From 41214f211115b7753e2f87f3b7a700ad460435d6 Mon Sep 17 00:00:00 2001
From: jdalton
Date: Tue, 31 Mar 2026 16:18:26 -0400
Subject: [PATCH] chore(ci): add sfw security scanning via socket-registry install action
---
 .github/workflows/ci.yml | 20 ++++++++++++--------
 .github/workflows/provenance.yml | 12 +++++++++---
 .github/workflows/weekly-update.yml | 10 ++++++----
 3 files changed, 27 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 739803c75..ea7f8caa7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -119,8 +119,9 @@ jobs:
 export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
 CODE
- - name: Install dependencies
- run: pnpm install --frozen-lockfile
+ - uses: SocketDev/socket-registry/.github/actions/install@715b14fec288ea6abc94a63dd74a2860c0db82f0 # main
+ with:
+ frozen-lockfile: 'true'
 - name: Run lint
 run: pnpm --filter @socketsecurity/cli run check
@@ -185,8 +186,9 @@ jobs:
 export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
 CODE
- - name: Install dependencies
- run: pnpm install --frozen-lockfile
+ - uses: SocketDev/socket-registry/.github/actions/install@715b14fec288ea6abc94a63dd74a2860c0db82f0 # main
+ with:
+ frozen-lockfile: 'true'
 - name: Run type check
 run: pnpm --filter @socketsecurity/cli run type
@@ -258,8 +260,9 @@ jobs:
 export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
 CODE
- - name: Install dependencies
- run: pnpm install --frozen-lockfile
+ - uses: SocketDev/socket-registry/.github/actions/install@715b14fec288ea6abc94a63dd74a2860c0db82f0 # main
+ with:
+ frozen-lockfile: 'true'
 - name: Build CLI
 working-directory: packages/cli
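Review bot: The pin comment `# main` on the new `uses:` line in the ci.yml `@@ -119` hunk names a branch rather than a release, so the SHA cannot be mapped back to a reviewed version of the install action when it is next bumped; the same line recurs in every other hunk of this patch (ci.yml `@@ -185`, `@@ -258`, `@@ -338`, and all hunks of provenance.yml and weekly-update.yml). Pinning by full commit SHA is the right call; the trailing comment should record what was reviewed, for example `# main @ <commit date or release tag>`. The replacement step in ci.yml and weekly-update.yml also drops its `name:`, so job logs will show the action path instead of the old label; keeping `- name: Install dependencies` above `uses:` preserves it. The job definitions start and end outside these hunks.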
@@ -338,8 +341,9 @@ jobs:
 export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
 CODE
- - name: Install dependencies
- run: pnpm install --frozen-lockfile
+ - uses: SocketDev/socket-registry/.github/actions/install@715b14fec288ea6abc94a63dd74a2860c0db82f0 # main
+ with:
+ frozen-lockfile: 'true'
 - name: Build CLI
 working-directory: packages/cli
diff --git a/.github/workflows/provenance.yml b/.github/workflows/provenance.yml
index 4ee624240..2f098b1e7 100644
--- a/.github/workflows/provenance.yml
+++ b/.github/workflows/provenance.yml
@@ -59,7 +59,9 @@ jobs:
 - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
- - run: pnpm install --frozen-lockfile
+ - uses: SocketDev/socket-registry/.github/actions/install@715b14fec288ea6abc94a63dd74a2860c0db82f0 # main
+ with:
+ frozen-lockfile: 'true'
 - name: Build CLI
 run: pnpm --filter @socketsecurity/cli run build
@@ -104,7 +106,9 @@ jobs:
 - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
- - run: pnpm install --frozen-lockfile
+ - uses: SocketDev/socket-registry/.github/actions/install@715b14fec288ea6abc94a63dd74a2860c0db82f0 # main
+ with:
+ frozen-lockfile: 'true'
 - name: Download CLI bundle
 uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
@@ -160,7 +164,9 @@ jobs:
 - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
- - run: pnpm install --frozen-lockfile
+ - uses: SocketDev/socket-registry/.github/actions/install@715b14fec288ea6abc94a63dd74a2860c0db82f0 # main
+ with:
+ frozen-lockfile: 'true'
 - run: npm install -g npm@latest
diff --git a/.github/workflows/weekly-update.yml b/.github/workflows/weekly-update.yml
index 991c250ce..4331d1a81 100644
--- a/.github/workflows/weekly-update.yml
+++ b/.github/workflows/weekly-update.yml
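Review bot: In provenance.yml (`@@ -59`, and again at `@@ -104` and `@@ -160`) the install step is now a composite action from another repository running inside jobs that build and, judging by the workflow name, attest the release, so whatever that action downloads and executes becomes part of the trusted build path. The hunks do not show the jobs' `permissions:` block; if it grants `id-token: write`, any step in the job can request the OIDC token, so the action's code at the pinned SHA deserves the same review as the workflow itself. A comment above the step would record that, for example `# pnpm install via Socket Firewall (sfw); SHA-pinned, review the action diff before bumping`. `pnpm/action-setup` is kept directly above the new step, and whether the install action still needs it is not visible here.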
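Review bot: The context line `- run: npm install -g npm@latest` right after the new step in the provenance.yml `@@ -160` hunk still fetches an unpinned package outside the install action, so it is presumably not covered by the sfw scanning this commit introduces; `npm install -g @anthropic-ai/claude-code` at the end of the weekly-update.yml `@@ -77` hunk is in the same position. Unless the action wraps `npm` for later steps, which these hunks do not show, those installs remain unscanned and float to whatever version is latest at run time. Pinning an exact version (`npm install -g npm@<version>`) and routing the command through the same wrapper would close the gap.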
@@ -38,8 +38,9 @@ jobs:
 node-version-file: .node-version
 cache: 'pnpm'
- - name: Install dependencies
- run: pnpm install --frozen-lockfile
+ - uses: SocketDev/socket-registry/.github/actions/install@715b14fec288ea6abc94a63dd74a2860c0db82f0 # main
+ with:
+ frozen-lockfile: 'true'
 - name: Check for npm updates
 id: check
@@ -77,8 +78,9 @@ jobs:
 node-version-file: .node-version
 cache: 'pnpm'
- - name: Install dependencies
- run: pnpm install --frozen-lockfile
+ - uses: SocketDev/socket-registry/.github/actions/install@715b14fec288ea6abc94a63dd74a2860c0db82f0 # main
+ with:
+ frozen-lockfile: 'true'
 - name: Install Claude Code
 run: npm install -g @anthropic-ai/claude-code