Type of request
Why are you raising this issue?
I still don't know exactly why, but this is happening. Checks run, but skip the scan, #540 is an example.
I ping-ponged with AI and the potential solution was something like this below, but not sure yet, it does not quite convince me.
name: Socket fallback - GitHub Actions dependencies
on:
pull_request:
types: [opened, synchronize, reopened]
merge_group:
permissions:
contents: read
pull-requests: read
concurrency:
group: socket-gha-fallback-${{ github.event.pull_request.number || github.sha }}
cancel-in-progress: true
jobs:
socket-gha-fallback:
name: Socket fallback: GitHub Actions deps
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false
- name: Decide whether fallback applies
id: scope
shell: bash
env:
BASE_SHA: ${{ github.event.pull_request.base.sha }}
HEAD_SHA: ${{ github.event.pull_request.head.sha }}
run: |
set -euo pipefail
if [ -z "${BASE_SHA:-}" ] || [ -z "${HEAD_SHA:-}" ]; then
echo "run_socket=false" >> "$GITHUB_OUTPUT"
echo "reason=not a pull_request event" >> "$GITHUB_OUTPUT"
exit 0
fi
# Run only when a GitHub Actions dependency ref changed.
if git diff -U0 "$BASE_SHA" "$HEAD_SHA" -- '.github/workflows/*.yml' '.github/workflows/*.yaml' |
grep -Eq '^[+-][[:space:]]*uses:[[:space:]][^[:space:]#]+@[^[:space:]#]+'; then
echo "run_socket=true" >> "$GITHUB_OUTPUT"
echo "reason=workflow uses ref changed" >> "$GITHUB_OUTPUT"
else
echo "run_socket=false" >> "$GITHUB_OUTPUT"
echo "reason=no GitHub Actions uses ref changed" >> "$GITHUB_OUTPUT"
fi
- uses: actions/setup-python@v5
if: steps.scope.outputs.run_socket == 'true'
with:
python-version: "3.12"
- name: Install Socket CLI
if: steps.scope.outputs.run_socket == 'true'
run: |
python -m pip install --upgrade pip
python -m pip install 'socketsecurity==2.4.18'
- name: Run Socket scan for GitHub Actions workflow deps only
if: steps.scope.outputs.run_socket == 'true'
env:
SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }}
GH_API_TOKEN: ${{ github.token }}
PR_NUMBER: ${{ github.event.pull_request.number || 0 }}
run: |
set -euo pipefail
if [ -z "${SOCKET_SECURITY_API_KEY:-}" ]; then
echo "SOCKET_SECURITY_API_KEY is unavailable."
echo "For Dependabot PRs, add SOCKET_SECURITY_API_KEY as both an Actions secret and a Dependabot secret."
exit 1
fi
socketcli \
--api-token "$SOCKET_SECURITY_API_KEY" \
--target-path "$GITHUB_WORKSPACE" \
--sub-path ".github/workflows" \
--workspace-name "github-actions" \
--scm github \
--pr-number "$PR_NUMBER"
Why do you think it is important?
We shouldn't miss on these.
Can you justify your argument or provide additional resources?
The checks speak for themselves:
✅ Pull request contains no net changes to dependencies:
Pull request alerts notify when new issues are detected between the diff of the pull request and it's target branch.
Contribution intent
Type of request
Why are you raising this issue?
I still don't know exactly why, but this is happening. Checks run, but skip the scan, #540 is an example.
I ping-ponged with AI and the potential solution was something like this below, but not sure yet, it does not quite convince me.
Why do you think it is important?
We shouldn't miss on these.
Can you justify your argument or provide additional resources?
The checks speak for themselves:
✅ Pull request contains no net changes to dependencies:
Pull request alerts notify when new issues are detected between the diff of the pull request and it's target branch.
Contribution intent