
feat(ci): add sfw-enterprise support and publish-without-sfw escape hatch#1181

Merged
John-David Dalton (jdalton) merged 5 commits into v1.x from chore/v1x-sfw-enterprise-support
Apr 9, 2026

Conversation


@jdalton John-David Dalton (jdalton) commented Apr 9, 2026

Summary

Backport of sfw-enterprise support to v1.x inline workflows.

  • When SOCKET_API_KEY secret is set, downloads sfw-enterprise from SocketDev/firewall-release instead of sfw-free
  • Enterprise shims include additional wrapper mode ecosystems: gem, bundler, nuget, go (Linux only)
  • SSL workaround (GIT_SSL_NO_VERIFY) only applied for sfw-free
  • Adds publish-without-sfw escape hatch to provenance workflow — strips shims before publish, restores after
  • Applied to all 4 sfw blocks (ci.yml lint/typecheck/test + provenance.yml build)

Test plan

  • CI passes with no SOCKET_API_KEY set (sfw-free path, current behavior)
  • Enterprise path activates when SOCKET_API_KEY repo secret is configured
  • publish-without-sfw checkbox bypasses shims during publish

Note

Medium Risk
Modifies CI and release workflows to conditionally download and run different firewall binaries based on a repository secret and to optionally bypass shims during npm publishing; mistakes could break builds/publishes or change supply-chain scanning coverage.

Overview
Updates GitHub Actions workflows to download sfw from either SocketDev/sfw-free or SocketDev/firewall-release depending on whether SOCKET_API_KEY is present, and exports SFW_IS_ENTERPRISE to drive behavior.

In CI, shim generation now expands the wrapped commands for enterprise (adds gem, bundler, nuget, and go on Linux) and only applies the GIT_SSL_NO_VERIFY workaround for the free variant.

In provenance.yml, adds a publish-without-sfw input that temporarily strips the sfw shim directory from PATH for npm publish, then restores the original PATH afterward.

Reviewed by Cursor Bugbot for commit 976cb5d.
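The following shell example is added here and is not code from the project or this PR. It simulates the publish-without-sfw escape hatch with a constructed shim directory (`sfw-shims`, a stand-in for `SFW_SHIM_DIR`) and shows the check a publisher wants before running `npm publish`: that `npm` actually resolves to a binary outside the shim directory, both when the PATH string is filtered and when the directory is renamed on disk.

```shell
#!/bin/sh
# Added example, not the project's code. Models the strip/restore steps of the
# publish-without-sfw escape hatch against a constructed shim directory.

# Return a PATH string with one directory removed (the string-filtering approach
# of the original GITHUB_ENV-based step; it only affects the PATH value we hold).
path_without_dir() {
  # $1 = directory to drop, $2 = PATH string to filter
  printf '%s\n' "$2" | tr ':' '\n' | grep -vxF "$1" | paste -sd: -
}

# Succeed only when command $1 resolves to a file NOT under shim directory $2
# when looked up with PATH string $3. This is the pre-publish check.
resolves_outside_shim() {
  resolved="$(PATH="$3"; export PATH; command -v "$1")" || return 1
  case "$resolved" in
    "$2"/*) return 1 ;;
    *)      return 0 ;;
  esac
}

# Walk through strip and restore on a constructed layout; return 0 if every
# stage behaves as the workflow intends.
demo_strip_restore() {
  tmp="$(mktemp -d)" || return 1
  shim="$tmp/sfw-shims"; real="$tmp/real-bin"      # constructed sample dirs
  mkdir -p "$shim" "$real"
  printf '#!/bin/sh\necho shim\n' > "$shim/npm"    # wrapper, like an sfw shim
  printf '#!/bin/sh\necho real\n' > "$real/npm"    # the real binary
  chmod +x "$shim/npm" "$real/npm"
  p="$shim:$real"                                  # shim dir prepended to PATH

  # 1. With the shim dir on PATH, npm must resolve to the shim.
  resolves_outside_shim npm "$shim" "$p" && { rm -rf "$tmp"; return 1; }
  # 2. Filtering the PATH string works for a PATH value we control.
  stripped="$(path_without_dir "$shim" "$p")"
  resolves_outside_shim npm "$shim" "$stripped" || { rm -rf "$tmp"; return 1; }
  # 3. Renaming the directory works even when PATH is left untouched.
  mv "$shim" "$shim.disabled"
  resolves_outside_shim npm "$shim" "$p" || { rm -rf "$tmp"; return 1; }
  # 4. Restoring the directory (the post-publish step) re-enables the shim.
  mv "$shim.disabled" "$shim"
  resolves_outside_shim npm "$shim" "$p" && { rm -rf "$tmp"; return 1; }
  rm -rf "$tmp"
  return 0
}
```

Stage 2 passes only because the example controls the PATH value itself; in a runner where a later step re-prepends the shim directory, only the rename in stage 3 holds.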

…atch

When SOCKET_API_KEY is set, downloads sfw-enterprise from
SocketDev/firewall-release instead of sfw-free. Enterprise shims
include additional ecosystems (gem, bundler, nuget, go on Linux).
SSL workaround only applies to sfw-free.

Adds publish-without-sfw input to provenance workflow to bypass
firewall shims during publishing.

@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


Bugbot Autofix prepared a fix for the issue found in the latest run.

  • ✅ Fixed: PATH stripping via GITHUB_ENV cannot override GITHUB_PATH
    • Replaced the ineffective GITHUB_ENV PATH override with renaming the shim directory on disk (mv to .disabled), which reliably removes shims from PATH resolution regardless of GITHUB_PATH precedence.

Preview (fa4f89be6d)
diff --git a/.github/workflows/provenance.yml b/.github/workflows/provenance.yml
--- a/.github/workflows/provenance.yml
+++ b/.github/workflows/provenance.yml
@@ -190,12 +190,10 @@
 
       - name: Strip sfw shims for publishing
         if: inputs.publish-without-sfw == true
-        run: | # zizmor: ignore[github-env]
+        run: |
           echo "Bypassing Socket firewall shims for publishing"
-          echo "SFW_ORIGINAL_PATH=$PATH" >> "${GITHUB_ENV:-/dev/null}"
-          if [ -n "$SFW_SHIM_DIR" ]; then
-            CLEAN_PATH="$(echo "$PATH" | tr ':' '\n' | grep -vxF "$SFW_SHIM_DIR" | paste -sd: -)"
-            echo "PATH=$CLEAN_PATH" >> "${GITHUB_ENV:-/dev/null}"
+          if [ -n "$SFW_SHIM_DIR" ] && [ -d "$SFW_SHIM_DIR" ]; then
+            mv "$SFW_SHIM_DIR" "${SFW_SHIM_DIR}.disabled"
           fi
 
       - run: INLINED_SOCKET_CLI_PUBLISHED_BUILD=1 pnpm run build:dist
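Review bot: the strip step renames the shim directory but never verifies that the bypass took effect, so a leftover `${SFW_SHIM_DIR}.disabled` from an earlier run on a self-hosted runner (into which `mv` would silently nest the directory) or a second shim copy elsewhere on PATH would go unnoticed and publish would still run through the shims. Add a check after the `mv`, for example `case "$(command -v npm)" in "$SFW_SHIM_DIR"/*) echo "sfw shim still active" >&2; exit 1;; esac`. Dropping the `zizmor: ignore[github-env]` annotation is correct now that the step no longer writes to GITHUB_ENV.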
@@ -225,7 +223,7 @@
           SOCKET_CLI_DEBUG: ${{ inputs.debug }}
       - name: Restore sfw shims after publishing
         if: inputs.publish-without-sfw == true && always()
-        run: | # zizmor: ignore[github-env]
-          if [ -n "$SFW_ORIGINAL_PATH" ]; then
-            echo "PATH=$SFW_ORIGINAL_PATH" >> "${GITHUB_ENV:-/dev/null}"
+        run: |
+          if [ -n "$SFW_SHIM_DIR" ] && [ -d "${SFW_SHIM_DIR}.disabled" ]; then
+            mv "${SFW_SHIM_DIR}.disabled" "$SFW_SHIM_DIR"
           fi
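Review bot: the restore step's `mv "${SFW_SHIM_DIR}.disabled" "$SFW_SHIM_DIR"` has no guard against `$SFW_SHIM_DIR` existing again; if any step between strip and restore recreated the directory, `mv` would move `.disabled` inside it instead of failing, leaving a broken shim layout. Add `&& [ ! -e "$SFW_SHIM_DIR" ]` to the condition, or fail loudly when the target already exists. The `always()` guard is right, since the shims should come back even when publish fails.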


Writing PATH to GITHUB_ENV doesn't work because GITHUB_PATH entries
are always prepended by the runner after GITHUB_ENV is applied
(actions/toolkit#655). Rename shim files to .disabled instead so
real binaries resolve from PATH naturally.
@jdalton John-David Dalton (jdalton) enabled auto-merge (squash) April 9, 2026 21:47
@jdalton John-David Dalton (jdalton) merged commit e4fe86a into v1.x Apr 9, 2026
12 checks passed
@jdalton John-David Dalton (jdalton) deleted the chore/v1x-sfw-enterprise-support branch April 9, 2026 21:57