
[APPSEC-1646] [Non-Prod] Restore Socket Security Scan workflow #344

Merged
ping-huang1 merged 1 commit into master from restore-socket-security-scan
Apr 24, 2026

Conversation

@ping-huang1 (Contributor) commented Apr 24, 2026

Summary

https://webflow.atlassian.net/browse/APPSEC-1646

  • Restores .github/workflows/socket_reachability.yml (Socket Tier 1 reachability scan) that was accidentally deleted by fern-bot in PR 🌿 Fern Regeneration -- April 17, 2026 #340
  • Adds .github/workflows/socket_reachability.yml to .fernignore to prevent future fern-bot regenerations from removing it

Root Cause

The fern-bot SDK regeneration PR (#340) overwrote .github/workflows/ with only ci.yml, dropping the Socket scan workflow that was added in April 2026.

Test plan

  • Verify the "Socket Security Scan" workflow appears in the Actions tab after merge
  • Trigger a manual run via workflow_dispatch to confirm it works
  • Confirm SOCKET_SECURITY_API_KEY secret is still present in the repo settings

Risks

Low — restoring a previously working workflow file with no code changes.

The workflow was accidentally deleted by the fern-bot SDK regeneration in
PR #340. Adding it back and protecting it via .fernignore so future fern
regenerations don't remove it again.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
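As an added example that is not part of the PR or of the fern project, a small guard for the regression described above: it fails when a path listed in .fernignore is missing from the checkout (what the #340 regeneration did to socket_reachability.yml) and when a workflow step is not pinned to a full commit SHA, as the restored workflow's actions are. The .fernignore format (one literal repo-relative path per line) and the sample checkout the script builds are assumptions.

```shell
# Added example, not from the PR or fern. Assumes .fernignore lists one repo-relative
# path per line ('#' comments and blank lines ignored, globs not expanded) and that
# workflow steps use the plain `uses: owner/repo@ref` form.

# Fail if any path .fernignore protects is missing from the checkout, which is what
# the #340 regeneration did to socket_reachability.yml.
check_protected_paths() {
  repo="$1"; missing=0
  while read -r line || [ -n "$line" ]; do
    line="${line%%#*}"                      # drop comments; read already trims blanks
    [ -z "$line" ] && continue
    [ -e "$repo/$line" ] || { echo "missing protected path: $line" >&2; missing=1; }
  done < "$repo/.fernignore"
  return "$missing"
}

# Fail if a `uses:` step is not pinned to a full 40-hex commit SHA, as the restored
# workflow pins setup-python and setup-uv; a mutable tag can later resolve to other
# code. Local (./) and docker:// references carry no SHA and are skipped.
check_pinned_actions() {
  refs=$(sed -nE 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//p' "$1" | sed -E 's/[[:space:]]*#.*$//')
  bad=$(printf '%s\n' "$refs" | grep -Ev '^(\./|docker://|$)' | grep -Ev '@[0-9a-f]{40}$' || true)
  [ -z "$bad" ] && return 0
  printf 'action not pinned to a commit SHA: %s\n' "$bad" >&2; return 1
}

# Constructed sample checkout (temp dir) mirroring the PR's layout; prints its path.
make_sample_repo() {
  dir=$(mktemp -d); mkdir -p "$dir/.github/workflows"
  printf '%s\n' '# files fern-bot must leave alone' \
    '.github/workflows/socket_reachability.yml' > "$dir/.fernignore"
  cat > "$dir/.github/workflows/socket_reachability.yml" <<'EOF'
name: Socket Security Scan
on: { workflow_dispatch: {}, pull_request: {} }
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
      - uses: astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f  # pinned
EOF
  printf '%s\n' "$dir"
}

# Demo: both guards pass on the restored state.
sample=$(make_sample_repo)
check_protected_paths "$sample" && check_pinned_actions "$sample/.github/workflows/socket_reachability.yml" \
  && echo "protected workflow present and all actions SHA-pinned"
```

Run it as a CI step after any fern regeneration so a dropped protected file fails the bot's PR instead of reaching master.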
@ping-huang1 ping-huang1 self-assigned this Apr 24, 2026
@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert
Warn High
Input argument leak: github astral-sh/setup-uv exposes an input argument into sink

Location: Package overview

From: .github/workflows/socket_reachability.yml (github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f)

ℹ Read more on: This package | This alert | What are GitHub Actions taint flows?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Validate and sanitize all input arguments before using them in dangerous operations. Use parameterized commands or APIs instead of string concatenation for shell commands.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Environment variable leak: github astral-sh/setup-uv passes an environment variable into sink

Location: Package overview

From: .github/workflows/socket_reachability.yml (github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f)

ℹ Read more on: This package | This alert | What are GitHub Actions taint flows?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Validate and sanitize environment variables before using them in dangerous operations. Ensure environment variables come from trusted sources only, and use parameterized commands or APIs instead of string concatenation.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Dynamic code execution: github actions/setup-python

Location: Package overview

From: .github/workflows/socket_reachability.yml (github/actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065)

ℹ Read more on: This package | This alert | What is dynamic code execution?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore github/actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Network access: github actions/setup-python

Location: Package overview

From: .github/workflows/socket_reachability.yml (github/actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065)

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore github/actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
System shell access: github actions/setup-python

Location: Package overview

From: .github/workflows/socket_reachability.yml (github/actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065)

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore github/actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Network access: github astral-sh/setup-uv

Location: Package overview

From: .github/workflows/socket_reachability.yml (github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f)

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
System shell access: github astral-sh/setup-uv

Location: Package overview

From: .github/workflows/socket_reachability.yml (github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f)

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Dynamic code execution: github astral-sh/setup-uv

Location: Package overview

From: .github/workflows/socket_reachability.yml (github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f)

ℹ Read more on: This package | This alert | What is dynamic code execution?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

@ping-huang1 ping-huang1 changed the title Restore Socket Security Scan workflow [APPSEC-1646] [Non-Prod] Restore Socket Security Scan workflow Apr 24, 2026
@ping-huang1 ping-huang1 marked this pull request as ready for review April 24, 2026 01:01
@ping-huang1 ping-huang1 merged commit 31e9cf3 into master Apr 24, 2026
6 checks passed