
Socket Basics SAST: add workflow and gitignore entries#3

Open. sgrammargs wants to merge 2 commits into buffy/fix-ci-android-build from stagility/socket-basics-sast

Conversation

sgrammargs commented Jun 25, 2026

Summary

  • Adds .github/workflows/socket-basics.yml — calls the shared Socket Basics reusable workflow at @main
  • Adds .socket-scans/ and .socket.facts.json to .gitignore

Dependencies

Requires ynab/shared-actions#233 to be merged first.

Test plan

  • Trigger on a PR — verify the socket-basics-security-scan job runs and posts a comment
  • Verify no unexpected findings block the PR

🤖 Generated with Claude Code

@sgrammargs sgrammargs marked this pull request as ready for review June 30, 2026 13:43
@sgrammargs sgrammargs requested a review from buffym June 30, 2026 19:23
sgrammargs (Author) commented

@copilot add sha pinning to the action in this PR to fix the failing auto-labeler ci failure

sgrammargs (Author) commented

@copilot add sha pinning to the action in this PR to fix the failing auto-labeler ci failure

whomp. whomp.

buffym (Member) commented Jul 3, 2026

@copilot setup sha pinning for the actions in this repo to fix the failing ci.

Copilot AI commented Jul 3, 2026

@copilot add sha pinning to the action in this PR to fix the failing auto-labeler ci failure

Updated in commit eb944f3. I pinned the GitHub Actions references used by the repo workflows to full commit SHAs to satisfy the policy check.

@copilot setup sha pinning for the actions in this repo to fix the failing ci.

Completed in commit eb944f3. I pinned the existing workflow action references in this repo to full-length SHAs to address the failing CI policy check.

Copilot finished work on behalf of buffym July 3, 2026 00:49
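The reply above pins the repo's action references to full commit SHAs to satisfy a policy check. The script below is an added example, not code from this PR or from the ynab repositories: a small POSIX shell check that flags `uses:` lines in a workflow file that still point at a tag or branch rather than a 40-character SHA, which also catches a reusable workflow called at `@main` as the PR description mentions. The sample workflow it scans, the `example-org` organisation, the local-action path and the all-hex placeholder SHA are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the PR): list `uses:` references in a GitHub Actions
# workflow that are not pinned to a full 40-character commit SHA. Tags such as
# @v4 and branches such as @main move over time, so a policy check like the one
# failing in this PR expects the immutable SHA instead.
set -u

# Print every unpinned action or reusable-workflow reference in FILE, prefixed
# with its line number. Local actions (./path) are skipped because they live in
# the repository itself. Returns 1 when at least one unpinned reference exists.
check_pinned_actions() {
  offenders=$(grep -nE '^[[:space:]]*-?[[:space:]]*uses:' "$1" \
    | grep -vE 'uses:[[:space:]]*["'\'']?\./' \
    | grep -vE '@[0-9a-fA-F]{40}([[:space:]]|["'\'']|$)' || true)
  if [ -n "$offenders" ]; then
    printf '%s\n' "$offenders"
    return 1
  fi
  return 0
}

# Constructed sample workflow: the org, paths and the SHA are placeholders,
# not values taken from this PR.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
name: ci
on: [pull_request]
jobs:
  scan:
    uses: example-org/shared-actions/.github/workflows/socket-basics.yml@main
    secrets: inherit
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
        with:
          python-version: "2.7"
      - uses: ./.github/actions/local-helper
EOF

# Expected: the @main reusable workflow and actions/checkout@v4 are reported;
# the SHA-pinned setup-python step and the local action are not.
if check_pinned_actions "$SAMPLE"; then
  echo "all action references are SHA-pinned"
else
  echo "the references above must be replaced with commit SHAs"
fi
rm -f "$SAMPLE"
```

Run it as a CI gate over `.github/workflows/*.yml`; a non-zero exit means something is still pinned to a movable ref. Keeping a `# vX.Y.Z` comment next to each SHA, as the placeholder line does, preserves readability without weakening the pin.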
buffym (Member) commented Jul 3, 2026

@copilot explain why the build and test J2V8 is failing ci?

Copilot AI commented Jul 3, 2026

@copilot explain why the build and test J2V8 is failing ci?

Build and test J2V8 is failing before the build/test commands run. In both jobs (Build J2V8 for Linux and Build J2V8 for Android), the step Download monolithic libraries and extract to v8.out downloads only ~194 bytes from http://download.eclipsesource.com/j2v8/v8/libv8_9.3.345.11_monolith.zip, then unzip fails with End-of-central-directory signature not found (exit code 9). So the root cause is the monolith artifact download returning a non-zip payload, not the SHA pinning changes.

Copilot finished work on behalf of buffym July 3, 2026 00:54
buffym (Member) commented Jul 3, 2026

@copilot any way to fix the monolith download ci issue?

Copilot AI commented Jul 3, 2026

@copilot any way to fix the monolith download ci issue?

Yes — fixed in 8eb048d. I updated build_and_test.yml to download the monolith over HTTPS with curl --fail --location --retry ... and added unzip -tq validation before extraction in both Linux and Android jobs, so bad/non-zip responses fail fast and valid redirects are handled.

Copilot finished work on behalf of buffym July 3, 2026 00:58
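The fix described above downloads the monolith with `curl --fail --location --retry` and runs `unzip -tq` before extracting, so a ~194-byte error page fails fast instead of producing an "End-of-central-directory signature not found" error later. As an added example that is not part of the PR's `build_and_test.yml`, the script below implements that step as reusable shell functions, adding a size floor and a structural check for the end-of-central-directory record that the failing run reported as missing. The URL, destination path and the 1024-byte minimum size are assumptions; the error-page input is constructed so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the PR): fetch a build artifact over HTTPS with
# curl --fail --location --retry and reject non-zip payloads before unzip runs.
# The size floor, URL and destination below are assumptions for illustration.
set -u

# Smallest plausible size for the archive. A ~194-byte response is an error
# page, not a library bundle. Assumed value; tune it per artifact.
MIN_ARCHIVE_BYTES=${MIN_ARCHIVE_BYTES:-1024}

# Return 0 if a ZIP end-of-central-directory (EOCD) signature appears in the
# last 64 KiB of the file (EOCD record plus the maximum archive comment).
# This is exactly the record unzip reported as missing in the failing CI run.
zip_has_eocd() {
  tail -c 65557 "$1" | od -An -v -tx1 | tr -s ' \n' ' ' | grep -q ' 50 4b 05 06 '
}

# Structural pre-checks, then unzip -tq (archive integrity test) when unzip is
# installed. Fails fast on HTML error pages and truncated downloads.
verify_zip_archive() {
  f=$1
  min=${2:-$MIN_ARCHIVE_BYTES}
  size=$(wc -c < "$f" | tr -d ' ')
  if [ "$size" -lt "$min" ]; then
    echo "reject: $f is only $size bytes (< $min)" >&2
    return 1
  fi
  if ! zip_has_eocd "$f"; then
    echo "reject: $f has no end-of-central-directory record (not a zip)" >&2
    return 1
  fi
  if command -v unzip >/dev/null 2>&1; then
    unzip -tq "$f" >/dev/null || { echo "reject: unzip -tq failed for $f" >&2; return 1; }
  fi
  return 0
}

# Download with the flags from the fix: --fail turns HTTP errors into a
# non-zero exit, --location follows redirects, --retry re-tries transient
# failures. Only a verified archive is left for the extraction step.
# Usage in a workflow step (URL is a placeholder):
#   fetch_and_verify_archive "https://example.invalid/libv8_monolith.zip" v8.zip \
#     && unzip -q v8.zip -d v8.out
fetch_and_verify_archive() {
  url=$1
  dest=$2
  curl --fail --location --retry 3 --retry-delay 2 --silent --show-error \
    --output "$dest" "$url" || return 1
  verify_zip_archive "$dest"
}

# Offline demonstration on a constructed error-page payload (no network).
demo_dir=$(mktemp -d)
printf '<html><body>404 Not Found</body></html>\n' > "$demo_dir/bad.zip"
if verify_zip_archive "$demo_dir/bad.zip"; then
  echo "unexpected: error page accepted"
else
  echo "ok: error page rejected before extraction"
fi
rm -rf "$demo_dir"
```

The EOCD scan is a cheap sanity filter that needs only `tail`, `od` and `grep`; `unzip -tq` remains the authoritative integrity test and runs whenever it is available. Pinning the expected SHA-256 of the archive next to the URL would be the next hardening step, since a well-formed zip from the wrong source would still pass these checks.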
buffym (Member) commented Jul 3, 2026

@copilot I think you are unzipping to the wrong directory with your most recent "fix"

Copilot AI commented Jul 3, 2026

@copilot I think you are unzipping to the wrong directory with your most recent "fix"

I checked the latest failing run (28631306986) and the archive is extracting into v8.out as expected (v8.out/linux.x64, v8.out/android.*, v8.out/include). The current failure is happening in the next step with python2 build.py exiting 127 (python2 not found on the runner), not from extraction pathing.

Copilot finished work on behalf of buffym July 3, 2026 01:03
buffym (Member) commented Jul 3, 2026

@copilot help me fix the failing builds now at the next step

Copilot AI commented Jul 3, 2026

@copilot help me fix the failing builds now at the next step

Fixed in 38cab82. I added pinned actions/setup-python (Python 2.7) steps to both Linux and Android jobs in build_and_test.yml, so the next python2 build.py ... step can run on current GitHub runners where python2 is not preinstalled.

socket-security Bot commented Jul 3, 2026

sgrammargs and others added 2 commits July 2, 2026 21:28
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The shared workflow (ynab/shared-actions#233) is gaining a required
GH_YBOT_TOKEN secret (it now checks out shared-actions to run its helper
actions from current main). `secrets: inherit` forwards the org secrets it
needs today and means this file never needs touching when the shared
workflow's secret needs change again.

Safe to merge immediately: inherit also satisfies the current version of
the shared workflow.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@buffym buffym force-pushed the stagility/socket-basics-sast branch from 38cab82 to 3905645 Compare July 3, 2026 01:28
@buffym buffym changed the base branch from master to buffy/fix-ci-android-build July 3, 2026 01:28