From 23b4725a5be7fe66e3bb4079f2cd1abc54830868 Mon Sep 17 00:00:00 2001 From: Nick Nisi Date: Tue, 24 Mar 2026 12:16:10 -0500 Subject: [PATCH 1/8] add release-please automation and PR title linting --- .github/workflows/lint-pr-title.yml | 16 +++++++++++++ .github/workflows/release-please.yml | 35 ++++++++++++++++++++++++++++ .github/workflows/release.yml | 32 ++++++++----------------- .release-please-manifest.json | 3 +++ release-please-config.json | 11 +++++++++ 5 files changed, 75 insertions(+), 22 deletions(-) create mode 100644 .github/workflows/lint-pr-title.yml create mode 100644 .github/workflows/release-please.yml create mode 100644 .release-please-manifest.json create mode 100644 release-please-config.json diff --git a/.github/workflows/lint-pr-title.yml b/.github/workflows/lint-pr-title.yml new file mode 100644 index 0000000..b8e96ff --- /dev/null +++ b/.github/workflows/lint-pr-title.yml @@ -0,0 +1,16 @@ +name: Lint PR Title + +on: + pull_request_target: + types: [opened, edited, synchronize] + +permissions: + pull-requests: read + +jobs: + lint: + runs-on: ubuntu-latest + steps: + - uses: amannn/action-semantic-pull-request@v5 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml new file mode 100644 index 0000000..ac54991 --- /dev/null +++ b/.github/workflows/release-please.yml 
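Review bot: The `pull_request_target:` trigger runs this job with the base repository's `GITHUB_TOKEN` for pull requests from forks, and nothing in the file records that this is only safe because the job never checks out or executes PR-controlled code. Add a comment above the trigger such as `# pull_request_target runs with base-repo credentials so fork PRs can be linted; never add a checkout of the PR head or run PR-controlled code in this workflow.` so a later edit does not turn it into a privileged build of untrusted code. The job-level `permissions: pull-requests: read` is the right minimum for a title check and should remain the only grant.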
@@ -0,0 +1,35 @@
+name: Release Please
+
+on:
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: write
+ pull-requests: write
+ id-token: write
+
+jobs:
+ release-please:
+ runs-on: ubuntu-latest
+ outputs:
+ release_created: ${{ steps.release.outputs.release_created }}
+ tag_name: ${{ steps.release.outputs.tag_name }}
+ steps:
+ - name: Generate token
+ id: generate-token
+ uses: actions/create-github-app-token@v2
+ with:
+ app-id: ${{ vars.SDK_BOT_APP_ID }}
+ private-key: ${{ secrets.SDK_BOT_PRIVATE_KEY }}
+
+ - uses: googleapis/release-please-action@v4
+ id: release
+ with:
+ token: ${{ steps.generate-token.outputs.token }}
+
+ publish:
+ needs: release-please
+ if: ${{ needs.release-please.outputs.release_created == 'true' }}
+ uses: ./.github/workflows/release.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d7ba329..11e646b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
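Review bot: The top-level `permissions` block grants `contents: write` and `pull-requests: write` on `GITHUB_TOKEN` to both jobs, yet the `release-please` job performs all of its writes with the App token from `generate-token`, and the `publish` job only needs `contents: read` plus `id-token: write` so the provenance-signing job in the called `release.yml` can request them (a called workflow's jobs cannot exceed the caller job's permissions). Lower the workflow default to `contents: read` and scope the OIDC grant to the `publish` job as shown below. The token minted by `actions/create-github-app-token` carries every permission the App holds on the repository; if the version in use supports the `permission-*` inputs, restricting it to `permission-contents: write` and `permission-pull-requests: write` keeps the release bot at the minimum release-please needs — confirm against the action's documentation for the pinned version. `tag_name` is exported from the job but never read in this file, so either drop it or comment which consumer it is intended for.
```yaml
permissions:
  contents: read

jobs:
  # … unchanged: release-please job (all writes go through the App token) …

  publish:
    needs: release-please
    if: ${{ needs.release-please.outputs.release_created == 'true' }}
    # The called workflow's job asks for id-token: write; it can only get it if granted here.
    permissions:
      contents: read
      id-token: write
    uses: ./.github/workflows/release.yml
```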
@@ -1,44 +1,32 @@ name: Release on: - # Support manually pushing a new release - workflow_dispatch: {} - # Trigger when a release is published - release: - types: [published] + workflow_dispatch: + workflow_call: defaults: run: shell: bash jobs: - publish: + test: name: Publish to NPM runs-on: ubuntu-latest permissions: contents: read id-token: write steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - uses: actions/checkout@v6 + - uses: actions/setup-node@v6 with: node-version: 24 - registry-url: "https://registry.npmjs.org" + registry-url: 'https://registry.npmjs.org' - name: Install Dependencies - run: | - npm install + run: npm install - name: Build project - run: | - npm run build + run: npm run build - - name: Push Release - if: ${{ !github.event.release.prerelease }} - run: | - npm publish --tag latest --access=public --provenance - - - name: Push Pre-Release - if: ${{ github.event.release.prerelease }} - run: | - npm publish --tag next --access=public --provenance + - name: Publish + run: npm publish --tag latest --access=public --provenance --no-git-checks diff --git a/.release-please-manifest.json b/.release-please-manifest.json new file mode 100644 index 0000000..bc7e4aa --- /dev/null +++ b/.release-please-manifest.json @@ -0,0 +1,3 @@ +{ + ".": "0.16.0" +} diff --git a/release-please-config.json b/release-please-config.json new file mode 100644 index 0000000..637e606 --- /dev/null +++ b/release-please-config.json @@ -0,0 +1,11 @@ +{ + "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json", + "include-component-in-tag": false, + "packages": { + ".": { + "release-type": "node", + "changelog-path": "CHANGELOG.md", + "versioning": "default" + } + } +} From 89ac26b819ab2f46ef30709e5d1b3221c3ad6ca4 Mon Sep 17 00:00:00 2001 
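Review bot: `--no-git-checks` on the new `Publish` step is a pnpm option; npm has no such config and, as far as I know, logs an "Unknown cli config" warning and ignores it, so the flag documents nothing and should be dropped: `run: npm publish --tag latest --access=public --provenance`. The `Install Dependencies` step still uses `npm install`, which can resolve versions beyond the lockfile and rewrite `package-lock.json` at publish time; a provenance-attested release should install exactly what is locked, `run: npm ci`. Keeping `workflow_dispatch` next to `workflow_call` means any collaborator can publish whatever ref they pick straight to `latest`, bypassing the release-please tag gate that now fronts this workflow — if that is meant as an emergency escape hatch, say so in a comment above the trigger, otherwise remove it. The old prerelease path (`--tag next`) is gone, so every run now moves `latest`; that matches release-please-managed versions but deserves a one-line comment on the `Publish` step.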
From: Nick Nisi Date: Tue, 24 Mar 2026 12:18:18 -0500 Subject: [PATCH 2/8] add pre-major version bump settings for 0.x semver --- release-please-config.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/release-please-config.json b/release-please-config.json index 637e606..9941797 100644 --- a/release-please-config.json +++ b/release-please-config.json @@ -5,7 +5,9 @@ ".": { "release-type": "node", "changelog-path": "CHANGELOG.md", - "versioning": "default" + "versioning": "default", + "bump-minor-pre-major": true, + "bump-patch-for-minor-pre-major": true } } } From 16d4d19d9aa9c8caa92cd0a51bd31624adb850a6 Mon Sep 17 00:00:00 2001 From: Nick Nisi Date: Tue, 24 Mar 2026 12:19:51 -0500 Subject: [PATCH 3/8] chore: formatting: --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 11e646b..2f1131d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -20,7 +20,7 @@ jobs: - uses: actions/setup-node@v6 with: node-version: 24 - registry-url: 'https://registry.npmjs.org' + registry-url: "https://registry.npmjs.org" - name: Install Dependencies run: npm install From d4fab2239c73abda6a7b4bc8a36fa123e570d32e Mon Sep 17 00:00:00 2001 From: Nick Nisi Date: Tue, 24 Mar 2026 12:23:08 -0500 Subject: [PATCH 4/8] chore: replace coana with socket tier 1 reachability analysis --- .github/workflows/coana-analysis.yml | 28 --------- .github/workflows/coana-guardrail.yml | 67 --------------------- .github/workflows/socket-tier1-analysis.yml | 40 ++++++++++++ 3 files changed, 40 insertions(+), 95 deletions(-) delete mode 100644 .github/workflows/coana-analysis.yml delete mode 100644 .github/workflows/coana-guardrail.yml create mode 100644 .github/workflows/socket-tier1-analysis.yml diff --git a/.github/workflows/coana-analysis.yml b/.github/workflows/coana-analysis.yml deleted file mode 100644 index 90bfa06..0000000 
--- a/.github/workflows/coana-analysis.yml +++ /dev/null @@ -1,28 +0,0 @@ -name: Coana Vulnerability Analysis - -on: - schedule: - - cron: "0 3 * * *" # every day at 3 AM - workflow_dispatch: - inputs: - tags: - description: "Manually run vulnerability analysis" - # Required by the return-dispatch action - distinct_id: - -jobs: - coana-vulnerability-analysis: - runs-on: ubuntu-latest - - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Run Coana CLI - id: coana-cli - uses: docker://coana/coana:latest - with: - args: | - coana run . \ - --api-key ${{ secrets.COANA_API_KEY }} \ - --repo-url https://github.com/${{github.repository}} diff --git a/.github/workflows/coana-guardrail.yml b/.github/workflows/coana-guardrail.yml deleted file mode 100644 index 6928ce0..0000000 --- a/.github/workflows/coana-guardrail.yml +++ /dev/null 
@@ -1,67 +0,0 @@ -name: Coana Guardrail - -on: pull_request - -jobs: - guardrail: - runs-on: ubuntu-latest - - steps: - - name: Checkout the ${{github.base_ref}} branch - uses: actions/checkout@v4 - with: - ref: ${{github.base_ref}} # checkout the base branch (usually master/main). - - - name: Fetch the PR branch - run: | - git fetch ${{ github.event.pull_request.head.repo.clone_url }} ${{ github.head_ref }}:${{ github.head_ref }} --depth=1 - - - name: Get list of changed files relative to the main/master branch - id: changed-files - run: | - echo "all_changed_files=$(git diff --name-only ${{ github.base_ref }} ${{ github.head_ref }} | tr '\n' ' ')" >> $GITHUB_OUTPUT - - - name: Use Node.js 20.x - uses: actions/setup-node@v4 - with: - node-version: 20.x - - - name: Run Coana on the ${{github.base_ref}} branch - run: | - npx @coana-tech/cli run . \ - --guardrail-mode \ - --api-key ${{ secrets.COANA_API_KEY || 'api-key-unavailable' }} \ - -o /tmp/main-branch \ - --changed-files ${{ steps.changed-files.outputs.all_changed_files }} \ - --lightweight-reachability \ - - # Reset file permissions. - # This is necessary because the Coana CLI may add - # new files with root ownership since it's using docker. - # These files will not be deleted by the clean step in checkout - # if the permissions are not reset. - - name: Reset file permissions - run: sudo chown -R $USER:$USER . - - - name: Checkout the current branch - uses: actions/checkout@v4 - with: - clean: true - - - name: Run Coana on the current branch - run: | - npx @coana-tech/cli run . 
\ - --guardrail-mode \ - --api-key ${{ secrets.COANA_API_KEY || 'api-key-unavailable' }} \ - -o /tmp/current-branch \ - --changed-files ${{ steps.changed-files.outputs.all_changed_files }} \ - --lightweight-reachability \ - - - name: Run Report Comparison - run: | - npx @coana-tech/cli compare-reports \ - --api-key ${{ secrets.COANA_API_KEY || 'api-key-unavailable' }} \ - /tmp/main-branch/coana-report.json \ - /tmp/current-branch/coana-report.json - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/socket-tier1-analysis.yml b/.github/workflows/socket-tier1-analysis.yml new file mode 100644 index 0000000..b60357c --- /dev/null +++ b/.github/workflows/socket-tier1-analysis.yml @@ -0,0 +1,40 @@ +name: Socket Tier 1 Reachability Analysis + +on: + schedule: + # every day at 12 AM + - cron: '0 0 * * *' + workflow_dispatch: + inputs: + tags: + description: 'Manually run vulnerability analysis' + distinct_id: + description: 'Required by the return-dispatch action' + required: true + +concurrency: + group: ${{ github.workflow }}-${{ github.ref_name }} + cancel-in-progress: true + +jobs: + socket-vulnerability-analysis: + runs-on: ubuntu-latest + timeout-minutes: 60 + + steps: + - name: Check distinct_id + run: | + echo "distinct_id: ${{ github.event.inputs.distinct_id }}" + - name: Checkout code + uses: actions/checkout@v4 + - name: Install Socket CLI + run: npm install -g socket + - name: Run Tier 1 reachability scan + env: + SOCKET_SECURITY_API_TOKEN: ${{ secrets.SOCKET_API_KEY }} + run: | + # Full application reachability (Tier 1) + socket scan create . \ + --reach \ + --org "workos" \ + --no-interactive From 3515a4389b1fa27961dd025793c66600d5c2c8b6 Mon Sep 17 00:00:00 2001 From: Nick Nisi Date: Tue, 24 Mar 2026 12:24:29 -0500 Subject: [PATCH 5/8] chore: formatting: --- .github/workflows/socket-tier1-analysis.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
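Review bot: The `Check distinct_id` step interpolates `${{ github.event.inputs.distinct_id }}` directly into the shell script, which is the script-injection shape GitHub warns about; exposure is limited because only collaborators can dispatch the workflow, but the safe form costs nothing: put `DISTINCT_ID: ${{ github.event.inputs.distinct_id }}` under an `env:` on that step and use `run: echo "distinct_id: $DISTINCT_ID"`. The workflow declares no `permissions:` block, so the job token falls back to the repository default, which may be read-write; add top-level `permissions: contents: read` since the scan only needs to read the tree. `npm install -g socket` installs whatever CLI version is current at run time, outside Renovate's control and outside the SHA-pinning this series otherwise applies; pin it, e.g. `npm install -g socket@<pinned-version>` (placeholder). The `tags` input is carried over from the deleted Coana workflow and is not referenced by any step, so it can go.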
diff --git a/.github/workflows/socket-tier1-analysis.yml b/.github/workflows/socket-tier1-analysis.yml index b60357c..fb767ae 100644 --- a/.github/workflows/socket-tier1-analysis.yml +++ b/.github/workflows/socket-tier1-analysis.yml @@ -3,13 +3,13 @@ name: Socket Tier 1 Reachability Analysis on: schedule: # every day at 12 AM - - cron: '0 0 * * *' + - cron: "0 0 * * *" workflow_dispatch: inputs: tags: - description: 'Manually run vulnerability analysis' + description: "Manually run vulnerability analysis" distinct_id: - description: 'Required by the return-dispatch action' + description: "Required by the return-dispatch action" required: true concurrency: From 9655a52eb87ba91ded9640743b3cf0ad7945a0fc Mon Sep 17 00:00:00 2001 From: Nick Nisi Date: Tue, 24 Mar 2026 12:26:29 -0500 Subject: [PATCH 6/8] fix: add secrets inherit and fix publish job ID --- .github/workflows/release-please.yml | 1 + .github/workflows/release.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index ac54991..ef35222 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -33,3 +33,4 @@ jobs: needs: release-please if: ${{ needs.release-please.outputs.release_created == 'true' }} uses: ./.github/workflows/release.yml + secrets: inherit diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2f1131d..80acf92 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -9,7 +9,7 @@ defaults: shell: bash jobs: - test: + publish: name: Publish to NPM runs-on: ubuntu-latest permissions: From c429947433795a65bf53f7481f42f5c16ea924d4 Mon Sep 17 00:00:00 2001 
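Review bot: `secrets: inherit` on the `publish` job forwards every repository and organization secret to the called `release.yml`, including `SDK_BOT_PRIVATE_KEY` and `SOCKET_API_KEY` referenced elsewhere in this series, while the publish job shown in patch 1 references no `secrets.*` at all and publishes with `--provenance` under `id-token: write`. If npm trusted publishing is what authenticates the publish, drop `secrets: inherit` entirely; if the step depends on a registry token reaching it through the environment, pass only that one, `secrets:` followed by `<registry-token-secret>: ${{ secrets.<registry-token-secret> }}` (placeholder name). Separately, when `release.yml` runs as a reusable workflow the OIDC token's `workflow_ref` names the caller (`release-please.yml`) and only `job_workflow_ref` names `release.yml`, so if the registry's trusted-publisher entry is keyed on a workflow filename, confirm it still matches after this change. The `release.yml` hunk's enclosing `jobs:` block continues outside the hunk.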
From: Nick Nisi Date: Tue, 24 Mar 2026 13:50:46 -0500 Subject: [PATCH 7/8] chore: pin actions to SHA and add renovate config --- .github/workflows/ci.yml | 4 +-- .github/workflows/lint-pr-title.yml | 2 +- .github/workflows/release-please.yml | 4 +-- .github/workflows/release.yml | 4 +-- .github/workflows/socket-tier1-analysis.yml | 2 +- renovate.json | 39 +++++++++++++++++++++ 6 files changed, 47 insertions(+), 8 deletions(-) create mode 100644 renovate.json diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bd75857..a62e31c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,8 +11,8 @@ jobs: name: Pre-merge Checks runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 20 diff --git a/.github/workflows/lint-pr-title.yml b/.github/workflows/lint-pr-title.yml index b8e96ff..44bdad6 100644 --- a/.github/workflows/lint-pr-title.yml +++ b/.github/workflows/lint-pr-title.yml @@ -11,6 +11,6 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: amannn/action-semantic-pull-request@v5 + - uses: amannn/action-semantic-pull-request@e32d7e603df1aa1ba07e981f2a23455dee596825 # v5 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index ef35222..70b5bbb 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml 
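Review bot: The `lint-pr-title.yml` pin carries the comment `# v5`, a floating major tag rather than a release, whereas every other pin in this commit uses a full `vX.Y.Z` comment; the `renovate.json` added in the same commit sets `extractVersion` to a three-part `^v...$` pattern, so Renovate will likely be unable to derive a current version for this digest and the pin will not be kept up to date. Replace the comment with the exact release tag the SHA corresponds to, `# v5.<minor>.<patch>` (placeholder), so it matches the pattern. The `ci.yml` hunk pins `actions/checkout` at v4.3.1 and `actions/setup-node` at v4.4.0 while `release.yml` later in this commit moves to v6.0.2 and v6.3.0; if the split is intentional (Node 20 versus Node 24), a short comment in `ci.yml` would explain it to whoever reviews the grouped Renovate PR that tries to unify them.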
@@ -19,12 +19,12 @@ jobs: steps: - name: Generate token id: generate-token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2 with: app-id: ${{ vars.SDK_BOT_APP_ID }} private-key: ${{ secrets.SDK_BOT_PRIVATE_KEY }} - - uses: googleapis/release-please-action@v4 + - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0 id: release with: token: ${{ steps.generate-token.outputs.token }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 80acf92..01b3549 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,8 +16,8 @@ jobs: contents: read id-token: write steps: - - uses: actions/checkout@v6 - - uses: actions/setup-node@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 24 registry-url: "https://registry.npmjs.org" diff --git a/.github/workflows/socket-tier1-analysis.yml b/.github/workflows/socket-tier1-analysis.yml index fb767ae..a983ef8 100644 --- a/.github/workflows/socket-tier1-analysis.yml +++ b/.github/workflows/socket-tier1-analysis.yml @@ -26,7 +26,7 @@ jobs: run: | echo "distinct_id: ${{ github.event.inputs.distinct_id }}" - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Install Socket CLI run: npm install -g socket - name: Run Tier 1 reachability scan diff --git a/renovate.json b/renovate.json new file mode 100644 index 0000000..a8ef9a7 --- /dev/null +++ b/renovate.json 
@@ -0,0 +1,39 @@ +{ + "extends": [ + "config:recommended" + ], + "schedule": [ + "on the 15th day of the month before 12pm" + ], + "timezone": "UTC", + "rebaseWhen": "conflicted", + "packageRules": [ + { + "matchManagers": [ + "github-actions" + ], + "extractVersion": "^v(?\\d+\\.\\d+\\.\\d+)$", + "groupName": "github-actions" + }, + { + "matchUpdateTypes": [ + "minor", + "patch" + ], + "automerge": true, + "groupName": "minor and patch updates" + }, + { + "matchUpdateTypes": [ + "major" + ], + "automerge": false + }, + { + "matchUpdateTypes": [ + "digest" + ], + "automerge": false + } + ] +} From 8530237b3e831cad64e7d8dc214a42191ff0f53a Mon Sep 17 00:00:00 2001 From: Nick Nisi Date: Tue, 24 Mar 2026 13:52:18 -0500 Subject: [PATCH 8/8] chore: formatting: --- renovate.json | 25 ++++++------------------- 1 file changed, 6 insertions(+), 19 deletions(-) diff --git a/renovate.json b/renovate.json index a8ef9a7..a1edcd4 100644 --- a/renovate.json +++ b/renovate.json @@ -1,38 +1,25 @@ { - "extends": [ - "config:recommended" - ], - "schedule": [ - "on the 15th day of the month before 12pm" - ], + "extends": ["config:recommended"], + "schedule": ["on the 15th day of the month before 12pm"], "timezone": "UTC", "rebaseWhen": "conflicted", "packageRules": [ { - "matchManagers": [ - "github-actions" - ], + "matchManagers": ["github-actions"], "extractVersion": "^v(?\\d+\\.\\d+\\.\\d+)$", "groupName": "github-actions" }, { - "matchUpdateTypes": [ - "minor", - "patch" - ], + "matchUpdateTypes": ["minor", "patch"], "automerge": true, "groupName": "minor and patch updates" }, { - "matchUpdateTypes": [ - "major" - ], + "matchUpdateTypes": ["major"], "automerge": false }, { - "matchUpdateTypes": [ - "digest" - ], + "matchUpdateTypes": ["digest"], "automerge": false } ]
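Review bot: `extractVersion` appears here as `"^v(?\\d+\\.\\d+\\.\\d+)$"`, which lacks the named capture group Renovate requires; this may be the page stripping the angle brackets, but if the committed file really reads `(?\\d+` the regex is invalid and the github-actions rule does nothing — it should be `"extractVersion": "^v(?<version>\\d+\\.\\d+\\.\\d+)$"`. The `minor`/`patch` rule sets `"automerge": true` with no `matchManagers`, so every third-party npm dependency bump merges on green CI with no human review, a wider supply-chain exposure than the SHA-pinning in this commit suggests was intended; either add `"matchManagers": ["github-actions"]` to that rule or set a `"minimumReleaseAge"` so freshly published versions wait before automerge. As far as I recall, `config:recommended` leaves vulnerability-alert PRs exempt from `schedule`, so the 15th-of-the-month cadence should not delay security fixes — worth a comment next to `schedule` so nobody loosens it for that reason, and worth confirming against the Renovate docs.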