ci(dependency-review): read SFW report path from env var, drop stdout scrape

Match socket-python-cli: discover the firewall report via the
$SFW_JSON_REPORT_PATH env var that socketdev/action exports, instead of
parsing the 'sfw report written to:' line out of stdout.

The two sync steps return to plain 'set -o pipefail' + tee. A new
'Collect SFW JSON report' step (if: always(), before each upload) copies
$SFW_JSON_REPORT_PATH into sfw-artifacts/sfw-report.json -- copy, not
move, since socketdev/action's post step reads that temp path for its job
summary -- and drops a sfw-report-missing.txt breadcrumb when absent.

More robust than scraping an undocumented log string, and keeps the
report-capture pattern uniform across both repos.

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

Author: lelia

.github/workflows/dependency-review.yml

@@ -144,27 +144,14 @@ jobs:
           mode: firewall-free
 
       - name: Sync project through Socket Firewall (free)
+        # pipefail keeps sfw's exit code through the tee so a firewall block
+        # still fails the job; tee captures the report for the artifact upload.
         env:
           UV_PYTHON: "3.12"
           UV_PYTHON_DOWNLOADS: never
         run: |
           set -o pipefail
-          set +e
           sfw uv sync --locked --extra test --extra dev 2>&1 | tee sfw-artifacts/sfw-uv-sync.log
-          sync_status=${PIPESTATUS[0]}
-
-          report_path="$(
-            sed -n 's/^.*sfw report written to: //p' sfw-artifacts/sfw-uv-sync.log |
-              tail -n 1 |
-              tr -d '\r'
-          )"
-          if [ -n "$report_path" ] && [ -f "$report_path" ]; then
-            cp "$report_path" sfw-artifacts/sfw-report.json
-          else
-            echo "No SFW report JSON found in sync output." > sfw-artifacts/sfw-report-missing.txt
-          fi
-
-          exit "$sync_status"
 
       - name: Import smoke test
         run: |
@@ -177,6 +164,21 @@ jobs:
           print('import smoke OK', __version__)
           " 2>&1 | tee sfw-artifacts/import-smoke.log
 
+      - name: Collect SFW JSON report
+        # socketdev/action points sfw at SFW_JSON_REPORT_PATH (a $RUNNER_TEMP
+        # file) and reads it back in its post step to render the job summary, so
+        # COPY (don't move) the report into the bundle. sfw writes it even when
+        # it blocks an install -- always() keeps it on failures too.
+        if: always()
+        run: |
+          if [ -n "${SFW_JSON_REPORT_PATH:-}" ] && [ -f "$SFW_JSON_REPORT_PATH" ]; then
+            cp "$SFW_JSON_REPORT_PATH" "$GITHUB_WORKSPACE/sfw-artifacts/sfw-report.json"
+            echo "Collected SFW report -> sfw-artifacts/sfw-report.json"
+          else
+            echo "No SFW JSON report found at '${SFW_JSON_REPORT_PATH:-<unset>}'." \
+              > "$GITHUB_WORKSPACE/sfw-artifacts/sfw-report-missing.txt"
+          fi
+
       - name: Upload SFW report artifact
         if: always()
         uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
@@ -219,27 +221,15 @@ jobs:
         # See free job for the UV_PYTHON rationale: .python-version pins an
         # exact patch that uv would otherwise fetch from GitHub through the
         # firewall (blocked by its TLS interception); use the runner's Python.
+        #
+        # pipefail keeps sfw's exit code through the tee so a firewall block
+        # still fails the job; tee captures the report for the artifact upload.
         env:
           UV_PYTHON: "3.12"
           UV_PYTHON_DOWNLOADS: never
         run: |
           set -o pipefail
-          set +e
           sfw uv sync --locked --extra test --extra dev 2>&1 | tee sfw-artifacts/sfw-uv-sync.log
-          sync_status=${PIPESTATUS[0]}
-
-          report_path="$(
-            sed -n 's/^.*sfw report written to: //p' sfw-artifacts/sfw-uv-sync.log |
-              tail -n 1 |
-              tr -d '\r'
-          )"
-          if [ -n "$report_path" ] && [ -f "$report_path" ]; then
-            cp "$report_path" sfw-artifacts/sfw-report.json
-          else
-            echo "No SFW report JSON found in sync output." > sfw-artifacts/sfw-report-missing.txt
-          fi
-
-          exit "$sync_status"
 
       - name: Import smoke test
         run: |
@@ -252,6 +242,21 @@ jobs:
           print('import smoke OK', __version__)
           " 2>&1 | tee sfw-artifacts/import-smoke.log
 
+      - name: Collect SFW JSON report
+        # socketdev/action points sfw at SFW_JSON_REPORT_PATH (a $RUNNER_TEMP
+        # file) and reads it back in its post step to render the job summary, so
+        # COPY (don't move) the report into the bundle. sfw writes it even when
+        # it blocks an install -- always() keeps it on failures too.
+        if: always()
+        run: |
+          if [ -n "${SFW_JSON_REPORT_PATH:-}" ] && [ -f "$SFW_JSON_REPORT_PATH" ]; then
+            cp "$SFW_JSON_REPORT_PATH" "$GITHUB_WORKSPACE/sfw-artifacts/sfw-report.json"
+            echo "Collected SFW report -> sfw-artifacts/sfw-report.json"
+          else
+            echo "No SFW JSON report found at '${SFW_JSON_REPORT_PATH:-<unset>}'." \
+              > "$GITHUB_WORKSPACE/sfw-artifacts/sfw-report-missing.txt"
+          fi
+
       - name: Upload SFW report artifact
         if: always()
         uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1