add socket tier 1 reachability analysis#829
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 79d1ed18af
| toolchain: "1.86.0" | ||
| - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 | ||
| with: | ||
| go-version: "1.26.4" |
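Review bot: the same version-consistency concern applies to the Rust pin at the top of this hunk: `toolchain: "1.86.0"` is hard-coded next to `go-version: "1.26.4"`, and the Socket reachability docs linked in the thread ask for the toolchains the project is actually built with. Either reference the repo's own toolchain source (a rust-toolchain file for Rust, go.mod for Go) or add a comment above each pin stating which build configuration it mirrors, so the next bump to either toolchain does not silently diverge from the scheduled scan.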
Use the repository's Go build version
The reachability docs' language requirements say Go analysis should use the same version used to build the project (https://docs.socket.dev/docs/full-application-reachability#running-the-reachability-analysis), but this workflow installs Go 1.26.4 while go.mod declares go 1.25 and the existing Go setup action uses 1.25. In this repo's scheduled scan, that mismatch can make Socket analyze with a different toolchain than production/CI builds, leading to analysis failures or less trustworthy reachability results; pin this to the repo's actual Go version.
| # annotation that GitHub Actions renders as a yellow run-level | ||
| # warning without failing the job. | ||
| set +e | ||
| socket scan create --reach \ |
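Review bot: `set +e` turns off errexit for everything that follows in this step, not just the `socket scan create` pipeline, so a later command that fails (the grep, the warning emission, anything appended afterwards) will no longer stop the job. Limit the scope by re-enabling it right after the exit code is captured (`set -e` following the `rc=` assignment), or structure the pipeline as `socket scan create ... || true` style capture instead of disabling errexit globally.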
Pass Socket the actual repo and branch
The Node socket scan create reference says --repo and --branch default to socket-default-repository and socket-default-branch (https://docs.socket.dev/docs/socket-scan#repo--branch-names), and the full-application reachability page only calls out git auto-detection for the Python CLI, not this Node CLI. In this scheduled GitHub Actions job, omitting those flags means the weekly stellar-rpc scan can be filed under Socket's default repository/branch instead of the stellar-rpc default branch, so the dashboard/alerts page for this repo will not reflect these Tier 1 results.
Pull request overview
Adds a scheduled GitHub Actions workflow to run Socket “Tier 1” reachability analysis for the stellar-rpc repo, surfacing Tier-2 fallback conditions as a workflow warning without failing the job.
Changes:
- Introduces a new socket-scan workflow triggered weekly and via manual dispatch.
- Installs Go/Rust/Node toolchains and runs socket scan create --reach, capturing output and emitting a ::warning:: when Tier 2 fallback markers are detected.
| - name: Run Socket reachability scan | ||
| env: | ||
| SOCKET_SECURITY_API_TOKEN: ${{ secrets.SOCKET_SECURITY_API_TOKEN }} | ||
| run: | |
| --reach-continue-on-missing-lock-files \ | ||
| . 2>&1 | tee /tmp/scan.log | ||
| rc=${PIPESTATUS[0]} | ||
| if [ $rc -eq 0 ] && grep -qE "Reachability falls back to Tier 2|fallback to the results from the pre-computed|Reachability falls back to precomputed" /tmp/scan.log; then |
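Review bot: the `if [ $rc -eq 0 ] && grep ...` branch only handles the success-plus-fallback case; nothing visible in this hunk propagates a non-zero `rc` once `set +e` is in effect, so a scan that fails outright (bad token, CLI error) can end the step with a green status and an empty dashboard. End the step with `exit "$rc"` after the warning logic and quote the variable in the test (`[ "$rc" -eq 0 ]`) so an unset value does not produce a syntax error instead of a failure. The three grep patterns are also plain string matches against CLI output, so a wording change upstream silently turns the warning off; a comment noting which CLI version the markers were taken from would make that easier to maintain.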
| env: | ||
| # Force JS-based GitHub actions (actions/checkout, actions/setup-*, etc.) to | ||
| # use Node 24 instead of the soon-to-be-deprecated Node 20. Safe to remove | ||
| # after 2026-06-16 (when Node 24 becomes the default and this becomes a no-op). |
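Review bot: the comment gives a removal date (2026-06-16) without saying where it comes from, and the variable being set is not in this fragment, so a future reader cannot verify either the deadline or what becomes a no-op. Add the link to the GitHub changelog entry that announces the Node 24 default so the cleanup condition is checkable, and keep the comment directly above the variable it describes.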
More info: https://stellarorg.atlassian.net/wiki/spaces/SCRT/pages/5689311233/Socket+Tier+1+Reachability+Analysis