Skip to content

Socket integration does not execute on SHA-pinned GitHub Action bump #550

Description

@mattaereal

Type of request

  • Strategy (planning, high-level discussions, roadmap)
  • Tech (infrastructure, tooling, tech stack)
  • Other

Why are you raising this issue?

I still don't know exactly why, but this is happening. Checks run, but skip the scan, #540 is an example.

I ping-ponged with AI and the potential solution was something like this below, but not sure yet, it does not quite convince me.

name: Socket fallback - GitHub Actions dependencies

on:
  pull_request:
    types: [opened, synchronize, reopened]
  merge_group:

permissions:
  contents: read
  pull-requests: read

concurrency:
  group: socket-gha-fallback-${{ github.event.pull_request.number || github.sha }}
  cancel-in-progress: true

jobs:
  socket-gha-fallback:
    name: Socket fallback: GitHub Actions deps
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Decide whether fallback applies
        id: scope
        shell: bash
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          set -euo pipefail

          if [ -z "${BASE_SHA:-}" ] || [ -z "${HEAD_SHA:-}" ]; then
            echo "run_socket=false" >> "$GITHUB_OUTPUT"
            echo "reason=not a pull_request event" >> "$GITHUB_OUTPUT"
            exit 0
          fi

          # Run only when a GitHub Actions dependency ref changed.
          if git diff -U0 "$BASE_SHA" "$HEAD_SHA" -- '.github/workflows/*.yml' '.github/workflows/*.yaml' |
               grep -Eq '^[+-][[:space:]]*uses:[[:space:]][^[:space:]#]+@[^[:space:]#]+'; then
            echo "run_socket=true" >> "$GITHUB_OUTPUT"
            echo "reason=workflow uses ref changed" >> "$GITHUB_OUTPUT"
          else
            echo "run_socket=false" >> "$GITHUB_OUTPUT"
            echo "reason=no GitHub Actions uses ref changed" >> "$GITHUB_OUTPUT"
          fi

      - uses: actions/setup-python@v5
        if: steps.scope.outputs.run_socket == 'true'
        with:
          python-version: "3.12"

      - name: Install Socket CLI
        if: steps.scope.outputs.run_socket == 'true'
        run: |
          python -m pip install --upgrade pip
          python -m pip install 'socketsecurity==2.4.18'

      - name: Run Socket scan for GitHub Actions workflow deps only
        if: steps.scope.outputs.run_socket == 'true'
        env:
          SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }}
          GH_API_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number || 0 }}
        run: |
          set -euo pipefail

          if [ -z "${SOCKET_SECURITY_API_KEY:-}" ]; then
            echo "SOCKET_SECURITY_API_KEY is unavailable."
            echo "For Dependabot PRs, add SOCKET_SECURITY_API_KEY as both an Actions secret and a Dependabot secret."
            exit 1
          fi

          socketcli \
            --api-token "$SOCKET_SECURITY_API_KEY" \
            --target-path "$GITHUB_WORKSPACE" \
            --sub-path ".github/workflows" \
            --workspace-name "github-actions" \
            --scm github \
            --pr-number "$PR_NUMBER"

Why do you think it is important?

We shouldn't miss on these.

Can you justify your argument or provide additional resources?

The checks speak for themselves:
✅ Pull request contains no net changes to dependencies:
Pull request alerts notify when new issues are detected between the diff of the pull request and it's target branch.

Contribution intent

  • I can work on implementing this
  • I'm raising this for discussion/someone else to handle

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

Fields

No fields configured for Bug.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions