From bb7f9f13642c8805baefd135fe0c8ab30b8091aa Mon Sep 17 00:00:00 2001
From: jdalton
Date: Mon, 27 Apr 2026 11:01:47 -0400
Subject: [PATCH 1/2] chore(ci): cascade socket-registry pin to 3f2f2c00

Picks up the latest socket-registry workflow updates (currently the bootstrap-from-registry step in install/action.yml + the path-guard fleet rollout cascade). Self-landable split from #620.
---
 .github/workflows/ci.yml | 2 +-
 .github/workflows/generate.yml | 6 +++---
 .github/workflows/provenance.yml | 2 +-
 .github/workflows/weekly-update.yml | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e66ace81..9e4cacaa 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -21,6 +21,6 @@ concurrency:
 jobs:
 ci:
 name: Run CI Pipeline
- uses: SocketDev/socket-registry/.github/workflows/ci.yml@ea1986b8019fedee5fb38b485690b13ad8e0217f # main
+ uses: SocketDev/socket-registry/.github/workflows/ci.yml@3f2f2c00e9b9dbd78872619e47cb600586b88105 # main
 with:
 test-script: 'pnpm run test --all --skip-build'
diff --git a/.github/workflows/generate.yml b/.github/workflows/generate.yml
index 313804e4..769498c6 100644
--- a/.github/workflows/generate.yml
+++ b/.github/workflows/generate.yml
@@ -46,14 +46,14 @@ jobs:
 echo "Sleeping for $delay seconds..."
 sleep $delay
- - uses: SocketDev/socket-registry/.github/actions/setup-and-install@ea1986b8019fedee5fb38b485690b13ad8e0217f # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@3f2f2c00e9b9dbd78872619e47cb600586b88105 # main
 - name: Configure push credentials
 env:
 GH_TOKEN: ${{ github.token }}
 run: git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git"
- - uses: SocketDev/socket-registry/.github/actions/setup-git-signing@ea1986b8019fedee5fb38b485690b13ad8e0217f # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-git-signing@3f2f2c00e9b9dbd78872619e47cb600586b88105 # main
 with:
 gpg-private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
@@ -145,5 +145,5 @@ jobs:
 > \`\`\`
 EOF
- - uses: SocketDev/socket-registry/.github/actions/cleanup-git-signing@ea1986b8019fedee5fb38b485690b13ad8e0217f # main
+ - uses: SocketDev/socket-registry/.github/actions/cleanup-git-signing@3f2f2c00e9b9dbd78872619e47cb600586b88105 # main
 if: always()
diff --git a/.github/workflows/provenance.yml b/.github/workflows/provenance.yml
index ad940907..7c7c5af9 100644
--- a/.github/workflows/provenance.yml
+++ b/.github/workflows/provenance.yml
@@ -25,7 +25,7 @@ jobs:
 permissions:
 contents: write # To create GitHub releases
 id-token: write # For npm trusted publishing via OIDC
- uses: SocketDev/socket-registry/.github/workflows/provenance.yml@ea1986b8019fedee5fb38b485690b13ad8e0217f # main
+ uses: SocketDev/socket-registry/.github/workflows/provenance.yml@3f2f2c00e9b9dbd78872619e47cb600586b88105 # main
 with:
 debug: ${{ inputs.debug }}
 dist-tag: ${{ inputs.dist-tag }}
diff --git a/.github/workflows/weekly-update.yml b/.github/workflows/weekly-update.yml
index 504b96be..f347ea69 100644
--- a/.github/workflows/weekly-update.yml
+++ b/.github/workflows/weekly-update.yml
@@ -10,7 +10,7 @@ permissions:
 jobs:
 weekly-update:
- uses: SocketDev/socket-registry/.github/workflows/weekly-update.yml@ea1986b8019fedee5fb38b485690b13ad8e0217f # main
+ uses: SocketDev/socket-registry/.github/workflows/weekly-update.yml@3f2f2c00e9b9dbd78872619e47cb600586b88105 # main
 with:
 test-setup-script: 'pnpm run build'
 test-script: 'pnpm test'
From aacf5102511598919c56c557e49ce0b3912da20d Mon Sep 17 00:00:00 2001
From: jdalton
Date: Mon, 27 Apr 2026 11:08:56 -0400
Subject: [PATCH 2/2] chore(ci): cascade socket-registry pins to 85a2fc0d
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Picks up the firewall-checker fix in @SocketDev/socket-registry — any alert from Socket Firewall now blocks the bootstrap (no severity threshold; the API only returns alerts when a package is flagged as malware, so any alert means malware).
