add socket tier 1 reachability analysis #2634
Pull request overview
Adds a scheduled GitHub Actions workflow to run Socket’s “full application reachability” scan against the stellar-cli repo, with a log-based warning mechanism to distinguish Tier 1 reachability from Tier 2 fallback results.
Changes:
- Introduces a new scheduled + manually dispatchable “Socket reachability scan” workflow.
- Installs Node + Socket CLI and runs socket scan create --reach, emitting a GitHub Actions warning if Tier 2 fallback markers appear in the output.
- Sets an environment opt-in to run JS-based actions on Node 24.
| socket-scan: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 |
| - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1 | ||
| with: | ||
| toolchain: "1.86.0" |
| # Force JS-based GitHub actions (actions/checkout, actions/setup-*, etc.) to | ||
| # use Node 24 instead of the soon-to-be-deprecated Node 20. Safe to remove | ||
| # after 2026-06-16 (when Node 24 becomes the default and this becomes a no-op). | ||
| FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true |
| - name: Run Socket reachability scan | ||
| env: | ||
| SOCKET_SECURITY_API_TOKEN: ${{ secrets.SOCKET_SECURITY_API_TOKEN }} | ||
| run: | |
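Review bot: the socket-scan job declares no permissions: block, so the GITHUB_TOKEN for this scheduled run inherits the repository default, which may be read/write; the only write-capable credential the step actually needs is SOCKET_SECURITY_API_TOKEN, passed through the step-level env:, so add permissions: contents: read on the job (or at workflow level, if it is not already set there) to keep the scan least-privilege. Minor: the dtolnay/rust-toolchain step is pinned to a full SHA but the trailing comment reads "# v1", a moving tag; name the exact release that SHA corresponds to so pin-update tooling and reviewers can verify it, as is done for actions/checkout ("# v6.0.3").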
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 80f2814001
| socket scan create --reach \ | ||
| --org=stellar \ | ||
| --no-interactive \ |
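Review bot: the socket scan create --reach invocation is shown here without the output capture that the PR description says drives the Tier 2 fallback warning; if the command's output is piped (for example through tee) to be inspected for fallback markers, put set -o pipefail at the top of the run: script so a non-zero exit from the scan is not masked by the last command in the pipe, and consider failing the job rather than only emitting a warning when fallback markers appear, since Tier 1 reachability is the stated goal of this workflow and a warning on a scheduled run is easy to miss.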
Set repo and branch on Socket scans
Because this workflow only passes --org, the Node CLI will not associate the scheduled scan with stellar-cli/main: I checked socket scan create --help, which says --repo defaults to socket-default-repository and --branch defaults to socket-default-branch, and this repo has no socket.json/socket.yml scan defaults. In that state the reachability results land under Socket's placeholder repo/branch instead of this project, so the dashboard/alerts history for stellar-cli won't be updated; pass explicit --repo and --branch values (and set the default branch once) when creating the scan.
More info: https://stellarorg.atlassian.net/wiki/spaces/SCRT/pages/5689311233/Socket+Tier+1+Reachability+Analysis