add socket tier 1 reachability analysis#104
Conversation
There was a problem hiding this comment.
Pull request overview
Adds a scheduled GitHub Actions workflow to run Socket’s “full application reachability” (Tier 1) scan for this Rust/Cargo repository, with a “yellow” warning state when Socket falls back to Tier 2 reachability.
Changes:
- Introduces a new scheduled + manually-triggerable workflow to run
socket scan create --reach. - Sets up Rust and Node toolchains and installs the Socket CLI for the scan run.
- Parses scan output to emit a GitHub Actions
::warning::when Tier 2 fallback markers are detected.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| on: | ||
| schedule: | ||
| - cron: '24 0 * * 0' | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
| env: | ||
| # Force JS-based GitHub actions (actions/checkout, actions/setup-*, etc.) to | ||
| # use Node 24 instead of the soon-to-be-deprecated Node 20. Safe to remove | ||
| # after 2026-06-16 (when Node 24 becomes the default and this becomes a no-op). | ||
| FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true |
| - name: Enable Corepack (yarn/pnpm per repo packageManager) | ||
| run: corepack enable | ||
|
|
| - name: Install Socket CLI | ||
| run: npm install -g socket |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1761b31d52
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| jobs: | ||
| socket-scan: | ||
| runs-on: ubuntu-latest | ||
| steps: |
There was a problem hiding this comment.
Install a Rust toolchain that satisfies Cargo.toml
On every scheduled/manual scan for this crate, this pins Rust to 1.86.0 while Cargo.toml declares rust-version = "1.93.0". The Cargo Book says Cargo reports an error on unsupported toolchains, and Socket's reachability docs say the analysis needs the language build toolchain and --reach-continue-on-install-errors falls back to precomputed reachability, so the workflow cannot produce the intended full Cargo reachability until it installs at least 1.93.0 or the repo's configured stable toolchain.
Useful? React with 👍 / 👎.
| socket scan create --reach \ | ||
| --org=stellar \ |
There was a problem hiding this comment.
Pass the real repo and branch to Socket
Because this socket scan create invocation supplies only --org and there is no socket.json in the repo, Socket will use its documented defaults (socket-default-repository / socket-default-branch) rather than associating the scheduled scan with rs-stellar-rpc-client and the checked-out branch. The Socket CLI reference explicitly says --repo and --branch identify the repository/branch for the scan, so these CI results can be filed under the generic default project instead of the dashboard entry this workflow is meant to update.
Useful? React with 👍 / 👎.
More info: https://stellarorg.atlassian.net/wiki/spaces/SCRT/pages/5689311233/Socket+Tier+1+Reachability+Analysis