + steps: + - shell: bash + run: | + python -m pip install --upgrade pip + pip install "virtualenv<20.36" + pip install hatchling==1.27.0 hatch==1.14.0 diff --git a/.github/workflows/docker-stable.yml b/.github/workflows/docker-stable.yml index 3639ffc..24fc3a4 100644 --- a/.github/workflows/docker-stable.yml +++ b/.github/workflows/docker-stable.yml 
@@ -28,23 +28,19 @@ jobs: fi echo "Version ${INPUT_VERSION} found on PyPI - proceeding with release" - - name: Set up QEMU - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - - - name: Login to Docker Hub with Organization Token - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 + - name: Set up Docker publishing + uses: ./.github/actions/setup-docker-publish with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} + dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }} + dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }} - name: Build & Push Stable Docker uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 with: push: true platforms: linux/amd64,linux/arm64 + cache-from: type=gha + cache-to: type=gha,mode=max tags: socketdev/cli:stable build-args: | CLI_VERSION=${{ inputs.version }} diff --git a/.github/workflows/pr-preview.yml b/.github/workflows/pr-preview.yml index ef47ea0..5b4a892 100644 --- a/.github/workflows/pr-preview.yml +++ b/.github/workflows/pr-preview.yml @@ -3,6 +3,12 @@ on: pull_request: types: [opened, synchronize, ready_for_review] +# Cancel an in-flight preview when the PR is pushed again -- previews are slow +# (publish + multi-step Docker build), so superseded runs shouldn't keep going. +concurrency: + group: pr-preview-${{ github.event.pull_request.number }} + cancel-in-progress: true + jobs: preview: # Skip on: @@ -26,12 +32,8 @@ jobs: with: python-version: '3.13' - # Install all dependencies from pyproject.toml - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install "virtualenv<20.36" - pip install hatchling==1.27.0 hatch==1.14.0 + - name: Install build tooling + uses: ./.github/actions/setup-hatch - name: Inject full dynamic version run: python .hooks/sync_version.py --dev 
@@ -139,18 +141,12 @@ jobs: echo "success=false" >> $GITHUB_OUTPUT exit 1 - - name: Set up QEMU - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 - - - name: Login to Docker Hub with Organization Token + - name: Set up Docker publishing if: steps.verify_package.outputs.success == 'true' - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 + uses: ./.github/actions/setup-docker-publish with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} + dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }} + dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }} - name: Build & Push Docker Preview if: steps.verify_package.outputs.success == 'true' @@ -159,7 +155,12 @@ jobs: VERSION: ${{ env.VERSION }} with: push: true - platforms: linux/amd64,linux/arm64 + # Preview images are for quick testing -- build amd64 only. arm64 via + # QEMU emulation is the slowest part of the job; release builds keep + # multi-arch. GHA layer cache speeds up repeated preview builds. + platforms: linux/amd64 + cache-from: type=gha + cache-to: type=gha,mode=max tags: | socketdev/cli:pr-${{ github.event.pull_request.number }} build-args: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5549b88..535a269 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -18,13 +18,9 @@ jobs: with: python-version: '3.13' - # Install all dependencies from pyproject.toml - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install "virtualenv<20.36" - pip install hatchling==1.27.0 hatch==1.14.0 - + - name: Install build tooling + uses: ./.github/actions/setup-hatch + - name: Get Version id: version env: 
@@ -72,17 +68,11 @@ jobs: if: steps.version_check.outputs.pypi_exists != 'true' uses: pypa/gh-action-pypi-publish@ab69e431e9c9f48a3310be0a56527c679f56e04d - - name: Set up QEMU - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 - - - name: Login to Docker Hub with Organization Token - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 + - name: Set up Docker publishing + uses: ./.github/actions/setup-docker-publish with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} + dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }} + dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }} - name: Verify package is installable id: verify_package @@ -112,6 +102,8 @@ jobs: with: push: true platforms: linux/amd64,linux/arm64 + cache-from: type=gha + cache-to: type=gha,mode=max tags: | socketdev/cli:latest socketdev/cli:${{ env.VERSION }} From 1f5857fa9b1c95ff9240566ea1fa83a5dc6704f5 Mon Sep 17 00:00:00 2001 From: lelia <2418071+lelia@users.noreply.github.com> Date: Sat, 30 May 2026 21:17:09 -0400 Subject: [PATCH 06/10] ci: pin all GitHub Actions to latest release SHAs with version comments Bump every third-party action to its latest git-tagged release, pinned to the resolved commit SHA with a trailing '# vX.Y.Z' comment for readability: actions/checkout -> v6.0.2 actions/setup-python -> v6.2.0 actions/setup-node -> v6.4.0 actions/github-script -> v9.0.0 pypa/gh-action-pypi-publish -> v1.14.0 docker/setup-qemu-action -> v4.1.0 docker/setup-buildx-action -> v4.1.0 docker/login-action -> v4.2.0 docker/build-push-action -> v7.2.0 socketdev/action -> v1.3.2 (comment only) Applied across the setup-sfw composite action and all workflows, including docker-stable.yml which previously used floating major-version comments. 
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com> --- .github/actions/setup-sfw/action.yml | 8 ++++---- .github/workflows/dependabot-review.yml | 10 +++++----- .github/workflows/docker-stable.yml | 10 +++++----- .github/workflows/e2e-test.yml | 6 +++--- .github/workflows/pr-preview.yml | 16 ++++++++-------- .github/workflows/python-tests.yml | 8 ++++---- .github/workflows/release.yml | 14 +++++++------- .github/workflows/version-check.yml | 4 ++-- 8 files changed, 38 insertions(+), 38 deletions(-) diff --git a/.github/actions/setup-sfw/action.yml b/.github/actions/setup-sfw/action.yml index 7f7b8db..34db12d 100644 --- a/.github/actions/setup-sfw/action.yml +++ b/.github/actions/setup-sfw/action.yml @@ -19,18 +19,18 @@ runs: using: "composite" steps: - if: ${{ inputs.python == 'true' || inputs.uv == 'true' }} - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.12" - if: ${{ inputs.node == 'true' }} - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: "20" # Official Socket setup action. Wires up sfw routing correctly -- preferred - # over a hand-rolled `npm install -g sfw`. Pinned to a commit SHA (v1.3.2). - - uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f + # over a hand-rolled `npm install -g sfw`. + - uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2 with: mode: firewall-free diff --git a/.github/workflows/dependabot-review.yml b/.github/workflows/dependabot-review.yml index c3be28a..f6248fa 100644 --- a/.github/workflows/dependabot-review.yml +++ b/.github/workflows/dependabot-review.yml 
@@ -34,7 +34,7 @@ jobs: dockerfile_changed: ${{ steps.diff.outputs.dockerfile_changed }} workflow_or_action_changed: ${{ steps.diff.outputs.workflow_or_action_changed }} steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 persist-credentials: false @@ -89,7 +89,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 15 steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 1 persist-credentials: false @@ -126,7 +126,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 15 steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 1 persist-credentials: false @@ -145,7 +145,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 15 steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 1 persist-credentials: false @@ -168,7 +168,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 20 steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 1 persist-credentials: false diff --git a/.github/workflows/docker-stable.yml b/.github/workflows/docker-stable.yml index 3639ffc..8f98fd8 100644 --- a/.github/workflows/docker-stable.yml +++ b/.github/workflows/docker-stable.yml @@ -13,7 +13,7 @@ jobs: stable: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false 
@@ -29,19 +29,19 @@ jobs: echo "Version ${INPUT_VERSION} found on PyPI - proceeding with release" - name: Set up QEMU - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3 + uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Login to Docker Hub with Organization Token - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Build & Push Stable Docker - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 with: push: true platforms: linux/amd64,linux/arm64 diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml index 83a6fa4..1ce306f 100644 --- a/.github/workflows/e2e-test.yml +++ b/.github/workflows/e2e-test.yml @@ -70,16 +70,16 @@ jobs: name: e2e-${{ matrix.name }} steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 persist-credentials: false - - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.12' - - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 if: matrix.setup-node == 'true' with: node-version: '20' diff --git a/.github/workflows/pr-preview.yml b/.github/workflows/pr-preview.yml index ef47ea0..465d480 100644 --- a/.github/workflows/pr-preview.yml 
+++ b/.github/workflows/pr-preview.yml @@ -18,11 +18,11 @@ jobs: contents: read pull-requests: write steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 persist-credentials: false - - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' @@ -63,14 +63,14 @@ jobs: - name: Publish to Test PyPI if: steps.version_check.outputs.exists != 'true' - uses: pypa/gh-action-pypi-publish@ab69e431e9c9f48a3310be0a56527c679f56e04d + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 with: repository-url: https://test.pypi.org/legacy/ verbose: true - name: Comment on PR if: steps.version_check.outputs.exists != 'true' - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: VERSION: ${{ env.VERSION }} with: 
@@ -140,21 +140,21 @@ jobs: exit 1 - name: Set up QEMU - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf + uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Login to Docker Hub with Organization Token if: steps.verify_package.outputs.success == 'true' - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Build & Push Docker Preview if: steps.verify_package.outputs.success == 'true' - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 env: VERSION: ${{ env.VERSION }} with: diff --git a/.github/workflows/python-tests.yml b/.github/workflows/python-tests.yml index 94f4f82..3247275 100644 --- a/.github/workflows/python-tests.yml +++ b/.github/workflows/python-tests.yml @@ -35,12 +35,12 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 20 steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 1 persist-credentials: false - name: 🐍 setup python - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYTHON_VERSION }} - name: 🛠️ install deps 
@@ -71,12 +71,12 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 10 steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 1 persist-credentials: false - name: 🐍 setup python - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.10" - name: 🚫 verify install is rejected on unsupported python diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5549b88..f21955a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -10,11 +10,11 @@ jobs: id-token: write contents: read steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 persist-credentials: false - - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' 
@@ -70,16 +70,16 @@ jobs: - name: Publish to PyPI if: steps.version_check.outputs.pypi_exists != 'true' - uses: pypa/gh-action-pypi-publish@ab69e431e9c9f48a3310be0a56527c679f56e04d + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 - name: Set up QEMU - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf + uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Login to Docker Hub with Organization Token - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} @@ -106,7 +106,7 @@ jobs: if: | steps.verify_package.outputs.success == 'true' && steps.docker_check.outputs.docker_exists != 'true' - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 env: VERSION: ${{ env.VERSION }} with: diff --git a/.github/workflows/version-check.yml b/.github/workflows/version-check.yml index dc50819..a097208 100644 --- a/.github/workflows/version-check.yml +++ b/.github/workflows/version-check.yml @@ -20,7 +20,7 @@ jobs: if: github.event.pull_request.user.login != 'dependabot[bot]' runs-on: ubuntu-latest steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 # Fetch all history for all branches persist-credentials: false 
@@ -90,7 +90,7 @@ jobs: fi - name: Manage PR Comment - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 if: always() && github.event.pull_request.head.repo.full_name == github.repository env: MAIN_VERSION: ${{ env.MAIN_VERSION }} From cb7bc9fcc830703a6936dda420c5835a86e2e28e Mon Sep 17 00:00:00 2001 From: lelia <2418071+lelia@users.noreply.github.com> Date: Sun, 31 May 2026 00:36:47 -0400 Subject: [PATCH 07/10] Keep dependabot action pins visible --- .github/actions/setup-sfw/action.yml | 40 ------------------------- .github/workflows/dependabot-review.yml | 27 +++++++++++++---- 2 files changed, 21 insertions(+), 46 deletions(-) delete mode 100644 .github/actions/setup-sfw/action.yml diff --git a/.github/actions/setup-sfw/action.yml b/.github/actions/setup-sfw/action.yml deleted file mode 100644 index 34db12d..0000000 --- a/.github/actions/setup-sfw/action.yml +++ /dev/null 
@@ -1,40 +0,0 @@ -name: "Set up Socket Firewall (free)" -description: >- - Set up the requested language toolchain and install Socket Firewall (free - edition) so subsequent steps can run package-manager commands wrapped with - `sfw`. Free/anonymous mode -- no API token, safe on untrusted/Dependabot PRs. - -inputs: - python: - description: "Set up Python 3.12" - default: "false" - node: - description: "Set up Node 20 (needed for npm-wrapped checks)" - default: "false" - uv: - description: "Install uv (implies Python)" - default: "false" - -runs: - using: "composite" - steps: - - if: ${{ inputs.python == 'true' || inputs.uv == 'true' }} - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 - with: - python-version: "3.12" - - - if: ${{ inputs.node == 'true' }} - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 - with: - node-version: "20" - - # Official Socket setup action. Wires up sfw routing correctly -- preferred - # over a hand-rolled `npm install -g sfw`. - - uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2 - with: - mode: firewall-free - - - if: ${{ inputs.uv == 'true' }} - name: Install uv - shell: bash - run: python -m pip install --upgrade pip uv diff --git a/.github/workflows/dependabot-review.yml b/.github/workflows/dependabot-review.yml index f6248fa..502dd4a 100644 --- a/.github/workflows/dependabot-review.yml +++ b/.github/workflows/dependabot-review.yml @@ -94,9 +94,16 @@ jobs: fetch-depth: 1 persist-credentials: false - - uses: ./.github/actions/setup-sfw + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: - uv: "true" + python-version: "3.12" + + - uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2 + with: + mode: firewall-free + + - name: Install uv + run: python -m pip install --upgrade pip uv - name: Sync project through Socket Firewall # `sfw uv sync` is the intended way to route uv through Socket Firewall 
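Review bot: the inlined `Install uv` step (`run: python -m pip install --upgrade pip uv`) pulls `uv` from PyPI unpinned and without going through the firewall that the preceding `socketdev/action` step just installed, so the tool this job relies on to gate installs is itself the one fetch nothing inspects. Pin it (`uv==<version>` the repo already uses) and route it through `sfw` like the rest of the job, or install it with a pinned setup action. Separately, inlining the composite triples the `socketdev/action@ba6de6cc…` / `setup-python@a309ff8b…` pins across the three jobs in this file; the lighter fix for the "pins not visible to Dependabot" problem in the title is to add `/.github/actions/*` to the Dependabot `directories` so the single copy inside the composite is tracked.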
@@ -131,9 +138,13 @@ jobs: fetch-depth: 1 persist-credentials: false - - uses: ./.github/actions/setup-sfw + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: - node: "true" + node-version: "20" + + - uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2 + with: + mode: firewall-free - name: Install fixture through Socket Firewall working-directory: tests/e2e/fixtures/simple-npm @@ -150,9 +161,13 @@ jobs: fetch-depth: 1 persist-credentials: false - - uses: ./.github/actions/setup-sfw + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 + with: + python-version: "3.12" + + - uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2 with: - python: "true" + mode: firewall-free - name: Install fixture through Socket Firewall working-directory: tests/e2e/fixtures/simple-pypi From ba9b94692b37a55a4eeaaedcb497fa6d1547396b Mon Sep 17 00:00:00 2001 From: lelia <2418071+lelia@users.noreply.github.com> Date: Sun, 31 May 2026 00:44:07 -0400 Subject: [PATCH 08/10] Configure Dependabot for composite actions --- .../actions/setup-docker-publish/action.yml | 23 +++++++++++ .github/actions/setup-sfw/action.yml | 39 +++++++++++++++++++ .github/dependabot.yml | 4 +- .github/workflows/dependabot-review.yml | 27 +++---------- .github/workflows/docker-stable.yml | 14 ++----- .github/workflows/pr-preview.yml | 14 ++----- .github/workflows/release.yml | 14 ++----- 7 files changed, 83 insertions(+), 52 deletions(-) create mode 100644 .github/actions/setup-docker-publish/action.yml create mode 100644 .github/actions/setup-sfw/action.yml diff --git a/.github/actions/setup-docker-publish/action.yml b/.github/actions/setup-docker-publish/action.yml new file mode 100644 index 0000000..dd0a17c --- /dev/null +++ b/.github/actions/setup-docker-publish/action.yml 
@@ -0,0 +1,23 @@ +name: "Set up Docker publish" +description: >- + Set up QEMU + Docker Buildx and authenticate to Docker Hub for multi-arch + image builds. Centralizes the QEMU/Buildx/login trio used by release, + preview, and stable workflows. + +inputs: + dockerhub-username: + description: "Docker Hub username (pass from secrets)" + required: true + dockerhub-token: + description: "Docker Hub token/password (pass from secrets)" + required: true + +runs: + using: "composite" + steps: + - uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0 + - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 + - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 + with: + username: ${{ inputs.dockerhub-username }} + password: ${{ inputs.dockerhub-token }} diff --git a/.github/actions/setup-sfw/action.yml b/.github/actions/setup-sfw/action.yml new file mode 100644 index 0000000..2804701 --- /dev/null +++ b/.github/actions/setup-sfw/action.yml 
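Review bot: `required: true` on the two composite inputs does not protect against an empty value: a caller passing `${{ secrets.DOCKERHUB_TOKEN }}` from a context where the secret is unset (fork PR, missing environment secret) still "supplies" the input, and the failure only surfaces as a `docker/login-action` error after QEMU and Buildx have been set up. Add a guard step before the login, reading the inputs through `env:` rather than interpolating them into the script, e.g. `env: TOKEN: ${{ inputs.dockerhub-token }}` then `[ -n "$TOKEN" ] || { echo "dockerhub-token is empty"; exit 1; }`, so the step fails fast with a message that names the missing secret.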
@@ -0,0 +1,39 @@ +name: "Set up Socket Firewall (free)" +description: >- + Set up the requested language toolchain and install Socket Firewall (free + edition) so subsequent steps can run package-manager commands wrapped with + `sfw`. Free/anonymous mode -- no API token, safe on untrusted/Dependabot PRs. + +inputs: + python: + description: "Set up Python 3.12" + default: "false" + node: + description: "Set up Node 20 (needed for npm-wrapped checks)" + default: "false" + uv: + description: "Install uv (implies Python)" + default: "false" + +runs: + using: "composite" + steps: + - if: ${{ inputs.python == 'true' || inputs.uv == 'true' }} + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 + with: + python-version: "3.12" + + - if: ${{ inputs.node == 'true' }} + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 + with: + node-version: "20" + + # Official Socket setup action. Wires up sfw routing correctly. + - uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2 + with: + mode: firewall-free + + - if: ${{ inputs.uv == 'true' }} + name: Install uv + shell: bash + run: python -m pip install --upgrade pip uv diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 7c05ee5..08a2a62 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -38,7 +38,9 @@ updates: # GitHub Actions used in workflows - package-ecosystem: "github-actions" - directory: "/" + directories: + - "/" + - "/.github/actions/*" schedule: interval: "weekly" open-pull-requests-limit: 2 diff --git a/.github/workflows/dependabot-review.yml b/.github/workflows/dependabot-review.yml index 502dd4a..f6248fa 100644 --- a/.github/workflows/dependabot-review.yml +++ b/.github/workflows/dependabot-review.yml 
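Review bot: with `directories:` listing both `/` and `/.github/actions/*`, the same pin (`actions/setup-python@a309ff8b… # v6.2.0` appears in the workflows and in `setup-sfw/action.yml`) will be bumped by separate Dependabot PRs per directory, and the shared `open-pull-requests-limit: 2` now covers all of them, so the two copies can sit at different versions between runs. Add a `groups:` entry for the github-actions ecosystem so one PR moves every directory together. Note also that the composite's `python -m pip install --upgrade pip uv` is a plain `run:` line, which Dependabot's github-actions scanner does not see, so moving `uv` behind the composite does not get it version-tracked; it still needs an explicit pin.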
@@ -94,16 +94,9 @@ jobs: fetch-depth: 1 persist-credentials: false - - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 + - uses: ./.github/actions/setup-sfw with: - python-version: "3.12" - - - uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2 - with: - mode: firewall-free - - - name: Install uv - run: python -m pip install --upgrade pip uv + uv: "true" - name: Sync project through Socket Firewall # `sfw uv sync` is the intended way to route uv through Socket Firewall @@ -138,13 +131,9 @@ jobs: fetch-depth: 1 persist-credentials: false - - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 + - uses: ./.github/actions/setup-sfw with: - node-version: "20" - - - uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2 - with: - mode: firewall-free + node: "true" - name: Install fixture through Socket Firewall working-directory: tests/e2e/fixtures/simple-npm @@ -161,13 +150,9 @@ jobs: fetch-depth: 1 persist-credentials: false - - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 - with: - python-version: "3.12" - - - uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2 + - uses: ./.github/actions/setup-sfw with: - mode: firewall-free + python: "true" - name: Install fixture through Socket Firewall working-directory: tests/e2e/fixtures/simple-pypi diff --git a/.github/workflows/docker-stable.yml b/.github/workflows/docker-stable.yml index 55b9e2d..fcb3ba2 100644 --- a/.github/workflows/docker-stable.yml +++ b/.github/workflows/docker-stable.yml 
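Review bot: `uses: ./.github/actions/setup-sfw` is resolved from the checked-out ref, so on a pull request the composite that runs is the one in the PR head, and a PR that edits `.github/actions/setup-sfw/action.yml` changes what this review executes (including which `socketdev/action` SHA and mode it installs). That is acceptable for these jobs only as long as they stay secret-free (`firewall-free`, `persist-credentials: false`, no token); it is also the reason edits under `.github/actions/` should trip the same "workflow changed" flag the review already raises for `.github/workflows/`, so a reviewer looks at the composite diff before trusting the green check.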
@@ -28,17 +28,11 @@ jobs: fi echo "Version ${INPUT_VERSION} found on PyPI - proceeding with release" - - name: Set up QEMU - uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - - - name: Login to Docker Hub with Organization Token - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 + - name: Set up Docker publishing + uses: ./.github/actions/setup-docker-publish with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} + dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }} + dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }} - name: Build & Push Stable Docker uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 diff --git a/.github/workflows/pr-preview.yml b/.github/workflows/pr-preview.yml index e5bc117..c7d70dc 100644 --- a/.github/workflows/pr-preview.yml +++ b/.github/workflows/pr-preview.yml @@ -141,18 +141,12 @@ jobs: echo "success=false" >> $GITHUB_OUTPUT exit 1 - - name: Set up QEMU - uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - - - name: Login to Docker Hub with Organization Token + - name: Set up Docker publishing if: steps.verify_package.outputs.success == 'true' - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 + uses: ./.github/actions/setup-docker-publish with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} + dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }} + dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }} - name: Build & Push Docker Preview if: steps.verify_package.outputs.success == 'true' 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index db8a2de..5e8d2f8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -68,17 +68,11 @@ jobs: if: steps.version_check.outputs.pypi_exists != 'true' uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 - - name: Set up QEMU - uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - - - name: Login to Docker Hub with Organization Token - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 + - name: Set up Docker publishing + uses: ./.github/actions/setup-docker-publish with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} + dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }} + dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }} - name: Verify package is installable id: verify_package From d9cb95cd80252f7d634f8a1397d707c26ab04131 Mon Sep 17 00:00:00 2001 From: lelia <2418071+lelia@users.noreply.github.com> Date: Sun, 31 May 2026 00:59:08 -0400 Subject: [PATCH 09/10] Include composite actions in Dependabot review notice --- .github/dependabot.yml | 2 +- .github/workflows/dependabot-review.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 08a2a62..89e2ed0 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -36,7 +36,7 @@ updates: cooldown: default-days: 7 - # GitHub Actions used in workflows + # GitHub Actions used in workflows and local composite actions. - package-ecosystem: "github-actions" directories: - "/" diff --git a/.github/workflows/dependabot-review.yml b/.github/workflows/dependabot-review.yml index f6248fa..2bc8879 100644 --- a/.github/workflows/dependabot-review.yml +++ b/.github/workflows/dependabot-review.yml 
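Review bot: in release.yml the `Set up Docker publishing` step (which includes the Docker Hub login) runs unconditionally and before `Verify package is installable`, whereas the same composite in pr-preview.yml is gated on `steps.verify_package.outputs.success == 'true'`. Move the step after the verification step, or add the same `if:`, so the Docker Hub token is only exercised when there is an image that will actually be built and pushed; as written, a release whose package fails verification still logs in to the registry for nothing.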
@@ -68,7 +68,7 @@ jobs: echo "fixture_npm_changed=$(has_file '^tests/e2e/fixtures/simple-npm/')" echo "fixture_pypi_changed=$(has_file '^tests/e2e/fixtures/simple-pypi/')" echo "dockerfile_changed=$(has_file '^Dockerfile$')" - echo "workflow_or_action_changed=$(has_file '^\.github/workflows/|^\.github/dependabot\.yml$')" + echo "workflow_or_action_changed=$(has_file '^\.github/workflows/|^\.github/actions/|^\.github/dependabot\.yml$')" } >> "$GITHUB_OUTPUT" - name: Summarize review expectations From e3bef31921b652717763094cf225445cde8c912b Mon Sep 17 00:00:00 2001 From: lelia <2418071+lelia@users.noreply.github.com> Date: Sun, 31 May 2026 01:00:39 -0400 Subject: [PATCH 10/10] Rename Docker setup composite action --- .../actions/{setup-docker-publish => setup-docker}/action.yml | 2 +- .github/workflows/docker-stable.yml | 2 +- .github/workflows/pr-preview.yml | 2 +- .github/workflows/release.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) rename .github/actions/{setup-docker-publish => setup-docker}/action.yml (96%) diff --git a/.github/actions/setup-docker-publish/action.yml b/.github/actions/setup-docker/action.yml similarity index 96% rename from .github/actions/setup-docker-publish/action.yml rename to .github/actions/setup-docker/action.yml index dd0a17c..846efd4 100644 --- a/.github/actions/setup-docker-publish/action.yml +++ b/.github/actions/setup-docker/action.yml @@ -1,4 +1,4 @@ -name: "Set up Docker publish" +name: "Set up Docker" description: >- Set up QEMU + Docker Buildx and authenticate to Docker Hub for multi-arch image builds. Centralizes the QEMU/Buildx/login trio used by release, diff --git a/.github/workflows/docker-stable.yml b/.github/workflows/docker-stable.yml index fcb3ba2..934e0d9 100644 --- a/.github/workflows/docker-stable.yml +++ b/.github/workflows/docker-stable.yml 
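Review bot: the extended pattern `'^\.github/workflows/|^\.github/actions/|^\.github/dependabot\.yml$'` is correctly anchored per alternative, but `has_file` is matching paths from the PR diff, and a rename (PATCH 10 in this series moves `setup-docker-publish/` to `setup-docker/`) only shows up if the listing used by `has_file` includes renamed paths; confirm the underlying `git diff --name-only` style call is not filtering renames out, otherwise a PR that relocates a composite action would not flip `workflow_or_action_changed`.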
@@ -29,7 +29,7 @@ jobs: echo "Version ${INPUT_VERSION} found on PyPI - proceeding with release" - name: Set up Docker publishing - uses: ./.github/actions/setup-docker-publish + uses: ./.github/actions/setup-docker with: dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }} dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }} diff --git a/.github/workflows/pr-preview.yml b/.github/workflows/pr-preview.yml index c7d70dc..eb29ef9 100644 --- a/.github/workflows/pr-preview.yml +++ b/.github/workflows/pr-preview.yml @@ -143,7 +143,7 @@ jobs: - name: Set up Docker publishing if: steps.verify_package.outputs.success == 'true' - uses: ./.github/actions/setup-docker-publish + uses: ./.github/actions/setup-docker with: dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }} dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5e8d2f8..6c41e9c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -69,7 +69,7 @@ jobs: uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 - name: Set up Docker publishing - uses: ./.github/actions/setup-docker-publish + uses: ./.github/actions/setup-docker with: dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }} dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}