Dependabot hardening + dependency update bundle#84
Merged
Conversation
Mirrors the Dependabot hardening done in socket-python-cli (#207/#217/#218), adapted to this SDK (no Dockerfile, no e2e fixtures, hatch/pip build path). Bundle dependency updates (supersedes 4 open Dependabot PRs): - idna 3.11 -> 3.17 (security: CVE-2026-45409 quadratic-time DoS fix) - cryptography 46.0.5 -> 46.0.7 - pygments 2.19.2 -> 2.20.0 - uv 0.9.21 -> 0.11.17 Verified via uv sync --locked, import smoke, and pytest tests/unit (102 passed). Adds grouped/cooldowned dependabot.yml (uv + github-actions), a dependabot-review workflow running anonymous Socket Firewall smoke jobs, Version Check / PR Preview skips for Dependabot PRs, and setup-sfw / setup-hatch composite actions. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This was referenced Jun 1, 2026
|
🚀 Preview package published! Install with: pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketdev==3.1.2.dev8 |
lelia
added
enhancement
Version Check requires a package-version increment on maintainer PRs, and this PR bundles dependency bumps + Dependabot hardening. Bump version.py, pyproject.toml, and the uv.lock project version in sync. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Broaden dependabot-review into dependency-review so the Socket Firewall guardrail covers maintainer PRs too, not just Dependabot: - inspect now runs on every PR and computes the SFW edition per-PR: enterprise for a trusted SocketDev member (author_association OWNER/ MEMBER/COLLABORATOR) on an in-repo (non-fork) PR when SOCKET_API_TOKEN is present; free (anonymous) for Dependabot, forks, external contributors, or when the token is absent. - The mode degrades to free whenever the token is missing, so this is safe to ship before the secret exists and auto-upgrades to enterprise once SOCKET_API_TOKEN is added (repo or org level). The SDK has no Socket token today (cf. socket-python-cli's SOCKET_CLI_API_TOKEN). - setup-sfw composite action gains `mode` + `socket-token` inputs, forwarded to socketdev/action (same action, firewall-free vs firewall-enterprise). - Rename workflow dependabot-review.yml -> dependency-review.yml to match the broadened scope (not a required status check). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…load .python-version pins 3.12.7; setup-python provides 3.12.13, so `uv sync` tried to download the exact managed CPython from GitHub, which Socket Firewall's TLS interception blocked (UnknownIssuer). Set UV_PYTHON=3.12 + UV_PYTHON_DOWNLOADS=never so uv uses the runner interpreter and only PyPI package fetches route through sfw. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
lelia
changed the title
lelia
changed the title
lelia
changed the title
Tighten the enterprise-mode gate to author_association OWNER/MEMBER only. Outside collaborators (COLLABORATOR) now fall through to the free edition, same as Dependabot / forks / external contributors. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
8 tasks
…TOKEN Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Resolve zizmor secrets-outside-env (medium) without suppressing it. Split the single mode-switching smoke job into two: - python-sfw-smoke-free: untrusted PRs (Dependabot, forks, outside collaborators, externals). Anonymous free edition, never references the token. - python-sfw-smoke-enterprise: SocketDev org members (OWNER/MEMBER) on an in-repo PR. Authenticated enterprise edition; SOCKET_SFW_API_TOKEN is scoped to the `socket-firewall` GitHub environment, so only this job can read it. inspect now classifies PR trust (author_association OWNER/MEMBER, non-fork, non-Dependabot) and references no secret. No required-reviewer protection on the environment, so trusted dep PRs still run automatically. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…ot author_association author_association only reflects PUBLIC org membership, so private members (the common case here) show as CONTRIBUTOR and were misclassified -> the enterprise job always skipped. Switch the trust gate to "non-fork PR and not Dependabot": only accounts with write access can push an in-repo branch, the same boundary GitHub uses for secret exposure. No read:org token needed. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
… scrape Match socket-python-cli: discover the firewall report via the $SFW_JSON_REPORT_PATH env var that socketdev/action exports, instead of parsing the 'sfw report written to:' line out of stdout. The two sync steps return to plain 'set -o pipefail' + tee. A new 'Collect SFW JSON report' step (if: always(), before each upload) copies $SFW_JSON_REPORT_PATH into sfw-artifacts/sfw-report.json -- copy, not move, since socketdev/action's post step reads that temp path for its job summary -- and drops a sfw-report-missing.txt breadcrumb when absent. More robust than scraping an undocumented log string, and keeps the report-capture pattern uniform across both repos. Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Mirrors the Dependabot hardening done in
socket-python-cli(#207 / #217 / #218), adapted to this SDK (no Dockerfile, no e2e fixtures,hatch/pipbuild path), and extended so the Socket Firewall guardrail covers maintainer PRs, not just Dependabot. Three threads:Dependencies (supersedes 4 Dependabot PRs)
All four are transitive build/dev deps; runtime deps (
requests,typing-extensions) are unchanged. Targeteduv lockupgrades only — no unrelated churn. The 4 Dependabot PRs were closed manually (GitHub closing keywords only close issues, not PRs).Dependency review (
.github/workflows/dependency-review.yml)On every PR: inspect changed files, then run a Socket Firewall (
sfw uv sync --locked) + import-smoke job when Python deps change. The firewall edition is chosen per-PR ininspect:firewall-enterprise+socket-token) — for a trusted SocketDev member (author_association∈ OWNER/MEMBER/COLLABORATOR) on an in-repo (non-fork) PR, whenSOCKET_SFW_API_TOKENis present. Full org-policy enforcement.firewall-free, anonymous, no token) — Dependabot, forks, external contributors, or whenever the token is absent. Safe in the unprivilegedpull_requestcontext (nopull_request_target, no secret-leak surface).The mode degrades to free whenever the token is missing, so this is safe to ship today and auto-upgrades to enterprise once the secret exists — no follow-up PR needed.
Verified live on this PR:
inspect→firewall-free(no token yet) →python-sfw-smokeinstalls Socket Firewall Free v1.12.0 and runssfw uv sync+ import smoke successfully.Dependabot config + workflow skips
.github/dependabot.yml(new). Grouped (minor/patch + separate major), 7-day cooldown;uv+github-actions(scanning/.github/workflowsand/.github/actions/*). Nodockerecosystem — no Dockerfile here.version-check.ymlskips Dependabot PRs (dep bumps carry no package-version bump).pr-preview.ymlskips Dependabot + fork PRs and gains concurrency cancellation.Workflow cleanup
.github/actions/setup-sfw(now parameterized withmode+socket-token) and.github/actions/setup-hatchcomposite actions.pr-preview.ymlandrelease.ymlusesetup-hatchto de-duplicate the pinnedvirtualenv/hatchling/hatchinstall.Test plan
Automated (local + CI, all green):
uv lock --locked;uv sync --locked --extra test --extra devpytest tests/unit— 102 passed, 1 skippedactionlinton all workflows; YAML parse on all.githubfilesinspect,python-sfw-smoke(free mode),workflow-notice,check_version,previewall passPending:
python-sfw-smokeinfirewall-enterprisemodefirewall-free; Version Check + PR Preview show skipped