feat(fix): add --package-managers flag #422

Workflow file for this run

.github/workflows/e2e-tests.yml at f4627ed

	name: E2E Tests

	on:
	pull_request:
	branches: [main, v1.x]
	workflow_dispatch:

	permissions:
	contents: read

	jobs:
	e2e-tests:
	name: e2e-tests
	runs-on: ${{ matrix.os }}
	timeout-minutes: 20
	strategy:
	fail-fast: true
	matrix:
	node-version: [20, 22, 24]
	os: [ubuntu-latest]
	# os: [ubuntu-latest, windows-latest] - Windows tests disbaled (see project https://linear.app/socketdev/project/autofixes-windows-support-fc2f2a45f759)
	steps:
	- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	persist-credentials: false

	- name: Install pnpm
	shell: bash
	run: \| # zizmor: ignore[github-env]
	PNPM_VERSION="10.33.0"
	PNPM_DIR="${RUNNER_TEMP:-/tmp}/pnpm-bin"
	KERNEL="$(uname -s \| cut -d- -f1)"
	ARCH="$(uname -m)"
	case "${KERNEL}-${ARCH}" in
	Linux-x86_64) ASSET="pnpm-linux-x64" ; EXPECTED_SHA256="8d4e8f7d778e8ac482022e2577011706a872542f6f6f233e795a4d9f978ea8b5" ;;
	Linux-aarch64) ASSET="pnpm-linux-arm64" ; EXPECTED_SHA256="06755ad2817548b84317d857d5c8003dc6e9e28416a3ea7467256c49ab400d48" ;;
	Darwin-x86_64) ASSET="pnpm-macos-x64" ; EXPECTED_SHA256="c31e29554b0e3f4e03f4617195c949595e4dca36085922003de4896c3ca4057d" ;;
	Darwin-arm64) ASSET="pnpm-macos-arm64" ; EXPECTED_SHA256="ed8a1f140f4de457b01ebe0be3ae28e9a7e28863315dcd53d22ff1e5a32d63ae" ;;
	MINGW64_NT-x86_64\|MSYS_NT-x86_64) ASSET="pnpm-win-x64.exe" ; EXPECTED_SHA256="afc96009dc39fe23a835d65192049e6a995f342496b175585dc2beda7d42d33f" ;;
	*) echo "Unsupported platform: ${KERNEL}-${ARCH}" >&2; exit 1 ;;
	esac
	PNPM_BIN="$PNPM_DIR/$ASSET"
	if [ ! -x "$PNPM_BIN" ]; then
	mkdir -p "$PNPM_DIR"
	curl -fsSL -o "$PNPM_BIN" "https://github.com/pnpm/pnpm/releases/download/v${PNPM_VERSION}/${ASSET}"
	ACTUAL_SHA256="$( (sha256sum "$PNPM_BIN" 2>/dev/null \|\| shasum -a 256 "$PNPM_BIN") \| cut -d' ' -f1 \| tr -d '\\')"
	if [ "$ACTUAL_SHA256" != "$EXPECTED_SHA256" ]; then
	echo "Checksum mismatch for ${ASSET}!" >&2
	echo " Expected: ${EXPECTED_SHA256}" >&2
	echo " Actual: ${ACTUAL_SHA256}" >&2
	rm -f "$PNPM_BIN"
	exit 1
	fi
	chmod +x "$PNPM_BIN"
	# Create pnpm alias. Windows needs a .exe copy; Unix uses a symlink.
	if [[ "$ASSET" == *.exe ]]; then
	cp "$PNPM_BIN" "$PNPM_DIR/pnpm.exe"
	else
	ln -sf "$PNPM_BIN" "$PNPM_DIR/pnpm"
	fi
	fi
	echo "$PNPM_DIR" >> "${GITHUB_PATH:-/dev/null}"

	- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
	with:
	node-version: ${{ matrix.node-version }}

