
ENG-9212: integration socket.dev in OSS integration tests#6280

Merged
masenf merged 14 commits into main from masenf/socket-dev-scan
Apr 7, 2026

Conversation

@masenf
Collaborator

@masenf masenf commented Apr 3, 2026

No description provided.

@linear

linear bot commented Apr 3, 2026

@codspeed-hq

codspeed-hq bot commented Apr 3, 2026

Merging this PR will not alter performance

✅ 9 untouched benchmarks


Comparing masenf/socket-dev-scan (fc78cb5) with main (8edcb7b)


@greptile-apps
Contributor

greptile-apps bot commented Apr 3, 2026

Greptile Summary

This PR integrates Socket.dev supply-chain security scanning into the reflex-web integration test job by installing the sfw (Socket FireWall) CLI via SocketDev/action@v1.3.1, wrapping npm and bun invocations through sfw, and scanning Python dependency installation with sfw uv pip install.

Key changes:

  • Adds SocketDev/action@v1.3.1 (firewall-free mode) as a new step in the reflex-web job
  • Creates bash wrapper scripts for npm and bun in $RUNNER_TEMP/sfw-wrappers/ to route calls through sfw
  • Prefixes Python requirements installation with sfw to scan for supply-chain threats
  • Prepends the wrapper directory to PATH in the "Run Website and Check for errors" step via a step-level env: block

Issues found:

  • Critical: ${{ env.PATH }} evaluates to an empty string because the GitHub Actions env context only reflects variables defined in env: blocks, not the system PATH. This replaces the entire PATH with just the wrappers directory, breaking the step. The fix is to use echo "$RUNNER_TEMP/sfw-wrappers" >> "$GITHUB_PATH" in the wrapper-creation step instead.
  • Minor: npm/bun calls during reflex init are not intercepted by sfw since the wrappers are not on PATH at that point.
  • Minor: SocketDev/action@v1.3.1 uses a mutable tag rather than a pinned commit SHA.

Confidence Score: 3/5

Not safe to merge — the PATH construction will break the 'Run Website and Check for errors' step, replacing the system PATH with only the sfw-wrappers directory.

There is a P1 defect in the PATH manipulation: ${{ env.PATH }} is empty in the GitHub Actions env context (PATH is not defined in any env: block), so the step's PATH becomes only $RUNNER_TEMP/sfw-wrappers:, which will cause uv run and other tools to be unfindable. This is a current, definite breakage on the changed path.

.github/workflows/integration_tests.yml — specifically the env: PATH: block at the 'Run Website and Check for errors' step (lines 159–160)

Important Files Changed

Filename: .github/workflows/integration_tests.yml
Overview: Integrates Socket.dev firewall into the reflex-web CI job; the ${{ env.PATH }} expression in the step-level env block evaluates to an empty string (system PATH is not in the GitHub Actions env context), which would replace the entire PATH with only the sfw-wrappers directory and break the step.

Sequence Diagram

sequenceDiagram
    participant GHA as GitHub Actions Runner
    participant Socket as SocketDev/action (sfw)
    participant UV as uv / pip
    participant NPM as npm (via sfw wrapper)
    participant Reflex as reflex init / integration.sh

    GHA->>Socket: Install sfw binary (firewall-free mode)
    GHA->>GHA: Create npm & bun wrapper scripts in $RUNNER_TEMP/sfw-wrappers/
    GHA->>UV: sfw uv pip install -r requirements.txt
    UV-->>Socket: Dependency scan (Python packages)
    Socket-->>GHA: Allow / Block packages
    GHA->>Reflex: uv run reflex init (npm NOT intercepted — wrappers not on PATH)
    GHA->>GHA: Set env PATH=$RUNNER_TEMP/sfw-wrappers:${{env.PATH}}
    Note over GHA: env.PATH is empty → system PATH lost
    GHA->>NPM: which npm && npm -v (resolves to sfw wrapper)
    NPM-->>Socket: npm calls intercepted by sfw
    GHA->>Reflex: uv run integration.sh (uv not found if PATH broken)

Reviews (1): Last reviewed commit: "ENG-9212: integration socket.dev in OSS ..." | Re-trigger Greptile
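The wrapper-and-PATH arrangement the Greptile comment describes, written out as an added illustration that is not code from the PR, the reflex project, or Socket.dev: it creates npm and bun shims that hand each call to sfw, and registers the shim directory through the $GITHUB_PATH file (the mechanism the comment recommends) instead of rebuilding PATH from ${{ env.PATH }}. It assumes sfw is invoked as `sfw <tool> <args...>`, as the "sfw uv pip install" invocation in the summary implies; the helper names, the strip-the-shim-directory step inside each shim, and the second argument to register_wrapper_dir are this example's own additions.

```shell
#!/usr/bin/env bash
# Added example, not code from the reflex project or the PR: builds npm/bun
# shims that route through `sfw`, and registers the shim directory via the
# $GITHUB_PATH file rather than by rebuilding PATH from ${{ env.PATH }}.
# Assumption: sfw is invoked as `sfw <tool> <args...>`, as the PR summary
# ("sfw uv pip install") implies.
set -eu

# Remove one directory from a colon-separated PATH-like string.
# The generated shims apply the same idea so that `sfw npm` resolves the real
# npm instead of recursing into the shim that is first on PATH.
strip_dir_from_path() {
  dir="$1"; path="$2"; out=""
  oldifs="$IFS"; IFS=':'
  for entry in $path; do
    [ "$entry" = "$dir" ] && continue
    out="${out:+$out:}$entry"
  done
  IFS="$oldifs"
  printf '%s' "$out"
}

# Write an executable shim for each named tool into the directory given as $1.
make_sfw_wrappers() {
  wrapper_dir="$1"; shift
  mkdir -p "$wrapper_dir"
  for tool in "$@"; do
    cat > "$wrapper_dir/$tool" <<EOF
#!/usr/bin/env bash
# sfw shim for $tool: drop the shim directory from PATH so sfw finds the real
# $tool rather than this file, then hand the call to sfw.
set -eu
shim_dir="\$(cd "\$(dirname "\$0")" && pwd)"
PATH="\$(printf '%s' "\$PATH" | tr ':' '\n' | grep -vxF "\$shim_dir" | paste -sd: -)"
export PATH
exec sfw $tool "\$@"
EOF
    chmod +x "$wrapper_dir/$tool"
  done
}

# Register the shim directory for later steps the way Actions supports: every
# line appended to $GITHUB_PATH is prepended to PATH in subsequent steps, with
# the runner's own PATH kept intact. $2 lets a caller point at a different
# file (used here so the example runs outside Actions).
register_wrapper_dir() {
  wrapper_dir="$1"; github_path_file="${2:-$GITHUB_PATH}"
  printf '%s\n' "$wrapper_dir" >> "$github_path_file"
}

# Usage with constructed paths; in the workflow, $RUNNER_TEMP and $GITHUB_PATH
# are supplied by the runner.
demo_dir="$(mktemp -d)"
make_sfw_wrappers "$demo_dir/sfw-wrappers" npm bun
register_wrapper_dir "$demo_dir/sfw-wrappers" "$demo_dir/github_path"
```

Two points worth keeping in mind when reading it against the PR: the shim directory only takes effect for steps that run after the step that appended to $GITHUB_PATH, which is exactly why the comment notes that npm calls made during reflex init are not intercepted; and the shims strip their own directory from PATH before calling sfw, since a shim named npm that sits first on PATH would otherwise be what sfw finds when it looks for npm.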

@Alek99 Alek99 self-requested a review April 6, 2026 23:58
@masenf masenf merged commit 57b30bc into main Apr 7, 2026
40 checks passed
@masenf masenf deleted the masenf/socket-dev-scan branch April 7, 2026 16:45