chore(ci): add sfw security scanning via socket-registry install action#1138
Merged
John-David Dalton (jdalton) merged 1 commit intomainfrom Mar 31, 2026
Merged
Conversation
John-David Dalton (jdalton)
force-pushed
the
chore/add-sfw-install-action
branch
from
c05d5ee to
41214f2
Compare
Bill Li (billxinli)
approved these changes
Mar 31, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Replaces bare
pnpm install --frozen-lockfilewith the shared socket-registry install action (withfrozen-lockfile: true), which injects sfw-free shims for all supported package managers before install. No other changes — checkout, pnpm setup, and node setup are unchanged.Note
Medium Risk
CI behavior changes by delegating dependency installation to an external shared action, which could affect reproducibility and introduce workflow regressions if the action behavior changes. Documentation-only edits are low risk but won’t mitigate install-action issues if misconfigured.
Overview
CI workflows now install dependencies via the shared
SocketDev/socket-registryinstallaction (withfrozen-lockfile: 'true') instead of runningpnpm install --frozen-lockfiledirectly, acrossci.yml,provenance.yml, andweekly-update.yml.Updates internal Claude skill documentation: trims the
quality-scanversion line metadata, corrects the expected tool count output inupdating-checksums, and adds new reference docs forupdatingandupdating-checksums.Written by Cursor Bugbot for commit c05d5ee. Configure here.