	- name: Download sfw-free
	shell: bash
	env:
	GH_TOKEN: ${{ github.token }}
	run: \| # zizmor: ignore[github-env]
	# Pinned version + per-platform checksum pair. Bumping sfw-free
	# requires updating SFW_FREE_VERSION AND every platform's
	# SHA256 in the same commit, otherwise the download / verify
	# steps will diverge.
	SFW_FREE_VERSION="1.7.2"
	SFW_DIR="${RUNNER_TEMP:-/tmp}/sfw-bin"
	KERNEL="$(uname -s \| cut -d- -f1)"
	ARCH="$(uname -m)"
	case "${KERNEL}-${ARCH}" in
	Linux-x86_64) ASSET="sfw-free-linux-x86_64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="93e2d9dfa244b82a74e014dc26b1c6af18b4adec20f35254378943db5fe91411" ;;
	Linux-aarch64) ASSET="sfw-free-linux-arm64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="84a045e4e1bb320cc5c0d3929f02e53f199398b5be0637e8846d02d9ef0027b1" ;;
	Darwin-x86_64) ASSET="sfw-free-macos-x86_64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="a5427d479d440f08e3789fa191ba57599be64997196daf42e67d964fec0382b4" ;;
	Darwin-arm64) ASSET="sfw-free-macos-arm64" ; SFW_BIN="$SFW_DIR/sfw" ; EXPECTED_SHA256="248fb588e1e1a27e7192f7b079f739fc29a9de61f0bad7e90928363022dc5643" ;;
	MINGW64_NT-x86_64\|MSYS_NT-x86_64) ASSET="sfw-free-windows-x86_64.exe" ; SFW_BIN="$SFW_DIR/sfw.exe" ; EXPECTED_SHA256="6d333b4cac9d7c5712e2e99677ca634ac8a3020d550c6308312c60bea97f0a28" ;;
	*) echo "Unsupported platform: ${KERNEL}-${ARCH}" >&2; exit 1 ;;
	esac
	if [ ! -x "$SFW_BIN" ]; then
	mkdir -p "$SFW_DIR"
	DOWNLOAD_URL="$(gh api "repos/SocketDev/sfw-free/releases/tags/v${SFW_FREE_VERSION}" \
	--jq ".assets[] \| select(.name == \"$ASSET\") \| .browser_download_url")"
	if [ -z "$DOWNLOAD_URL" ]; then
	echo "Asset ${ASSET} not found in SocketDev/sfw-free@v${SFW_FREE_VERSION}" >&2
	exit 1
	fi
	curl -fsSL -o "$SFW_BIN" "$DOWNLOAD_URL"
	ACTUAL_SHA256="$( (sha256sum "$SFW_BIN" 2>/dev/null \|\| shasum -a 256 "$SFW_BIN") \| cut -d' ' -f1 \| tr -d '\\')"
	if [ "$ACTUAL_SHA256" != "$EXPECTED_SHA256" ]; then
	echo "Checksum mismatch for ${ASSET} (SocketDev/sfw-free@v${SFW_FREE_VERSION})!" >&2
	echo " Expected: ${EXPECTED_SHA256}" >&2
	echo " Actual: ${ACTUAL_SHA256}" >&2
	rm -f "$SFW_BIN"
	exit 1
	fi
	chmod +x "$SFW_BIN"
	fi
	echo "SFW_BIN=$SFW_BIN" >> "${GITHUB_ENV:-/dev/null}"

