add socket tier 1 reachability analysis#829

Open

kanwalpreetd wants to merge 1 commit into stellar:main from kanwalpreetd:main

Conversation

@kanwalpreetd
Contributor

Copilot AI review requested due to automatic review settings June 30, 2026 06:45

chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 79d1ed18af

toolchain: "1.86.0"
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version: "1.26.4"

P2: Use the repository's Go build version

The reachability docs' language requirements say Go analysis should use the same version used to build the project (https://docs.socket.dev/docs/full-application-reachability#running-the-reachability-analysis), but this workflow installs Go 1.26.4 while go.mod declares go 1.25 and the existing Go setup action uses 1.25. In this repo's scheduled scan, that mismatch can make Socket analyze with a different toolchain than production/CI builds, leading to analysis failures or less trustworthy reachability results; pin this to the repo's actual Go version.


# annotation that GitHub Actions renders as a yellow run-level
# warning without failing the job.
set +e
socket scan create --reach \

P2: Pass Socket the actual repo and branch

The Node socket scan create reference says --repo and --branch default to socket-default-repository and socket-default-branch (https://docs.socket.dev/docs/socket-scan#repo--branch-names), and the full-application reachability page only calls out git auto-detection for the Python CLI, not this Node CLI. In this scheduled GitHub Actions job, omitting those flags means the weekly stellar-rpc scan can be filed under Socket's default repository/branch instead of the stellar-rpc default branch, so the dashboard/alerts page for this repo will not reflect these Tier 1 results.


Copilot AI left a comment

Pull request overview

Adds a scheduled GitHub Actions workflow to run Socket “Tier 1” reachability analysis for the stellar-rpc repo, surfacing Tier-2 fallback conditions as a workflow warning without failing the job.

Changes:

  • Introduces a new socket-scan workflow triggered weekly and via manual dispatch.
  • Installs Go/Rust/Node toolchains and runs socket scan create --reach, capturing output and emitting a ::warning:: when Tier 2 fallback markers are detected.


Comment on lines +50 to +52
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version: "1.26.4"
Comment on lines +62 to +65
- name: Run Socket reachability scan
env:
SOCKET_SECURITY_API_TOKEN: ${{ secrets.SOCKET_SECURITY_API_TOKEN }}
run: |
--reach-continue-on-missing-lock-files \
. 2>&1 | tee /tmp/scan.log
rc=${PIPESTATUS[0]}
if [ $rc -eq 0 ] && grep -qE "Reachability falls back to Tier 2|fallback to the results from the pre-computed|Reachability falls back to precomputed" /tmp/scan.log; then
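Review bot: the visible condition only handles the `rc -eq 0` case, and because `set +e` is in effect for this step, a non-zero exit from `socket scan create` will not fail the job unless `rc` is explicitly re-raised after the fallback check; add `exit "$rc"` after the `if` block (or an explicit `else` branch that emits `::error::` and exits) so a broken scan is not reported as a green run. Also note that `${PIPESTATUS[0]}` is bash-specific; setting `shell: bash` on the step makes that dependency explicit rather than relying on the runner default.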
env:
# Force JS-based GitHub actions (actions/checkout, actions/setup-*, etc.) to
# use Node 24 instead of the soon-to-be-deprecated Node 20. Safe to remove
# after 2026-06-16 (when Node 24 becomes the default and this becomes a no-op).
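The detection logic described in the overview above (grep the captured scan log for Tier 2 fallback markers and emit a GitHub Actions `::warning::` annotation without failing the job), as an added example that is not part of the PR or the stellar-rpc repository. The marker strings are the three copied from the PR's `grep -E`; the function names `classify_scan` and `emit_annotation`, the annotation texts, and the log contents are constructed for this example. It goes one step beyond the PR's visible snippet by handling the failure edge case: a non-zero scan exit code is passed through instead of being swallowed by `set +e`.

```shell
# Added example, not code from the PR. Classifies a captured Socket scan log
# the way the workflow's grep does, and maps the verdict to a GitHub Actions
# workflow command. Function names and messages are hypothetical.

# Tier 2 fallback markers, copied from the PR's grep -E pattern.
TIER2_MARKERS='Reachability falls back to Tier 2|fallback to the results from the pre-computed|Reachability falls back to precomputed'

# classify_scan <exit_code> <log_file>
# Prints one of: ok, tier2-fallback, failed.
# Returns 0 for ok and tier2-fallback (the job must not fail on a fallback),
# and the scan's own non-zero exit code for failed, so a broken scan is not
# silently turned into a green run when the step runs under `set +e`.
classify_scan() {
  scan_rc="$1"
  scan_log="$2"
  if [ "$scan_rc" -ne 0 ]; then
    echo "failed"
    return "$scan_rc"
  fi
  if grep -qE "$TIER2_MARKERS" "$scan_log"; then
    echo "tier2-fallback"
    return 0
  fi
  echo "ok"
  return 0
}

# emit_annotation <verdict>
# Turns the verdict into a GitHub Actions workflow command. ::warning::
# renders as a yellow run-level warning without failing the job; ::error::
# marks the run as failed; ::notice:: is informational.
emit_annotation() {
  case "$1" in
    tier2-fallback)
      echo "::warning title=Socket reachability::Tier 1 reachability unavailable; results fell back to Tier 2 (pre-computed)"
      ;;
    failed)
      echo "::error title=Socket reachability::socket scan create exited non-zero"
      ;;
    *)
      echo "::notice title=Socket reachability::Tier 1 reachability analysis completed"
      ;;
  esac
}

# Usage inside a workflow step (bash), after `... 2>&1 | tee /tmp/scan.log`:
#   verdict=$(classify_scan "${PIPESTATUS[0]}" /tmp/scan.log) || scan_rc=$?
#   emit_annotation "$verdict"
#   exit "${scan_rc:-0}"
```

The last three commented lines show the intended wiring: the verdict is computed once, the annotation is emitted from it, and the original exit code is re-raised at the end of the step so `set +e` only suppresses the pipeline's immediate abort, not the job's final status.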