chore(tools): add external-tools.json with fleet-canonical schema#613
Merged
John-David Dalton (jdalton) merged 3 commits intomainfrom Apr 24, 2026
Merged
chore(tools): add external-tools.json with fleet-canonical schema#613John-David Dalton (jdalton) merged 3 commits intomainfrom
John-David Dalton (jdalton) merged 3 commits intomainfrom
Conversation
Ships the fleet's canonical external-tools manifest so socket-cli validates against the same schema every other repo does: https://raw.githubusercontent.com/SocketDev/socket-btm/main/packages/build-infra/lib/external-tools-schema.json `tools` map covers the universal build prerequisites — git, node, pnpm, gh — plus the CI-only security tooling (zizmor, sfw-free, sfw-enterprise) with sha256-verified checksums pulled from socket-registry's pinned entries. Each entry carries both human-facing fields (description, version, notes — for doctor-style reporting) and machine- verify fields (repository, release, checksums — for CI download+verify). One file drives both surfaces. No workflow changes here. The schema file is consumed by: - editors / schema-aware validators (via the $schema URL) - future setup-and-install actions that want to pin pnpm/zizmor/sfw the same way socket-registry does - a future `doctor` command that reads the tools map to report what's installed vs expected
Contributor
Author
|
Bill Li (@billxinli) James Tu (@jmsjtu) review bump — this adds |
Bill Li (billxinli)
approved these changes
Apr 24, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Ships
external-tools.jsonat the repo root using the fleet's canonical schema:https://raw.githubusercontent.com/SocketDev/socket-btm/main/packages/build-infra/lib/external-tools-schema.json
The
tools:map covers the universal build prerequisites the repo uses — git, node, pnpm, gh — plus the CI-only security tooling (zizmor, sfw-free, sfw-enterprise) with sha256-verified checksums pulled fromsocket-registry's pinned entries.Each entry carries both human-facing fields (
description,version,notes— for doctor-style reporting) and machine-verify fields (repository,release,checksums— for CI download+verify). One file drives both surfaces.Why this shape
$schemapoints at the socket-btm-hosted JSON Schema that every fleet repo validates against. Editors + CI validators pick up the single source of truth.tools:wrapper: matchessocket-packageurl-js,socket-sdxgen, and everysocket-btm/packages/*/external-tools.json. (socket-registry currently uses the flat shape for its active CI tooling; that can converge later.)external-tools.jsonso a future composite action in this repo can download + verify pnpm / zizmor / sfw the same way.What this PR does NOT change
$schemaURL)doctorcommand that reads the tools map to report what's installed vs expectedTest plan
$schemaURL resolves in a schema-aware editor (VS Code JSON language server picks it up)jq .tools.pnpm.version external-tools.jsonreturns the pinned version