
feat(ci): add setup-and-install reusable workflow + native zizmor#23

Open
John-David Dalton (jdalton) wants to merge 1 commit into master from feat/setup-and-install-workflow

Conversation

John-David Dalton (jdalton), Contributor, commented Apr 8, 2026

Summary

Adds a setup-and-install reusable workflow (split into separate composite actions) and replaces pip install zizmor with a native binary download.

New: Composite actions

Split into the same structure as socket-registry:

  • .github/actions/setup — pnpm, Node.js, sfw download + shims
  • .github/actions/install — pnpm install with sfw guard
  • .github/actions/setup-and-install — aggregate: checkout + setup + install

New: setup-and-install.yml reusable workflow

A thin wrapper that gives any repo a complete CI environment in one line:

jobs:
  build:
    uses: SocketDev/workflows/.github/workflows/setup-and-install.yml@<sha> # pinned
    with:
      node-version: '24'
    secrets:
      SOCKET_API_KEY: ${{ secrets.SOCKET_API_KEY }}

What it sets up:

  1. pnpm v10.33.0 — standalone native binary, checksum-verified
  2. Node.js — via actions/setup-node
  3. Socket firewall — sfw-enterprise (when SOCKET_API_KEY is provided) or sfw-free (default), with shims for supported ecosystems

Wrapper mode ecosystems (sfw-free):

  • JavaScript/TypeScript: npm, yarn, pnpm
  • Python: pip, uv
  • Rust: cargo

Additional wrapper mode ecosystems (sfw-enterprise):

  • Ruby: gem, bundler
  • .NET: nuget
  • Go: go (Linux only)

  1. pnpm install — dependencies installed through the firewall
  2. sfw guard — fails fast if sfw binary is not installed

Changed: audit-gha-workflows.yml

Replaced pip install zizmor==1.23.1 with a direct download of the zizmor native binary. No Python/pip dependency, SHA-256 checksum-verified. Also switched secrets.GITHUB_TOKEN → github.token.

Design

No Docker, no Python, no npm needed to bootstrap. Every binary (pnpm, sfw, zizmor) follows the same pattern: download from GitHub releases, verify SHA-256 checksum, put on PATH. Only two third-party actions: actions/checkout and actions/setup-node, both pinned to commit SHAs.

Binary checksums (SHA-256)

pnpm v10.33.0

  Platform        Checksum
  linux-x64       8d4e8f7d778e8ac482022e2577011706a872542f6f6f233e795a4d9f978ea8b5
  linux-arm64     06755ad2817548b84317d857d5c8003dc6e9e28416a3ea7467256c49ab400d48
  macos-x64       c31e29554b0e3f4e03f4617195c949595e4dca36085922003de4896c3ca4057d
  macos-arm64     ed8a1f140f4de457b01ebe0be3ae28e9a7e28863315dcd53d22ff1e5a32d63ae
  windows-x64     afc96009dc39fe23a835d65192049e6a995f342496b175585dc2beda7d42d33f

sfw-free v1.6.1

  Platform        Checksum
  linux-x86_64    4a1e8b65e90fce7d5fd066cf0af6c93d512065fa4222a475c8d959a6bc14b9ff
  linux-arm64     df2eedb2daf2572eee047adb8bfd81c9069edcb200fc7d3710fca98ec3ca81a1
  macos-x86_64    724ccea19d847b79db8cc8e38f5f18ce2dd32336007f42b11bed7d2e5f4a2566
  macos-arm64     bf1616fc44ac49f1cb2067fedfa127a3ae65d6ec6d634efbb3098cfa355e5555
  windows-x86_64  c953e62ad7928d4d8f2302f5737884ea1a757babc26bed6a42b9b6b68a5d54af

sfw-enterprise v1.6.1

  Platform        Checksum
  linux-x86_64    9115b4ca8021eb173eb9e9c3627deb7f1066f8debd48c5c9d9f3caabb2a26a4b
  linux-arm64     671270231617142404a1564e52672f79b806f9df3f232fcc7606329c0246da55
  macos-x86_64    01d64d40effda35c31f8d8ee1fed1388aac0a11aba40d47fba8a36024b77500c
  macos-arm64     acad0b517601bb7408e2e611c9226f47dcccbd83333d7fc5157f1d32ed2b953d
  windows-x86_64  9a50e1ddaf038138c3f85418dc5df0113bbe6fc884f5abe158beaa9aea18d70a

zizmor v1.23.1

  Platform        Checksum
  linux-x86_64    67a8df0a14352dd81882e14876653d097b99b0f4f6b6fe798edc0320cff27aff
  linux-arm64     3725d7cd7102e4d70827186389f7d5930b6878232930d0a3eb058d7e5b47e658
  macos-x86_64    89d5ed42081dd9d0433a10b7545fac42b35f1f030885c278b9712b32c66f2597
  macos-arm64     2632561b974c69f952258c1ab4b7432d5c7f92e555704155c3ac28a2910bd717
  windows-x86_64  33c2293ff02834720dd7cd8b47348aafb2e95a19bdc993c0ecaca9c804ade92a

Test plan

  • zizmor audit passes in CI (no pip required)
  • setup-and-install workflow can be called from another repo
  • sfw shims wrap all package managers (free: 6, enterprise: 10)
  • sfw guard fails fast if setup action was not run
  • Enterprise mode activates when SOCKET_API_KEY secret is provided

Add setup-and-install reusable workflow and composite actions (setup,
install, setup-and-install) matching the socket-registry action
structure.

setup-and-install provides a complete CI environment in one call:
  - pnpm v10.33.0 (native binary, checksum-verified)
  - Node.js 25.9.0 (via actions/setup-node)
  - Socket firewall shims (npm, yarn, pnpm, pip, uv, cargo)
  - pnpm install with sfw guard

When SOCKET_API_KEY is set, downloads sfw-enterprise from
SocketDev/firewall-release with expanded wrapper-mode ecosystems
(gem, bundler, nuget, go on Linux). Otherwise uses sfw-free.

audit-gha-workflows.yml now downloads zizmor v1.23.1 as a native
binary instead of pip install. No Python dependency needed.

All binary downloads are SHA-256 checksum-verified. Handles Linux,
macOS, and Windows (sha256sum/shasum fallback, backslash stripping,
pnpm.exe copy, MSYS path conversion).
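The "verify SHA-256 checksum, put on PATH" half of the download pattern that the description and commit message refer to, as an added example in POSIX shell. This is not code from the PR or from the SocketDev/workflows repository: it assumes the artifact has already been fetched to a local file (the GitHub release download is left out so the script runs offline), and the tool name `mytool`, the constructed input file and its digest, and the `GITHUB_PATH` handling are this example's own choices. It shows the sha256sum/shasum fallback and backslash stripping the commit message mentions, and the fail-fast behaviour a verification step needs: a mismatch deletes the file rather than leaving it where a later step could put it on PATH.

```shell
#!/bin/sh
# Added example, not code from the PR: the "verify SHA-256 checksum, then put
# on PATH" half of the pattern the PR applies to pnpm, sfw and zizmor.
# Assumes the artifact is already on disk (the GitHub release download is
# left out so this runs offline). Tool name and digest below are constructed.

# sha256_of FILE: print the hex digest, using sha256sum (Linux, MSYS) or
# shasum -a 256 (macOS). MSYS sha256sum may prefix its output with a
# backslash when the path needs escaping, so strip any backslash first.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1 | tr -d '\\'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1 | tr -d '\\'
  else
    echo "error: neither sha256sum nor shasum is available" >&2
    return 2
  fi
}

# verify_checksum FILE EXPECTED: return 0 on match. On mismatch the file is
# removed and 1 is returned, so a tampered or truncated download is never
# left behind for a later step to install. EXPECTED is case-insensitive.
verify_checksum() {
  expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  actual=$(sha256_of "$1") || return 2
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "error: checksum mismatch for $1" >&2
  echo "  expected $expected" >&2
  echo "  actual   $actual" >&2
  rm -f "$1"
  return 1
}

# install_verified SRC DEST_DIR NAME EXPECTED: verify SRC, then install it as
# DEST_DIR/NAME (executable) and put DEST_DIR on PATH. Inside GitHub Actions
# a directory is exported to later steps by appending it to $GITHUB_PATH;
# outside Actions this just updates PATH for the current shell.
install_verified() {
  verify_checksum "$1" "$4" || return $?
  mkdir -p "$2"
  cp "$1" "$2/$3"
  chmod +x "$2/$3"
  if [ -n "${GITHUB_PATH:-}" ]; then
    echo "$2" >> "$GITHUB_PATH"
  else
    PATH="$2:$PATH"
    export PATH
  fi
}

# Demo on a constructed artifact: a file containing "hello\n", whose SHA-256
# is 5891b5b5...be03. Run as: sh this_script.sh --demo
demo() {
  work=$(mktemp -d)
  printf 'hello\n' > "$work/mytool.download"
  install_verified "$work/mytool.download" "$work/bin" mytool \
    5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 \
    && echo "installed mytool into $work/bin"
  rm -rf "$work"
}

if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

The pinned digest is compared only after the tool output has been normalised (first field, backslash removed, lower-cased), which is what makes the same function behave identically under Linux sha256sum, macOS shasum and MSYS on a Windows runner.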

John-David Dalton (jdalton) force-pushed the feat/setup-and-install-workflow branch from 4e56d28 to 13c9f6c on April 9, 2026 17:34