From 76da53a86f7ac8507e52c1f3a9aff70092c19cfa Mon Sep 17 00:00:00 2001
From: jdalton
Date: Fri, 24 Apr 2026 16:05:00 -0400
Subject: [PATCH 1/3] chore(ci): bump socket-registry refs to 0371e83f
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Picks up the @socketsecurity/lib floor enforcement that landed in socket-registry 24ad6b61 — the install action now fails fast with an actionable message when the consumer's @socketsecurity/lib is below the latest version published to npm. socket-cli already pins @socketsecurity/lib at 5.24.0 (the floor) via the catalog, so this bump is mechanical — no consumer code changes.
---
 .github/workflows/ci.yml | 8 ++++----
 .github/workflows/provenance.yml | 6 +++---
 .github/workflows/weekly-update.yml | 8 ++++----
 3 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8d9d3a47c..c9b25df6a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -109,7 +109,7 @@ jobs:
 export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
 CODE
- - uses: SocketDev/socket-registry/.github/actions/setup-and-install@444b6415a78a44d50066a0eb7ef219a751224561 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@0371e83fccd7e2e5370b9ee7d0ddc882c9790210 # main
 with:
 checkout: 'false'
@@ -168,7 +168,7 @@ jobs:
 export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
 CODE
- - uses: SocketDev/socket-registry/.github/actions/setup-and-install@444b6415a78a44d50066a0eb7ef219a751224561 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@0371e83fccd7e2e5370b9ee7d0ddc882c9790210 # main
 with:
 checkout: 'false'
@@ -234,7 +234,7 @@ jobs:
 export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
 CODE
- - uses: SocketDev/socket-registry/.github/actions/setup-and-install@444b6415a78a44d50066a0eb7ef219a751224561 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@0371e83fccd7e2e5370b9ee7d0ddc882c9790210 # main
 with:
 checkout: 'false'
 node-version: ${{ matrix.node-version }}
@@ -310,7 +310,7 @@ jobs:
 export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
 CODE
- - uses: SocketDev/socket-registry/.github/actions/setup-and-install@444b6415a78a44d50066a0eb7ef219a751224561 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@0371e83fccd7e2e5370b9ee7d0ddc882c9790210 # main
 with:
 checkout: 'false'
 node-version: ${{ matrix.node-version }}
diff --git a/.github/workflows/provenance.yml b/.github/workflows/provenance.yml
index 32600be1d..4d4ddeb34 100644
--- a/.github/workflows/provenance.yml
+++ b/.github/workflows/provenance.yml
@@ -51,7 +51,7 @@ jobs:
 with:
 persist-credentials: false
- - uses: SocketDev/socket-registry/.github/actions/setup-and-install@444b6415a78a44d50066a0eb7ef219a751224561 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@0371e83fccd7e2e5370b9ee7d0ddc882c9790210 # main
 with:
 checkout: 'false'
@@ -91,7 +91,7 @@ jobs:
 with:
 persist-credentials: false
- - uses: SocketDev/socket-registry/.github/actions/setup-and-install@444b6415a78a44d50066a0eb7ef219a751224561 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@0371e83fccd7e2e5370b9ee7d0ddc882c9790210 # main
 with:
 checkout: 'false'
 registry-url: 'https://registry.npmjs.org'
@@ -141,7 +141,7 @@ jobs:
 with:
 persist-credentials: false
- - uses: SocketDev/socket-registry/.github/actions/setup-and-install@444b6415a78a44d50066a0eb7ef219a751224561 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@0371e83fccd7e2e5370b9ee7d0ddc882c9790210 # main
 with:
 checkout: 'false'
 registry-url: 'https://registry.npmjs.org'
diff --git a/.github/workflows/weekly-update.yml b/.github/workflows/weekly-update.yml
index fe9a7b320..bd15cb0d2 100644
--- a/.github/workflows/weekly-update.yml
+++ b/.github/workflows/weekly-update.yml
@@ -29,7 +29,7 @@ jobs:
 with:
 persist-credentials: false
- - uses: SocketDev/socket-registry/.github/actions/setup-and-install@444b6415a78a44d50066a0eb7ef219a751224561 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@0371e83fccd7e2e5370b9ee7d0ddc882c9790210 # main
 with:
 checkout: 'false'
@@ -62,7 +62,7 @@ jobs:
 fetch-depth: 0
 persist-credentials: false
- - uses: SocketDev/socket-registry/.github/actions/setup-and-install@444b6415a78a44d50066a0eb7ef219a751224561 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@0371e83fccd7e2e5370b9ee7d0ddc882c9790210 # main
 with:
 checkout: 'false'
@@ -79,7 +79,7 @@ jobs:
 git checkout -b "$BRANCH_NAME" HEAD~1
 echo "branch=$BRANCH_NAME" >> $GITHUB_OUTPUT
- - uses: SocketDev/socket-registry/.github/actions/setup-git-signing@444b6415a78a44d50066a0eb7ef219a751224561 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-git-signing@0371e83fccd7e2e5370b9ee7d0ddc882c9790210 # main
 with:
 gpg-private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
@@ -332,7 +332,7 @@ jobs:
 test.log
 retention-days: 7
- - uses: SocketDev/socket-registry/.github/actions/cleanup-git-signing@444b6415a78a44d50066a0eb7ef219a751224561 # main
+ - uses: SocketDev/socket-registry/.github/actions/cleanup-git-signing@0371e83fccd7e2e5370b9ee7d0ddc882c9790210 # main
 if: always()
 notify:

From 7af5ef4280882e2180effefdb7f68ce1387c3508 Mon Sep 17 00:00:00 2001
From: jdalton
Date: Fri, 24 Apr 2026 16:15:32 -0400
Subject: [PATCH 2/3] fixup: repin socket-registry to f1b40c99 (npm-banner-validation fix)

The previous propagation SHA (0371e83f) shipped a guard step whose version_lt function exploded when npm view returned a Socket Firewall banner string instead of a version. f1b40c99 validates npm view output as semver before using it.
---
 .github/workflows/ci.yml | 8 ++++----
 .github/workflows/provenance.yml | 6 +++---
 .github/workflows/weekly-update.yml | 8 ++++----
 3 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c9b25df6a..ef69bd9af 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -109,7 +109,7 @@ jobs:
 export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
 CODE
- - uses: SocketDev/socket-registry/.github/actions/setup-and-install@0371e83fccd7e2e5370b9ee7d0ddc882c9790210 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@f1b40c99a11f8f2f65a44c9e6c66e53470bd0b90 # main
 with:
 checkout: 'false'
@@ -168,7 +168,7 @@ jobs:
 export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
 CODE
- - uses: SocketDev/socket-registry/.github/actions/setup-and-install@0371e83fccd7e2e5370b9ee7d0ddc882c9790210 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@f1b40c99a11f8f2f65a44c9e6c66e53470bd0b90 # main
 with:
 checkout: 'false'
@@ -234,7 +234,7 @@ jobs:
 export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
 CODE
- - uses: SocketDev/socket-registry/.github/actions/setup-and-install@0371e83fccd7e2e5370b9ee7d0ddc882c9790210 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@f1b40c99a11f8f2f65a44c9e6c66e53470bd0b90 # main
 with:
 checkout: 'false'
 node-version: ${{ matrix.node-version }}
@@ -310,7 +310,7 @@ jobs:
 export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
 CODE
- - uses: SocketDev/socket-registry/.github/actions/setup-and-install@0371e83fccd7e2e5370b9ee7d0ddc882c9790210 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@f1b40c99a11f8f2f65a44c9e6c66e53470bd0b90 # main
 with:
 checkout: 'false'
 node-version: ${{ matrix.node-version }}
diff --git a/.github/workflows/provenance.yml b/.github/workflows/provenance.yml
index 4d4ddeb34..524beed3e 100644
--- a/.github/workflows/provenance.yml
+++ b/.github/workflows/provenance.yml
@@ -51,7 +51,7 @@ jobs:
 with:
 persist-credentials: false
- - uses: SocketDev/socket-registry/.github/actions/setup-and-install@0371e83fccd7e2e5370b9ee7d0ddc882c9790210 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@f1b40c99a11f8f2f65a44c9e6c66e53470bd0b90 # main
 with:
 checkout: 'false'
@@ -91,7 +91,7 @@ jobs:
 with:
 persist-credentials: false
- - uses: SocketDev/socket-registry/.github/actions/setup-and-install@0371e83fccd7e2e5370b9ee7d0ddc882c9790210 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@f1b40c99a11f8f2f65a44c9e6c66e53470bd0b90 # main
 with:
 checkout: 'false'
 registry-url: 'https://registry.npmjs.org'
@@ -141,7 +141,7 @@ jobs:
 with:
 persist-credentials: false
- - uses: SocketDev/socket-registry/.github/actions/setup-and-install@0371e83fccd7e2e5370b9ee7d0ddc882c9790210 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@f1b40c99a11f8f2f65a44c9e6c66e53470bd0b90 # main
 with:
 checkout: 'false'
 registry-url: 'https://registry.npmjs.org'
diff --git a/.github/workflows/weekly-update.yml b/.github/workflows/weekly-update.yml
index bd15cb0d2..77e403fd4 100644
--- a/.github/workflows/weekly-update.yml
+++ b/.github/workflows/weekly-update.yml
@@ -29,7 +29,7 @@ jobs:
 with:
 persist-credentials: false
- - uses: SocketDev/socket-registry/.github/actions/setup-and-install@0371e83fccd7e2e5370b9ee7d0ddc882c9790210 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@f1b40c99a11f8f2f65a44c9e6c66e53470bd0b90 # main
 with:
 checkout: 'false'
@@ -62,7 +62,7 @@ jobs:
 fetch-depth: 0
 persist-credentials: false
- - uses: SocketDev/socket-registry/.github/actions/setup-and-install@0371e83fccd7e2e5370b9ee7d0ddc882c9790210 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@f1b40c99a11f8f2f65a44c9e6c66e53470bd0b90 # main
 with:
 checkout: 'false'
@@ -79,7 +79,7 @@ jobs:
 git checkout -b "$BRANCH_NAME" HEAD~1
 echo "branch=$BRANCH_NAME" >> $GITHUB_OUTPUT
- - uses: SocketDev/socket-registry/.github/actions/setup-git-signing@0371e83fccd7e2e5370b9ee7d0ddc882c9790210 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-git-signing@f1b40c99a11f8f2f65a44c9e6c66e53470bd0b90 # main
 with:
 gpg-private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
@@ -332,7 +332,7 @@ jobs:
 test.log
 retention-days: 7
- - uses: SocketDev/socket-registry/.github/actions/cleanup-git-signing@0371e83fccd7e2e5370b9ee7d0ddc882c9790210 # main
+ - uses: SocketDev/socket-registry/.github/actions/cleanup-git-signing@f1b40c99a11f8f2f65a44c9e6c66e53470bd0b90 # main
 if: always()
 notify:

From 5136b32b264b7eb3605bb010709eeb9c014f7207 Mon Sep 17 00:00:00 2001
From: jdalton
Date: Fri, 24 Apr 2026 16:20:08 -0400
Subject: [PATCH 3/3] fix(ci): pass GITHUB_TOKEN to Build CLI step to bypass anonymous quota

scripts/download-assets.mts (via packages/build-infra/lib/github-releases.mts) queries the GitHub releases API for binject / node-smol / iocraft during the cli build. The script reads GH_TOKEN / GITHUB_TOKEN to authenticate, but the Build CLI step in both unit-tests and e2e jobs never set either, so calls went out anonymously, hit the 60-req/hr public quota, and returned 403 ("Failed to fetch releases: 403"). Expose secrets.GITHUB_TOKEN to both Build CLI steps. Authenticated calls share a 1000-req/hr per-job bucket. permissions: contents: read is already declared on both jobs, which is what the asset reads need.
---
 .github/workflows/ci.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ef69bd9af..75d914d4d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -242,6 +242,13 @@ jobs:
 - name: Build CLI
 working-directory: packages/cli
 shell: bash
+ env:
+ # download-assets.mts hits the GitHub releases API for
+ # binject / node-smol / iocraft. Anonymous calls share the
+ # 60-req/hr public quota and get 403 once exhausted; the
+ # auto-provided GITHUB_TOKEN gives this job its own 1000/hr
+ # bucket.
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 pnpm run build
@@ -318,6 +325,13 @@ jobs:
 - name: Build CLI
 working-directory: packages/cli
 shell: bash
+ env:
+ # download-assets.mts hits the GitHub releases API for
+ # binject / node-smol / iocraft. Anonymous calls share the
+ # 60-req/hr public quota and get 403 once exhausted; the
+ # auto-provided GITHUB_TOKEN gives this job its own 1000/hr
+ # bucket.
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 pnpm run build
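Review bot: The step-level `env` in the @@ -242 hunk hands `GITHUB_TOKEN` to everything `pnpm run build` spawns, not only to download-assets.mts, so any build script or dependency lifecycle hook in that tree can read a repository-scoped token; the `contents: read` the commit message cites keeps that blast radius to read access, but if the build can be split, run the asset download as its own step with the token and the remainder of `pnpm run build` without it. The added comment's claim that the token `gives this job its own 1000/hr bucket` also reads stronger than GitHub's documentation, which as I read it applies the GITHUB_TOKEN limit per repository, so concurrent matrix entries of this job share it — consider `# the auto-provided GITHUB_TOKEN uses the authenticated per-repository limit (1000/hr, shared by concurrent jobs)`. The same applies verbatim to the second Build CLI hunk at @@ -318. Both enclosing job definitions start outside the hunk.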