add socket tier 1 reachability analysis#646
Conversation
There was a problem hiding this comment.
Pull request overview
Adds a scheduled GitHub Actions workflow to run Socket’s full-application reachability scan (Tier 1 where possible) against the wallet-backend repository, with a non-failing warning when the scan falls back to Tier 2 reachability.
Changes:
- Introduces a new scheduled + manual “Socket reachability scan” workflow.
- Installs required toolchains (Go, Node/Corepack) and Socket CLI, then runs
socket scan create --reach. - Parses scan output to emit a GitHub Actions
::warning::when Tier 2 fallback markers are detected.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| env: | ||
| # Force JS-based GitHub actions (actions/checkout, actions/setup-*, etc.) to | ||
| # use Node 24 instead of the soon-to-be-deprecated Node 20. Safe to remove | ||
| # after 2026-06-16 (when Node 24 becomes the default and this becomes a no-op). | ||
| FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true |
| - name: Install Socket CLI | ||
| run: npm install -g socket |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 18ea6862b4
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| socket scan create --reach \ | ||
| --org=stellar \ |
There was a problem hiding this comment.
Pass repo and branch to Socket scans
When this scheduled/manual workflow runs, this command creates scans under Socket's generic defaults rather than wallet-backend: the Socket CLI docs for socket scan create say --repo and --branch tell Socket which dashboard repo/branch to associate, and missing flags default to socket-default-repository/socket-default-branch; I also did not find a socket.json in the repo to supply those defaults. The scan will not update the wallet-backend default-branch alerts, so pass ${{ github.event.repository.name }}/${{ github.ref_name }} (and set the default branch on first run).
Useful? React with 👍 / 👎.
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
| - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 | ||
| with: | ||
| go-version: "1.26.4" |
There was a problem hiding this comment.
Use the repository Go version for reachability
For Go reachability runs, Socket's requirements say the analyzer needs the same Go version used to build the project. This repo's go.mod and existing Go CI use 1.25.9, but this new workflow installs 1.26.4, so the scheduled scan can fail, fall back, or compute reachability under a toolchain that does not match the service build; use the repo Go version instead.
Useful? React with 👍 / 👎.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
|
Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits. |
More info: https://stellarorg.atlassian.net/wiki/spaces/SCRT/pages/5689311233/Socket+Tier+1+Reachability+Analysis