From 848a8557d92f9a2e83df17f4db26ffb82426c27a Mon Sep 17 00:00:00 2001
From: lelia <2418071+lelia@users.noreply.github.com>
Date: Fri, 24 Apr 2026 16:30:03 -0400
Subject: [PATCH 1/3] chore: bump version to 2.0.3 for release
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
---
 action.yml | 2 +-
 pyproject.toml | 2 +-
 socket_basics/__init__.py | 2 +-
 socket_basics/version.py | 2 +-
 uv.lock | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/action.yml b/action.yml
index 75fedea..aa3537b 100644
--- a/action.yml
+++ b/action.yml
@@ -4,7 +4,7 @@ author: "Socket"
 runs:
 using: "docker"
- image: "docker://ghcr.io/socketdev/socket-basics:2.0.2"
+ image: "docker://ghcr.io/socketdev/socket-basics:2.0.3"
 env:
 # Core GitHub variables (these are automatically available, but we explicitly pass GITHUB_TOKEN)
 GITHUB_TOKEN: ${{ inputs.github_token }}
diff --git a/pyproject.toml b/pyproject.toml
index e2dfcf9..bdb6cdc 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "socket_basics"
-version = "2.0.2"
+version = "2.0.3"
 description = "Socket Basics with integrated SAST, secret scanning, and container analysis"
 readme = "README.md"
 requires-python = ">=3.10"
diff --git a/socket_basics/__init__.py b/socket_basics/__init__.py
index 9330d3a..6dd634c 100644
--- a/socket_basics/__init__.py
+++ b/socket_basics/__init__.py
@@ -12,7 +12,7 @@ from .socket_basics import SecurityScanner, main
 from .core.config import load_config_from_env, Config
-__version__ = "2.0.2"
+__version__ = "2.0.3"
 __author__ = "Socket.dev"
 __email__ = "support@socket.dev"
diff --git a/socket_basics/version.py b/socket_basics/version.py
index 0309ae2..5fa9130 100644
--- a/socket_basics/version.py
+++ b/socket_basics/version.py
@@ -1 +1 @@
-__version__ = "2.0.2"
+__version__ = "2.0.3"
diff --git a/uv.lock b/uv.lock
index 0f9933a..6dd71c2 100644
--- a/uv.lock
+++ b/uv.lock
@@ -623,7 +623,7 @@ wheels = [
 [[package]]
 name = "socket-basics"
-version = "1.1.3"
+version = "2.0.3"
 source = { editable = "." }
 dependencies = [
 { name = "jsonschema" },
From be6d79095979eecf40c9ec8ba07b539bbc99d9f8 Mon Sep 17 00:00:00 2001
From: lelia <2418071+lelia@users.noreply.github.com>
Date: Fri, 24 Apr 2026 16:30:53 -0400
Subject: [PATCH 2/3] docs: update documentation refs to v2.0.3
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
---
 CHANGELOG.md | 15 +++++++
 README.md | 6 +--
 docs/github-action.md | 56 ++++++++++++------------
 docs/local-install-docker.md | 82 ++++++++++++++++++------------------
 docs/pre-commit-hook.md | 2 +-
 5 files changed, 88 insertions(+), 73 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index af087a9..057682e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,21 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 ## [Unreleased]
+## [2.0.3] - 2026-04-24
+
+
+
+## What's Changed
+### 🔧 Other Changes
+* fix: Harden GHA workflows by @reberhardt7 in https://github.com/SocketDev/socket-basics/pull/58
+* docs: cleanup docs guidance, additional workflow hardening by @lelia in https://github.com/SocketDev/socket-basics/pull/60
+* fix(rules): improve precision of 4 high-FP dotnet opengrep rules by @dc-larsen in https://github.com/SocketDev/socket-basics/pull/63
+
+## New Contributors
+* @reberhardt7 made their first contribution in https://github.com/SocketDev/socket-basics/pull/58
+
+**Full Changelog**: https://github.com/SocketDev/socket-basics/compare/v2.0.2...v2.0.3
+
 ## [2.0.2] - 2026-03-23
diff --git a/README.md b/README.md
index ee90234..5c0c2b9 100644
--- a/README.md
+++ b/README.md
@@ -35,7 +35,7 @@ jobs: - name: Run Socket Basics # Pin to a commit SHA for supply-chain safety. # Dependabot will keep this up to date automatically — see docs/github-action.md. - uses: SocketDev/socket-basics@ # v2.0.2 + uses: SocketDev/socket-basics@ # v2.0.3 env: GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} with: @@ -168,10 +168,10 @@ For GitHub Actions, see the [Quick Start](#-quick-start---github-actions) above ```bash # Pull the pre-built image (recommended — no build step required) -docker pull ghcr.io/socketdev/socket-basics:2.0.2 +docker pull ghcr.io/socketdev/socket-basics:2.0.3 # Run scan -docker run --rm -v "$PWD:/workspace" ghcr.io/socketdev/socket-basics:2.0.2 \ +docker run --rm -v "$PWD:/workspace" ghcr.io/socketdev/socket-basics:2.0.3 \ --workspace /workspace \ --python-sast-enabled \ --secret-scanning-enabled \ diff --git a/docs/github-action.md b/docs/github-action.md index b795af7..33c6c49 100644 --- a/docs/github-action.md +++ b/docs/github-action.md @@ -43,7 +43,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run Socket Basics - uses: SocketDev/socket-basics@v2.0.2 + uses: SocketDev/socket-basics@v2.0.3 env: GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} with: @@ -57,7 +57,7 @@ With just your `SOCKET_SECURITY_API_KEY`, all scanning configurations are manage ### How the action is currently built -When you reference `uses: SocketDev/socket-basics@v2.0.2`, GitHub Actions pulls the +When you reference `uses: SocketDev/socket-basics@v2.0.3`, GitHub Actions pulls the pre-built image referenced by [`action.yml`](../action.yml). The historical multi-stage Docker build still matters for maintainers because it determines what lands in the published image: 
@@ -75,7 +75,7 @@ Socket Basics from source in every workflow run. ### Pre-built image Starting with v2, the action pulls a pre-built image from GHCR rather than -building from source on every run. Pinning to a specific version tag (e.g. `@v2.0.2`) +building from source on every run. Pinning to a specific version tag (e.g. `@v2.0.3`) means the action starts in seconds — the image is built, integration-tested, and published before the release tag is ever created. @@ -85,7 +85,7 @@ If you run socket-basics in other CI systems (Jenkins, GitLab, CircleCI, etc.) o as a standalone `docker run`, pull the pre-built image directly: ```bash -docker pull ghcr.io/socketdev/socket-basics:2.0.2 +docker pull ghcr.io/socketdev/socket-basics:2.0.3 ``` See [Local Docker Installation](local-install-docker.md) for usage examples. @@ -100,7 +100,7 @@ is immediately affected. We've seen this happen across the ecosystem: A single bad push silently reaches all users with no review gate. This is structurally identical to `docker pull :latest` — the anti-pattern we explicitly warn against in our Docker docs. -- **Version tags** (`@v2.0.2`) are better, but tags are mutable by default. +- **Version tags** (`@v2.0.3`) are better, but tags are mutable by default. A tag can be deleted and recreated pointing at a different commit. There are documented cases of this happening — maliciously and accidentally. - **Commit SHAs** are the only truly immutable reference. A SHA cannot be @@ -108,7 +108,7 @@ is immediately affected. We've seen this happen across the ecosystem: human review gate at zero ongoing maintenance cost. We don't publish a floating major tag (`v2`). We do publish immutable version -tags (`v2.0.2`) protected by tag protection rules in GitHub — but SHA pinning +tags (`v2.0.3`) protected by tag protection rules in GitHub — but SHA pinning is still the recommendation for defence in depth. ### Pinning strategies 
@@ -124,14 +124,14 @@ The only truly immutable reference. Dependabot keeps it current automatically. ```yaml - name: Run Socket Basics # Dependabot keeps this SHA up to date — see .github/dependabot.yml setup below. - uses: SocketDev/socket-basics@ # v2.0.2 + uses: SocketDev/socket-basics@ # v2.0.3 with: socket_security_api_key: ${{ secrets.SOCKET_SECURITY_API_KEY }} ``` Get the SHA for any release: ```bash -git ls-remote https://github.com/SocketDev/socket-basics refs/tags/v2.0.2 +git ls-remote https://github.com/SocketDev/socket-basics refs/tags/v2.0.3 ``` --- @@ -143,7 +143,7 @@ enforces tag protection rules). SHA pinning is still preferable for defence in depth. ```yaml -- uses: SocketDev/socket-basics@v2.0.2 +- uses: SocketDev/socket-basics@v2.0.3 with: socket_security_api_key: ${{ secrets.SOCKET_SECURITY_API_KEY }} ``` @@ -164,7 +164,7 @@ updates: ``` Dependabot opens a PR for each new release, updating the SHA or version tag -and keeping the `# v2.0.2` comment in sync. You review, approve, and merge +and keeping the `# v2.0.3` comment in sync. You review, approve, and merge on your own schedule — automated upgrades with a human gate. --- @@ -174,7 +174,7 @@ on your own schedule — automated upgrades with a human gate. | Strategy | Immutable? | Auto-updates | Review gate | |---|---|---|---| | `@v2` floating tag | ❌ (not published) | — | — | -| `@v2.0.2` + Dependabot | ✅ (tag protection enforced) | Yes (weekly PR) | Yes | +| `@v2.0.3` + Dependabot | ✅ (tag protection enforced) | Yes (weekly PR) | Yes | | `@` + Dependabot | ✅ always | Yes (weekly PR) | Yes | ## Basic Configuration @@ -202,7 +202,7 @@ Include these in your workflow's `jobs..permissions` section. **SAST (Static Analysis):** ```yaml -- uses: SocketDev/socket-basics@v2.0.2 +- uses: SocketDev/socket-basics@v2.0.3 with: github_token: ${{ secrets.GITHUB_TOKEN }} # Enable SAST for specific languages 
@@ -216,7 +216,7 @@ Include these in your workflow's `jobs..permissions` section. **Secret Scanning:** ```yaml -- uses: SocketDev/socket-basics@v2.0.2 +- uses: SocketDev/socket-basics@v2.0.3 with: github_token: ${{ secrets.GITHUB_TOKEN }} secret_scanning_enabled: 'true' @@ -228,7 +228,7 @@ Include these in your workflow's `jobs..permissions` section. **Container Scanning:** ```yaml -- uses: SocketDev/socket-basics@v2.0.2 +- uses: SocketDev/socket-basics@v2.0.3 with: github_token: ${{ secrets.GITHUB_TOKEN }} # The supported pre-built GitHub Action path currently ships without @@ -250,7 +250,7 @@ Include these in your workflow's `jobs..permissions` section. **Socket Tier 1 Reachability:** ```yaml -- uses: SocketDev/socket-basics@v2.0.2 +- uses: SocketDev/socket-basics@v2.0.3 with: github_token: ${{ secrets.GITHUB_TOKEN }} socket_tier_1_enabled: 'true' @@ -259,7 +259,7 @@ Include these in your workflow's `jobs..permissions` section. ### Output Configuration ```yaml -- uses: SocketDev/socket-basics@v2.0.2 +- uses: SocketDev/socket-basics@v2.0.3 with: github_token: ${{ secrets.GITHUB_TOKEN }} python_sast_enabled: 'true' @@ -295,7 +295,7 @@ Configure Socket Basics centrally from the [Socket Dashboard](https://socket.dev **Enable in workflow:** ```yaml -- uses: SocketDev/socket-basics@v2.0.2 +- uses: SocketDev/socket-basics@v2.0.3 env: GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} with: @@ -308,7 +308,7 @@ Configure Socket Basics centrally from the [Socket Dashboard](https://socket.dev > [!NOTE] > You can also pass credentials using environment variables instead of the `with:` section: > ```yaml -> - uses: SocketDev/socket-basics@v2.0.2 +> - uses: SocketDev/socket-basics@v2.0.3 > env: > SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }} > with: 
@@ -326,7 +326,7 @@ All notification integrations require Socket Enterprise. **Slack Notifications:** ```yaml -- uses: SocketDev/socket-basics@v2.0.2 +- uses: SocketDev/socket-basics@v2.0.3 with: github_token: ${{ secrets.GITHUB_TOKEN }} socket_org: ${{ secrets.SOCKET_ORG }} @@ -338,7 +338,7 @@ All notification integrations require Socket Enterprise. **Jira Issue Creation:** ```yaml -- uses: SocketDev/socket-basics@v2.0.2 +- uses: SocketDev/socket-basics@v2.0.3 with: github_token: ${{ secrets.GITHUB_TOKEN }} socket_org: ${{ secrets.SOCKET_ORG }} @@ -353,7 +353,7 @@ All notification integrations require Socket Enterprise. **Microsoft Teams:** ```yaml -- uses: SocketDev/socket-basics@v2.0.2 +- uses: SocketDev/socket-basics@v2.0.3 with: github_token: ${{ secrets.GITHUB_TOKEN }} socket_org: ${{ secrets.SOCKET_ORG }} @@ -365,7 +365,7 @@ All notification integrations require Socket Enterprise. **Generic Webhook:** ```yaml -- uses: SocketDev/socket-basics@v2.0.2 +- uses: SocketDev/socket-basics@v2.0.3 with: github_token: ${{ secrets.GITHUB_TOKEN }} socket_org: ${{ secrets.SOCKET_ORG }} @@ -377,7 +377,7 @@ All notification integrations require Socket Enterprise. **SIEM Integration:** ```yaml -- uses: SocketDev/socket-basics@v2.0.2 +- uses: SocketDev/socket-basics@v2.0.3 with: github_token: ${{ secrets.GITHUB_TOKEN }} socket_org: ${{ secrets.SOCKET_ORG }} @@ -413,7 +413,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run Socket Basics - uses: SocketDev/socket-basics@v2.0.2 + uses: SocketDev/socket-basics@v2.0.3 env: GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} with: @@ -456,7 +456,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run Full Security Scan - uses: SocketDev/socket-basics@v2.0.2 + uses: SocketDev/socket-basics@v2.0.3 env: GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} with: 
@@ -581,7 +581,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run Socket Basics - uses: SocketDev/socket-basics@v2.0.2 + uses: SocketDev/socket-basics@v2.0.3 env: GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} with: @@ -636,7 +636,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run Socket Basics - uses: SocketDev/socket-basics@v2.0.2 + uses: SocketDev/socket-basics@v2.0.3 env: GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} with: @@ -738,7 +738,7 @@ env: ```yaml steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - Must be first - - uses: SocketDev/socket-basics@v2.0.2 + - uses: SocketDev/socket-basics@v2.0.3 ``` ### PR Comments Not Appearing diff --git a/docs/local-install-docker.md b/docs/local-install-docker.md index 605ab4f..d4e31bc 100644 --- a/docs/local-install-docker.md +++ b/docs/local-install-docker.md @@ -16,7 +16,7 @@ Run Socket Basics locally using Docker without installing security tools on your ```bash # 1. Pull a pinned release from GHCR (no build step required) -docker pull ghcr.io/socketdev/socket-basics:2.0.2 +docker pull ghcr.io/socketdev/socket-basics:2.0.3 # 2. Create .env file with your credentials cat > .env << 'EOF' @@ -28,14 +28,14 @@ EOF docker run --rm \ -v "$PWD:/workspace" \ --env-file .env \ - ghcr.io/socketdev/socket-basics:2.0.2 \ + ghcr.io/socketdev/socket-basics:2.0.3 \ --workspace /workspace \ --python \ --secrets \ --console-tabular-enabled ``` -The Docker image should always be pinned to an exact version such as `2.0.2`. Avoid +The Docker image should always be pinned to an exact version such as `2.0.3`. Avoid floating tags like `:latest` in CI/CD. ## Using Pre-built Images 
@@ -45,12 +45,12 @@ The baked-in security tool versions are recorded in the image labels so you can inspect exactly what's inside: ```bash -docker inspect ghcr.io/socketdev/socket-basics:2.0.2 \ +docker inspect ghcr.io/socketdev/socket-basics:2.0.3 \ | jq '.[0].Config.Labels' # { # "com.socket.trufflehog-version": "3.93.8", # "com.socket.opengrep-version": "v1.16.5", -# "org.opencontainers.image.version": "2.0.2", +# "org.opencontainers.image.version": "2.0.3", # ... # } ``` @@ -84,7 +84,7 @@ docker inspect ghcr.io/socketdev/socket-basics:2.0.2 \ -v "$GITHUB_WORKSPACE:/workspace" \ -e SOCKET_SECURITY_API_KEY=${{ secrets.SOCKET_API_KEY }} \ -e SOCKET_ORG=${{ secrets.SOCKET_ORG }} \ - ghcr.io/socketdev/socket-basics:2.0.2 \ + ghcr.io/socketdev/socket-basics:2.0.3 \ --workspace /workspace \ --all-languages \ --secrets \ @@ -95,7 +95,7 @@ docker inspect ghcr.io/socketdev/socket-basics:2.0.2 \ ```yaml security-scan: - image: ghcr.io/socketdev/socket-basics:2.0.2 + image: ghcr.io/socketdev/socket-basics:2.0.3 stage: test script: - socket-basics @@ -112,7 +112,7 @@ security-scan: ```dockerfile # Pin socket-basics and let Dependabot send upgrade PRs automatically -FROM ghcr.io/socketdev/socket-basics:2.0.2 +FROM ghcr.io/socketdev/socket-basics:2.0.3 ``` ### Staying Up to Date with Dependabot @@ -130,7 +130,7 @@ updates: interval: "weekly" ``` -Dependabot will detect the `FROM ghcr.io/socketdev/socket-basics:2.0.2` reference +Dependabot will detect the `FROM ghcr.io/socketdev/socket-basics:2.0.3` reference and open a PR with the version bump when a new release is available. ## Building the Docker Image @@ -141,10 +141,10 @@ Pull a specific release without building locally: ```bash # GHCR (preferred) -docker pull ghcr.io/socketdev/socket-basics:2.0.2 +docker pull ghcr.io/socketdev/socket-basics:2.0.3 # Docker Hub -docker pull socketdev/socket-basics:2.0.2 +docker pull socketdev/socket-basics:2.0.3 ``` ### Build from Source 
@@ -157,7 +157,7 @@ git clone https://github.com/SocketDev/socket-basics.git cd socket-basics # Build with version tag (multi-stage; first build is slower, subsequent ones are fast) -docker build -t socket-basics:2.0.2 . +docker build -t socket-basics:2.0.3 . # Verify the build docker images | grep socket-basics @@ -166,7 +166,7 @@ docker images | grep socket-basics ### Build for a Specific Platform (M1/M2 Macs) ```bash -docker build --platform linux/amd64 -t socket-basics:2.0.2 . +docker build --platform linux/amd64 -t socket-basics:2.0.3 . ``` ### Build with Custom Tool Versions @@ -177,7 +177,7 @@ The image pins the bundled tools to specific versions. You can override them at docker build \ --build-arg TRUFFLEHOG_VERSION=3.93.8 \ --build-arg OPENGREP_VERSION=v1.16.5 \ - -t socket-basics:2.0.2 . + -t socket-basics:2.0.3 . ``` `TRIVY_VERSION` still exists in the Dockerfile for maintainers, but the current @@ -188,10 +188,10 @@ from the `app_tests` directory and use the same build args. ```bash # Check that all tools are available in the container -docker run --rm socket-basics:2.0.2 socket-basics --version -docker run --rm socket-basics:2.0.2 socket --version -docker run --rm socket-basics:2.0.2 opengrep --version -docker run --rm socket-basics:2.0.2 trufflehog --version +docker run --rm socket-basics:2.0.3 socket-basics --version +docker run --rm socket-basics:2.0.3 socket --version +docker run --rm socket-basics:2.0.3 opengrep --version +docker run --rm socket-basics:2.0.3 trufflehog --version ``` ### Smoke Test @@ -226,7 +226,7 @@ Mount your project directory into the container: # Scan current directory docker run --rm \ -v "$PWD:/workspace" \ - socket-basics:2.0.2 \ + socket-basics:2.0.3 \ --workspace /workspace \ --python \ --secrets \ 
@@ -243,7 +243,7 @@ docker run --rm \ # Scan a specific project directory docker run --rm \ -v "/path/to/your/project:/workspace" \ - socket-basics:2.0.2 \ + socket-basics:2.0.3 \ --workspace /workspace \ --javascript \ --secrets @@ -254,7 +254,7 @@ docker run --rm \ ```bash docker run --rm \ -v "$PWD:/workspace" \ - socket-basics:2.0.2 \ + socket-basics:2.0.3 \ --workspace /workspace \ --all-languages \ --secrets \ @@ -302,7 +302,7 @@ VERBOSE=false docker run --rm \ -v "$PWD:/workspace" \ --env-file .env \ - socket-basics:2.0.2 \ + socket-basics:2.0.3 \ --workspace /workspace \ --python \ --secrets @@ -317,7 +317,7 @@ docker run --rm \ -v "$PWD:/workspace" \ -e "SOCKET_SECURITY_API_KEY=scrt_your_api_key" \ -e "SOCKET_ORG=your-org-slug" \ - socket-basics:2.0.2 \ + socket-basics:2.0.3 \ --workspace /workspace \ --python \ --secrets \ @@ -339,7 +339,7 @@ docker run --rm \ --env-file .env.socket \ --env-file .env.notifiers \ --env-file .env.scanning \ - socket-basics:2.0.2 \ + socket-basics:2.0.3 \ --workspace /workspace \ --all-languages ``` @@ -358,7 +358,7 @@ docker run --rm \ -v "$PWD:/workspace" \ -e "SOCKET_SECURITY_API_KEY=$SOCKET_SECURITY_API_KEY" \ -e "SOCKET_ORG=$SOCKET_ORG" \ - socket-basics:2.0.2 \ + socket-basics:2.0.3 \ --workspace /workspace \ --python ``` @@ -390,7 +390,7 @@ docker run --rm \ -v "$PWD:/workspace" \ -v "$PWD/scan-results:/results" \ --env-file .env \ - socket-basics:2.0.2 \ + socket-basics:2.0.3 \ --workspace /workspace \ --python \ --secrets \ @@ -407,7 +407,7 @@ docker run --rm -it \ -v "$PWD:/workspace" \ --env-file .env \ --entrypoint /bin/bash \ - socket-basics:2.0.2 + socket-basics:2.0.3 # Inside container, run commands manually: # cd /workspace @@ -436,7 +436,7 @@ docker run --rm \ -v "$PWD:/workspace" \ -v "$PWD/socket-config.json:/config.json" \ --env-file .env \ - socket-basics:2.0.2 \ + socket-basics:2.0.3 \ --workspace /workspace \ --config /config.json ``` 
@@ -460,7 +460,7 @@ for PROJECT in "${PROJECTS[@]}"; do docker run --rm \ -v "$PROJECT:/workspace" \ --env-file .env \ - socket-basics:2.0.2 \ + socket-basics:2.0.3 \ --workspace /workspace \ --all-languages \ --secrets \ @@ -484,7 +484,7 @@ pipeline { stage('Security Scan') { steps { script { - docker.image('ghcr.io/socketdev/socket-basics:2.0.2').inside( + docker.image('ghcr.io/socketdev/socket-basics:2.0.3').inside( "-v ${WORKSPACE}:/workspace --env-file .env" ) { sh ''' @@ -506,7 +506,7 @@ pipeline { ```yaml security-scan: - image: ghcr.io/socketdev/socket-basics:2.0.2 + image: ghcr.io/socketdev/socket-basics:2.0.3 stage: test script: - socket-basics @@ -532,7 +532,7 @@ security-scan: docker run --rm \ -v "$PWD:/workspace" \ --user "$(id -u):$(id -g)" \ - socket-basics:2.0.2 \ + socket-basics:2.0.3 \ --workspace /workspace ``` @@ -551,14 +551,14 @@ security-scan: ```bash docker run --rm \ -v "$(pwd):/workspace" \ # Use $(pwd) instead of $PWD - socket-basics:2.0.2 + socket-basics:2.0.3 ``` 2. Verify mount: ```bash docker run --rm \ -v "$PWD:/workspace" \ - socket-basics:2.0.2 \ + socket-basics:2.0.3 \ ls -la /workspace ``` @@ -588,7 +588,7 @@ security-scan: docker run --rm \ -v "$PWD:/workspace" \ --env-file "$(pwd)/.env" \ - socket-basics:2.0.2 + socket-basics:2.0.3 ``` ### Container Image Too Large @@ -619,7 +619,7 @@ security-scan: ```bash docker run --rm \ -v "$PWD:/workspace" \ - socket-basics:2.0.2 \ + socket-basics:2.0.3 \ --workspace /workspace \ --python \ --secrets \ @@ -640,7 +640,7 @@ security-scan: ```bash docker run --rm \ -v "$PWD:/workspace" \ - socket-basics:2.0.2 \ + socket-basics:2.0.3 \ --workspace /workspace \ --output /workspace/results.json # Save to mounted directory ``` @@ -651,7 +651,7 @@ security-scan: docker run --rm \ -v "$PWD:/workspace" \ -v "$PWD/results:/results" \ - socket-basics:2.0.2 \ + socket-basics:2.0.3 \ --workspace /workspace \ --output /results/scan.json ``` 
@@ -662,7 +662,7 @@ Add these to your `~/.bashrc` or `~/.zshrc` for quick access: ```bash # Socket Basics Docker aliases -alias sb-docker='docker run --rm -v "$PWD:/workspace" --env-file .env ghcr.io/socketdev/socket-basics:2.0.2 --workspace /workspace' +alias sb-docker='docker run --rm -v "$PWD:/workspace" --env-file .env ghcr.io/socketdev/socket-basics:2.0.3 --workspace /workspace' alias sb-quick='sb-docker --secrets --console-tabular-enabled' alias sb-python='sb-docker --python --secrets --console-tabular-enabled' alias sb-js='sb-docker --javascript --secrets --console-tabular-enabled' @@ -687,7 +687,7 @@ sb-all ## Best Practices 1. **Use pre-built images** — Pull `ghcr.io/socketdev/socket-basics:` instead of building locally -2. **Pin to a specific version** — Avoid `:latest` in production CI; pin to `2.0.2` and upgrade deliberately +2. **Pin to a specific version** — Avoid `:latest` in production CI; pin to `2.0.3` and upgrade deliberately 3. **Use Dependabot** — Reference the image in your Dockerfile/Compose to get automatic upgrade PRs 4. **Inspect baked-in labels** — Run `docker inspect | jq '.[0].Config.Labels'` to verify tool versions 5. **Use .env files** — Keep credentials out of command history @@ -706,7 +706,7 @@ set -e # Configuration PROJECT_DIR="$(pwd)" RESULTS_DIR="./scan-results" -IMAGE_NAME="socket-basics:2.0.2" +IMAGE_NAME="socket-basics:2.0.3" ENV_FILE=".env" # Create results directory diff --git a/docs/pre-commit-hook.md b/docs/pre-commit-hook.md index b6aaedc..827f7e3 100644 --- a/docs/pre-commit-hook.md +++ b/docs/pre-commit-hook.md @@ -35,7 +35,7 @@ Best for: Teams wanting consistent environments without installing security tool ```bash # Pull the pre-built image (no build step required) -docker pull ghcr.io/socketdev/socket-basics:2.0.2 +docker pull ghcr.io/socketdev/socket-basics:2.0.3 ``` **2. Create pre-commit hook:** From e45cd9064ecaffbbe66cf04d990e91824e09dfc9 Mon Sep 17 00:00:00 2001 
From: lelia <2418071+lelia@users.noreply.github.com>
Date: Fri, 24 Apr 2026 16:33:20 -0400
Subject: [PATCH 3/3] ci: simplify publish workflow to comply with GitHub restrictions
Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
---
 .github/PULL_REQUEST_TEMPLATE.md | 2 +-
 .github/workflows/_docker-pipeline.yml | 6 ++--
 .github/workflows/publish-docker.yml | 50 ++++---------------------
 scripts/update_changelog.py | 6 ++--
 4 files changed, 13 insertions(+), 51 deletions(-)
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index 3e0beea..7b65fcf 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -26,4 +26,4 @@
 - [ ] `socket_basics/version.py` updated to new version
 - [ ] `socket_basics/__init__.py` updated to the same version
 - [ ] `action.yml` `image:` ref updated to `docker://ghcr.io/socketdev/socket-basics:`
-- [ ] `CHANGELOG.md` `[Unreleased]` section reviewed
+- [ ] `CHANGELOG.md` updated with human-authored release notes for this version
diff --git a/.github/workflows/_docker-pipeline.yml b/.github/workflows/_docker-pipeline.yml
index 0fad966..91d8367 100644
--- a/.github/workflows/_docker-pipeline.yml
+++ b/.github/workflows/_docker-pipeline.yml
@@ -7,11 +7,11 @@ name: _docker-pipeline (reusable)
 #
 # Two modes:
 # push: false → build + smoke test + integration test (main image only)
-# push: true → above + push to GHCR/Docker Hub + update floating v-tag
+# push: true → above + push exact version tags to GHCR/Docker Hub
 #
 # Permissions required from the calling workflow:
 # push: false → contents: read
-# push: true → contents: write, packages: write
+# push: true → contents: read, packages: write
 on:
 workflow_call:
@@ -41,7 +41,7 @@ on: tag_push: description: > True when the caller was triggered by a tag push (e.g. v2.0.0). - Controls the floating major-version tag update and the 'latest' Docker tag. + Controls semver metadata-action tagging for exact release tags. Passed explicitly rather than relying on github.ref_type inside the callee, since context propagation in reusable workflows can be ambiguous. type: boolean diff --git a/.github/workflows/publish-docker.yml b/.github/workflows/publish-docker.yml index e997c06..82d10fb 100644 --- a/.github/workflows/publish-docker.yml +++ b/.github/workflows/publish-docker.yml 
@@ -80,38 +80,22 @@ jobs:
 DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
 DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
- # ── Job 3: Create GitHub release + update CHANGELOG ────────────────────────
+ # ── Job 3: Create GitHub release ───────────────────────────────────────────
 # Runs once after the image is successfully pushed (not for workflow_dispatch
 # re-publishes — those don't create new releases).
- # Generates categorised release notes from merged PR labels (.github/release.yml),
- # creates the GitHub Release, then commits the CHANGELOG update back to main.
+ # Generates categorised release notes from merged PR labels (.github/release.yml).
+ # CHANGELOG updates are intentionally human-authored in the release PR so this
+ # workflow never needs to push commits to the protected default branch.
 create-release:
 needs: [resolve-version, build-test-push]
 if: github.ref_type == 'tag'
 permissions:
- contents: write # create GitHub release + commit CHANGELOG back to main
+ contents: write # create GitHub release
 runs-on: ubuntu-latest
- env:
- VERSION: ${{ needs.resolve-version.outputs.version }}
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- ref: main
- fetch-depth: 0
- persist-credentials: false
-
- - name: 🤖 Generate socket-release-bot token
- id: bot
- uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
- with:
- app-id: ${{ secrets.GH_BOT_APP_ID }}
- private-key: ${{ secrets.GH_BOT_APP_PEM_FILE }}
- owner: SocketDev
- repositories: socket-basics
-
 - name: 📝 Create GitHub release with auto-generated notes
 env:
- GH_TOKEN: ${{ steps.bot.outputs.token }}
+ GH_TOKEN: ${{ github.token }}
 REF_NAME: ${{ github.ref_name }}
 run: |
 gh release create "$REF_NAME" \
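Review bot: With the `actions/checkout` step removed from the create-release job, `gh release create "$REF_NAME" \` now runs in a working directory that is not a git repository, and gh resolves the target repository from the local git remote unless `GH_REPO` or `--repo` is supplied, so the step will most likely fail instead of creating the release (unless `GH_REPO` is set somewhere outside this hunk). Add `GH_REPO: ${{ github.repository }}` to the step's `env:` block beside `GH_TOKEN`. Replacing the GitHub App token with `${{ github.token }}` is the right least-privilege change now that the job no longer pushes to main, and `--verify-tag` keeps the release bound to an existing tag; a one-line comment such as `# github.token suffices: this job only creates the release and never pushes to main` above the step would record why the App token and its secrets were dropped. The step's `run:` block continues in the next hunk.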
@@ -119,25 +103,3 @@ jobs:
 --generate-notes \
 --verify-tag \
 || echo "Release already exists (re-run scenario) — skipping creation"
-
- - name: 📋 Update CHANGELOG.md
- env:
- GH_TOKEN: ${{ steps.bot.outputs.token }}
- REF_NAME: ${{ github.ref_name }}
- run: |
- NOTES=$(gh release view "$REF_NAME" --json body --jq .body)
- DATE=$(date +%Y-%m-%d)
- echo "$NOTES" | python scripts/update_changelog.py \
- --version "$VERSION" \
- --date "$DATE"
-
- - name: 🔀 Commit CHANGELOG back to main
- env:
- BOT_TOKEN: ${{ steps.bot.outputs.token }}
- run: |
- git config user.name "socket-release-bot[bot]"
- git config user.email "socket-release-bot[bot]@users.noreply.github.com"
- git remote set-url origin "https://x-access-token:${BOT_TOKEN}@github.com/SocketDev/socket-basics.git"
- git add CHANGELOG.md
- git diff --cached --quiet || git commit -m "chore: release ${github.ref_name} — update CHANGELOG [skip ci]"
- git push origin HEAD:main
diff --git a/scripts/update_changelog.py b/scripts/update_changelog.py
index 4ce45ec..373f4cc 100755
--- a/scripts/update_changelog.py
+++ b/scripts/update_changelog.py
@@ -2,9 +2,9 @@
 """
 update_changelog.py — Prepend a new release section to CHANGELOG.md.
-Called automatically by the publish-docker workflow after a GitHub Release
-is created. Reads the generated release notes, inserts a new version section
-immediately after [Unreleased], and updates the comparison links at the bottom.
+Legacy helper for applying generated release notes locally. The publish-docker
+workflow intentionally does not call this script anymore, because release
+changelog updates are human-authored in the release PR.
 Usage:
 # Notes from a file: