add socket tier 1 reachability analysis#550
Conversation
There was a problem hiding this comment.
Pull request overview
Adds a dedicated GitHub Actions workflow to run Socket “full application reachability” (Tier 1) analysis on this Rust workspace on a weekly schedule and via manual dispatch, surfacing Tier-2 fallback situations as a GitHub Actions warning without failing the job.
Changes:
- Introduces a new scheduled + on-demand workflow to run
socket scan create --reachagainst the repository. - Sets up Rust + Node tooling needed by the Socket CLI and parses scan output to emit a Tier-2 fallback warning.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| # Force JS-based GitHub actions (actions/checkout, actions/setup-*, etc.) to | ||
| # use Node 24 instead of the soon-to-be-deprecated Node 20. Safe to remove | ||
| # after 2026-06-16 (when Node 24 becomes the default and this becomes a no-op). |
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | ||
| with: | ||
| node-version: "24.18.0" | ||
| - name: Enable Corepack (yarn/pnpm per repo packageManager) |
| - name: Install Socket CLI | ||
| run: npm install -g socket |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 57e8b935e2
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| # annotation that GitHub Actions renders as a yellow run-level | ||
| # warning without failing the job. | ||
| set +e | ||
| socket scan create --reach \ |
There was a problem hiding this comment.
Pass repository metadata to Socket
This scheduled run uses the Node Socket CLI on an ephemeral runner without a checked-in socket.json, but socket scan create defaults missing --repo/--branch to socket-default-repository/socket-default-branch per the CLI docs. In that context the weekly scan for rs-stellar-xdr will be filed under the shared default Socket project/branch instead of this repository, so the repo's dashboard/alerts page will not reflect these results; pass the GitHub repo and branch explicitly, and set the default branch on the first run if needed.
Useful? React with 👍 / 👎.
More info: https://stellarorg.atlassian.net/wiki/spaces/SCRT/pages/5689311233/Socket+Tier+1+Reachability+Analysis