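---
# End-to-end tests for the Socket CLI. Each matrix entry installs the CLI from
# the checked-out repository, runs one `socketcli` invocation against a fixture
# and then runs a validate script over the captured output.
name: E2E Tests

on:
  push:
    branches: [main]
  pull_request:
  workflow_dispatch:

# Least privilege: nothing in this workflow writes back to the repository, so
# the GITHUB_TOKEN only needs read access to contents. Widen per job (not here)
# if a step ever needs to upload results.
permissions:
  contents: read

jobs:
  e2e:
    # Skip e2e on:
    # - PRs from forks (no secrets)
    # - Dependabot PRs (no secrets, and dependency-bump risk is already
    #   covered by dependency-review.yml's Socket Firewall smoke jobs)
    # On `push` and `workflow_dispatch` there is no pull_request payload, so
    # `github.event.pull_request.user.login` is empty and the Dependabot
    # comparison passes; only `pull_request` events can be skipped here.
    if: >-
      (github.event_name != 'pull_request' ||
      github.event.pull_request.head.repo.full_name == github.repository) &&
      github.event.pull_request.user.login != 'dependabot[bot]'
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # `args` is folded (`>-`) into a single space-separated argument line.
        # Keep the values free of shell quoting/globbing characters: they are
        # word-split by the shell in the "Run Socket CLI" step.
        include:
          - name: scan
            args: >-
              --target-path tests/e2e/fixtures/simple-npm
              --disable-blocking
              --enable-debug
            validate: tests/e2e/validate-scan.sh
          - name: sarif
            args: >-
              --target-path tests/e2e/fixtures/simple-npm
              --sarif-file /tmp/results.sarif
              --disable-blocking
            validate: tests/e2e/validate-sarif.sh
          - name: reachability
            args: >-
              --target-path tests/e2e/fixtures/simple-npm
              --reach
              --disable-blocking
              --enable-debug
            validate: tests/e2e/validate-reachability.sh
            # Only the reachability run needs Node (and uv, below).
            setup-node: "true"
          - name: gitlab
            args: >-
              --target-path tests/e2e/fixtures/simple-npm
              --enable-gitlab-security
              --disable-blocking
            validate: tests/e2e/validate-gitlab.sh
          - name: json
            args: >-
              --target-path tests/e2e/fixtures/simple-npm
              --enable-json
              --disable-blocking
            validate: tests/e2e/validate-json.sh
          - name: pypi
            args: >-
              --target-path tests/e2e/fixtures/simple-pypi
              --disable-blocking
              --enable-debug
            validate: tests/e2e/validate-scan.sh
    # These check names are what branch protection requires; the e2e-bypass
    # job below must report the same names.
    name: e2e-${{ matrix.name }}
    steps:
      # Actions are pinned to commit SHAs (the trailing comment is the tag the
      # SHA was resolved from). `persist-credentials: false` keeps the checkout
      # token out of .git/config so later steps cannot reuse it.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: '3.12'
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        if: matrix.setup-node == 'true'
        with:
          node-version: '20'
      - name: Install CLI from local repo
        # `python -m pip` pins the install to the interpreter selected by
        # setup-python rather than whichever `pip` is first on PATH.
        run: |
          python -m pip install --upgrade pip
          python -m pip install .
      - name: Install uv
        # uv is not invoked by any step in this file; presumably the
        # reachability run (`--reach`) shells out to it -- confirm against the
        # CLI before removing.
        if: matrix.setup-node == 'true'
        run: python -m pip install uv
      - name: Run Socket CLI
        env:
          # Repository secret; only available on push, workflow_dispatch and
          # same-repo PRs, which is exactly the set the job-level `if` allows.
          SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_CLI_API_TOKEN }}
          # Matrix values are literals from this file, so interpolating them
          # into the script is not exploitable today. Passing them through the
          # environment anyway keeps the `run` line free of `${{ }}` expansion,
          # so a future change that derives args from an event payload or
          # workflow input cannot turn into shell injection.
          CLI_ARGS: ${{ matrix.args }}
        # GitHub's default `run` shell is `bash -e` without pipefail, so the
        # `tee` would otherwise mask a non-zero exit from socketcli.
        # CLI_ARGS is deliberately unquoted so it is word-split into the
        # individual flags (see the matrix comment on allowed characters).
        # The full output, including --enable-debug output, is visible in the
        # run log and saved to /tmp/e2e-output.log for the validate step.
        run: |
          set -o pipefail
          # shellcheck disable=SC2086
          socketcli $CLI_ARGS 2>&1 | tee /tmp/e2e-output.log
      - name: Validate results
        env:
          # NOTE(review): the validate scripts are also given the API key;
          # if none of them calls the Socket API, drop this to keep the secret
          # scoped to the single step that needs it.
          SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_CLI_API_TOKEN }}
          VALIDATE_SCRIPT: ${{ matrix.validate }}
        run: bash "$VALIDATE_SCRIPT"

  # Branch protection requires the e2e-* checks, but the `e2e` job above is
  # skipped on PRs that can't access repository secrets -- fork PRs and
  # Dependabot PRs. A job skipped via a job-level `if` never expands its
  # matrix, so the e2e-* check contexts are never created and the required
  # checks sit at "Expected -- Waiting for status to be reported" forever,
  # permanently blocking merge.
  #
  # This bypass reports a green status under the SAME e2e-* check names for
  # exactly those PRs, satisfying branch protection without running the real
  # tests (which need SOCKET_CLI_API_TOKEN). Its `if` is the negation of the
  # e2e job's run condition for `pull_request` events (on push and
  # workflow_dispatch the pull_request payload is absent, so only `e2e` can
  # run there): any given PR runs one or the other, never both, never neither.
  #
  # SECURITY NOTE: as a consequence, a green e2e-* check on a fork or
  # Dependabot PR is NOT evidence that the e2e suite ran against that change.
  # Reviewers must not rely on the check for such PRs; if the change can
  # affect CLI behaviour, re-run the real suite from a same-repository branch
  # (which has access to the secret) before merging.
  #
  # Dependency-bump risk on these PRs is still covered by dependency-review.yml's
  # Socket Firewall smoke jobs, which run without repository secrets.
  e2e-bypass:
    if: >-
      github.event_name == 'pull_request' &&
      (github.event.pull_request.head.repo.full_name != github.repository ||
      github.event.pull_request.user.login == 'dependabot[bot]')
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Must list every `name` in the e2e matrix above, or the missing
        # required check will block merge exactly as described above.
        name: [scan, sarif, reachability, gitlab, json, pypi]
    name: e2e-${{ matrix.name }}
    steps:
      - name: Report skip status
        env:
          MATRIX_NAME: ${{ matrix.name }}
        run: |
          echo "Skipping e2e-${MATRIX_NAME} for a PR without repository secrets"
          echo "(fork or Dependabot). Dependency risk is covered by dependency-review.yml."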