	- name: Create sfw shims
	shell: bash
	run: \| # zizmor: ignore[github-env]
	SHIM_DIR="${RUNNER_TEMP:-/tmp}/sfw-shim"
	rm -rf "$SHIM_DIR"
	mkdir -p "$SHIM_DIR"
	IS_WINDOWS=false
	[[ "$OSTYPE" == msys* \|\| "$OSTYPE" == cygwin* ]] && IS_WINDOWS=true
	msys_to_win_path() {
	if $IS_WINDOWS && [[ "$1" =~ ^/([a-zA-Z])/(.*) ]]; then
	echo "${BASH_REMATCH[1]^^}:\\${BASH_REMATCH[2]//\//\\}"
	else
	echo "$1"
	fi
	}
	strip_shim_dir() { echo "$PATH" \| tr ':' '\n' \| grep -vxF "$SHIM_DIR" \| paste -sd: -; }
	CLEAN_PATH="$(strip_shim_dir)"
	# https://docs.socket.dev/docs/socket-firewall-free#what-ecosystems-and-package-managers-are-supported
	for CMD in npm yarn pnpm pip uv cargo; do
	REAL="$(PATH="$CLEAN_PATH" command -v "$CMD" 2>/dev/null \|\| true)"
	[ -z "$REAL" ] && continue
	REAL="$(msys_to_win_path "$REAL")"
	printf '%s\n' \
	'#!/bin/bash' \
	"export PATH=\"\$(echo \"\$PATH\" \| tr ':' '\n' \| grep -vxF '${SHIM_DIR}' \| paste -sd: -)\"" \
	'export GIT_SSL_NO_VERIFY=true # Workaround: sfw-free does not yet set GIT_SSL_CAINFO.' \
	"exec \"${SFW_BIN}\" \"${REAL}\" \"\$@\"" \
	> "$SHIM_DIR/$CMD"
	chmod +x "$SHIM_DIR/$CMD"
	if $IS_WINDOWS; then
	printf '@echo off\r\nset "PATH=;%%PATH%%;"\r\nset "PATH=%%PATH:;%s;=;%%"\r\nset "PATH=%%PATH:~1,-1%%"\r\n"%s" "%s" %%*\r\n' \
	"$SHIM_DIR" "$SFW_BIN" "$REAL" > "$SHIM_DIR/$CMD.cmd"
	fi
	done
	echo "$SHIM_DIR" >> "${GITHUB_PATH:-/dev/null}"
	echo "SFW_SHIM_DIR=$SHIM_DIR" >> "${GITHUB_ENV:-/dev/null}"

	- name: Install dependencies
	run: pnpm install --loglevel error

	- name: Install uv
	run: curl -LsSf https://astral.sh/uv/install.sh \| sh

	- name: Build
	run: pnpm run build

	# TEMPORARY: probe the tier1-reachability-scan endpoint to capture the
	# legacy_mode field returned by depscan for the API token's org. Only
	# purpose is to diagnose why Coana v15 e2e tests halt as if the org were
	# promoted out of legacy mode. Remove this step once the response has
	# been captured in CI logs.
	- name: Probe tier1 legacy_mode (DIAGNOSTIC - REMOVE AFTER USE)
	if: matrix.node-version == 22
	env:
	SOCKET_CLI_API_TOKEN: ${{ secrets.SOCKET_API_TOKEN }} # zizmor: ignore[secrets-outside-env]
	run: \|
	set -eu
	auth=$(printf '%s:' "$SOCKET_CLI_API_TOKEN" \| base64 -w0)
	response=$(curl -sS -X PUT https://api.socket.dev/v0/tier1-reachability-scan \
	-H "Authorization: Basic $auth" \
	-H "Content-Type: application/json" \
	-d '{"cli_options":null,"coana_cli_version":"15.1.0","socket_cli_version":"legacy-mode-probe","system_information":null}')
	echo "Raw response:"
	echo "$response"
	echo "---"
	echo "$response" \| python3 -c "import json,sys
	try:
	d = json.load(sys.stdin)
	except Exception as e:
	print('response was not valid JSON:', e)
	sys.exit(0)
	print('response keys:', sorted(d.keys()))
	print('legacy_mode present:', 'legacy_mode' in d)
	print('legacy_mode value:', d.get('legacy_mode', '(absent)'))
	print('scan_id present:', bool(d.get('tier1_reachability_scan_id')))"

	- name: Run e2e tests
	env:
	SOCKET_CLI_API_TOKEN: ${{ secrets.SOCKET_API_TOKEN }} # zizmor: ignore[secrets-outside-env]
	run: pnpm run e2e-tests

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(fix): add --package-managers flag #422

Workflow file

feat(fix): add --package-managers flag #422

Uh oh!

Workflow file for this run