Cascade chain:
check-firewall.mts Layer 1 e4193847
setup-and-install Layer 2 b94c9571
reusable workflows Layer 3 85a2fc0d ← propagation SHA
_local-not-for-reuse-* Layer 4 25ec2c76 (socket-registry only)
---
 .github/workflows/ci.yml | 2 +-
 .github/workflows/generate.yml | 6 +++---
 .github/workflows/provenance.yml | 2 +-
 .github/workflows/weekly-update.yml | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9e4cacaa..b430cd4b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -21,6 +21,6 @@ concurrency:
 jobs:
 ci:
 name: Run CI Pipeline
- uses: SocketDev/socket-registry/.github/workflows/ci.yml@3f2f2c00e9b9dbd78872619e47cb600586b88105 # main
+ uses: SocketDev/socket-registry/.github/workflows/ci.yml@85a2fc0d33af6304246620365de3e7f053035a8d # main
 with:
 test-script: 'pnpm run test --all --skip-build'
diff --git a/.github/workflows/generate.yml b/.github/workflows/generate.yml
index 769498c6..b4534c3e 100644
--- a/.github/workflows/generate.yml
+++ b/.github/workflows/generate.yml
@@ -46,14 +46,14 @@ jobs:
 echo "Sleeping for $delay seconds..."
 sleep $delay
- - uses: SocketDev/socket-registry/.github/actions/setup-and-install@3f2f2c00e9b9dbd78872619e47cb600586b88105 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@85a2fc0d33af6304246620365de3e7f053035a8d # main
 - name: Configure push credentials
 env:
 GH_TOKEN: ${{ github.token }}
 run: git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git"
- - uses: SocketDev/socket-registry/.github/actions/setup-git-signing@3f2f2c00e9b9dbd78872619e47cb600586b88105 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-git-signing@85a2fc0d33af6304246620365de3e7f053035a8d # main
 with:
 gpg-private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
@@ -145,5 +145,5 @@ jobs:
 > \`\`\`
 EOF
- - uses: SocketDev/socket-registry/.github/actions/cleanup-git-signing@3f2f2c00e9b9dbd78872619e47cb600586b88105 # main
+ - uses: SocketDev/socket-registry/.github/actions/cleanup-git-signing@85a2fc0d33af6304246620365de3e7f053035a8d # main
 if: always()
diff --git a/.github/workflows/provenance.yml b/.github/workflows/provenance.yml
index 7c7c5af9..ecf5df13 100644
--- a/.github/workflows/provenance.yml
+++ b/.github/workflows/provenance.yml
@@ -25,7 +25,7 @@ jobs:
 permissions:
 contents: write # To create GitHub releases
 id-token: write # For npm trusted publishing via OIDC
- uses: SocketDev/socket-registry/.github/workflows/provenance.yml@3f2f2c00e9b9dbd78872619e47cb600586b88105 # main
+ uses: SocketDev/socket-registry/.github/workflows/provenance.yml@85a2fc0d33af6304246620365de3e7f053035a8d # main
 with:
 debug: ${{ inputs.debug }}
 dist-tag: ${{ inputs.dist-tag }}
diff --git a/.github/workflows/weekly-update.yml b/.github/workflows/weekly-update.yml
index f347ea69..1112eaed 100644
--- a/.github/workflows/weekly-update.yml
+++ b/.github/workflows/weekly-update.yml
@@ -10,7 +10,7 @@ permissions:
 jobs:
 weekly-update:
- uses: SocketDev/socket-registry/.github/workflows/weekly-update.yml@3f2f2c00e9b9dbd78872619e47cb600586b88105 # main
+ uses: SocketDev/socket-registry/.github/workflows/weekly-update.yml@85a2fc0d33af6304246620365de3e7f053035a8d # main
 with:
 test-setup-script: 'pnpm run build'
 test-script: 'pnpm test'