From 9f367c843e14a93722ffb12ed3eb9b6d78ac88c2 Mon Sep 17 00:00:00 2001 From: Pradeep Jangid Date: Fri, 12 Dec 2025 16:42:27 +0530 Subject: [PATCH] build: added SFW in the build pipeline Ticket: VL-3832 --- .github/workflows/ci.yml | 38 ++++++++++++++++++++++++++++------- .github/workflows/publish.yml | 8 ++++++-- Dockerfile | 7 ++++--- 3 files changed, 41 insertions(+), 12 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0a9db36c45..c5dabb74af 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -24,6 +24,10 @@ jobs: node-version: [20.x, 22.x] steps: + - uses: socketdev/action@v1 + with: + mode: firewall-free + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} @@ -58,7 +62,7 @@ jobs: - name: Install Packages if: steps.lerna-cache.outputs.cache-hit != 'true' || contains( github.event.pull_request.labels.*.name, 'SKIP_CACHE') - run: yarn install --with-frozen-lockfile --ignore-scripts + run: sfw yarn install --with-frozen-lockfile --ignore-scripts - name: Check In-Repo Package Versions run: yarn run check-versions @@ -90,6 +94,10 @@ jobs: check: ['lint', 'format', 'commit-lint', 'dependencies', 'audit'] steps: + - uses: socketdev/action@v1 + with: + mode: firewall-free + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} @@ -110,7 +118,7 @@ jobs: - name: Install Packages if: steps.lerna-cache.outputs.cache-hit != 'true' || contains( github.event.pull_request.labels.*.name, 'SKIP_CACHE') - run: yarn install --with-frozen-lockfile --ignore-scripts + run: sfw yarn install --with-frozen-lockfile --ignore-scripts - name: Lint Source Code if: matrix.check == 'lint' 
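Review bot: The new `- uses: socketdev/action@v1` step in the -24 hunk references the action by a mutable tag, while the `actions/checkout` step directly beneath it is pinned to a full commit SHA with a version comment; anyone who can move the `v1` tag gets code execution in every job, before checkout, with whatever permissions the job token has. Pin it the same way, `- uses: socketdev/action@<full commit sha> # v1`, taking the SHA from the release you actually vetted, and let the same bot that refreshes the checkout pin keep it current. The identical unpinned reference is added to every job in this file and to publish.yml, so the fix belongs file-wide, not just here. `mode: firewall-free` is not explained anywhere; a one-line comment on what the free mode blocks and whether the wrapped installs fail open or closed when Socket's service is unreachable would save the next person who debugs a failing install.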
@@ -138,6 +146,10 @@ jobs: runs-on: ubuntu-latest steps: + - uses: socketdev/action@v1 + with: + mode: firewall-free + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Setup node 22 @@ -156,7 +168,7 @@ jobs: - name: Install Packages if: steps.lerna-cache.outputs.cache-hit != 'true' - run: yarn install --with-frozen-lockfile --ignore-scripts + run: sfw yarn install --with-frozen-lockfile --ignore-scripts - name: build packages env: @@ -175,6 +187,10 @@ jobs: runs-on: ubuntu-22.04 steps: + - uses: socketdev/action@v1 + with: + mode: firewall-free + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} @@ -249,7 +265,7 @@ jobs: - name: Install Packages if: steps.lerna-cache.outputs.cache-hit != 'true' || contains( github.event.pull_request.labels.*.name, 'SKIP_CACHE') - run: yarn install --with-frozen-lockfile + run: sfw yarn install --with-frozen-lockfile - name: build packages if: steps.lerna-cache.outputs.cache-hit == 'true' @@ -338,6 +354,10 @@ jobs: runs-on: ubuntu-latest steps: + - uses: socketdev/action@v1 + with: + mode: firewall-free + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} @@ -358,7 +378,7 @@ jobs: - name: Install Packages if: steps.lerna-cache.outputs.cache-hit != 'true' || contains( github.event.pull_request.labels.*.name, 'SKIP_CACHE') - run: yarn install --with-frozen-lockfile --ignore-scripts + run: sfw yarn install --with-frozen-lockfile --ignore-scripts - name: Check Dockerfile is up to date run: | @@ -373,6 +393,10 @@ jobs: runs-on: ubuntu-latest steps: + - uses: socketdev/action@v1 + with: + mode: firewall-free + - name: Checkout PR uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: 
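Review bot: The `sfw yarn install --with-frozen-lockfile` in the -249 hunk is the only Install Packages step in this file that still runs lifecycle scripts (every other job passes `--ignore-scripts`), so it is the step where any package the firewall lets through actually gets to execute on the runner, and nothing in the workflow says why this job needs scripts. Add a comment above the step, e.g. `# lifecycle scripts are needed here; sfw screens the fetch but does not sandbox what runs`, or, if the scripts are not required, bring the line in line with the other jobs. That sfw acts at fetch time and not on script execution is my reading of it being a command wrapper — confirm against Socket's documentation before the comment asserts it.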
@@ -394,7 +418,7 @@ jobs: - name: Install Packages if: steps.lerna-cache.outputs.cache-hit != 'true' - run: yarn install --with-frozen-lockfile --ignore-scripts + run: sfw yarn install --with-frozen-lockfile --ignore-scripts - name: Build packages env: @@ -402,7 +426,7 @@ jobs: run: yarn run postinstall - name: Install OpenAPI Generator at root - run: yarn add -W @api-ts/openapi-generator@v5 + run: sfw yarn add -W @api-ts/openapi-generator@v5 - name: Download and install vacuum v0.18.1 run: | diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 182203e4cc..af342b3db7 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -17,6 +17,10 @@ jobs: runs-on: ubuntu-latest steps: + - uses: socketdev/action@v1 + with: + mode: firewall-free + - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -26,7 +30,7 @@ jobs: node-version-file: .nvmrc - name: Install BitGoJS - run: yarn install --with-frozen-lockfile + run: sfw yarn install --with-frozen-lockfile - name: Set Environment Variable for Alpha if: github.ref != 'refs/heads/master' # only publish changes if on feature branches @@ -56,7 +60,7 @@ jobs: npx tsx ./scripts/prepare-release.ts ${{ env.preid }} - name: Rebuild packages - run: yarn + run: sfw yarn - name: Commit Local Changes run: git commit -am "Auto updated ${{ env.preid }} branch" --no-verify || echo "No changes to commit" diff --git a/Dockerfile b/Dockerfile index 159026d102..1edaab1b21 100644 --- a/Dockerfile +++ b/Dockerfile 
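Review bot: `sfw yarn add -W @api-ts/openapi-generator@v5` in the -402 hunk still resolves to whatever 5.x the registry serves at run time and rewrites the workspace manifest on the runner, so successive CI runs can pull different, never-reviewed versions; the firewall screens that fetch for known-bad packages but has no way to flag that a new release appeared. Pin an exact version, `sfw yarn add -W @api-ts/openapi-generator@<exact version>`, or better, make it a dev dependency in the lockfile so the existing `--with-frozen-lockfile` install already covers it. The `Download and install vacuum v0.18.1` step begins at the edge of this hunk; from its name it presumably fetches a binary outside any package manager, which `sfw` cannot cover, so that download needs its own checksum verification.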
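Review bot: The `socketdev/action@v1` step added to publish.yml in the -17 hunk runs before checkout in the job that publishes packages, which makes it the highest-value place in this patch for a mutable tag reference: whoever controls the `v1` tag runs code on a runner that later in the same job holds publish credentials, and an early step can leave behind a PATH shim that later steps pick up. Pin it to a full commit SHA with a version comment, mirroring the `actions/checkout@11bd71901bbe… # v4.2.2` line immediately below it. How the publish credential reaches the job (secret or OIDC) is outside this hunk, but either way it is exposed to everything that ran earlier.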
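Review bot: In the -56 hunk the `npx tsx ./scripts/prepare-release.ts` context line a few lines above the new `sfw yarn` remains unwrapped; if `tsx` is not already present in `node_modules` from the earlier install, `npx` downloads it straight from the registry with no firewall in front of it, on a release branch. Either wrap it as well, `sfw npx tsx ./scripts/prepare-release.ts ${{ env.preid }}` (assuming sfw wraps npx the way it wraps yarn here), or rely on `tsx` being a locked dev dependency and say so in a comment on that line. Whether `tsx` is in the lockfile is not visible in this diff.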
@@ -14,19 +14,20 @@ RUN find modules \! -name "package.json" -mindepth 2 -maxdepth 2 -print | xargs FROM node:22.16.0-bookworm-slim@sha256:2f3571619daafc6b53232ebf2fcc0817c1e64795e92de317c1684a915d13f1a5 AS builder RUN apt-get update && apt-get install -y git python3 make g++ libtool autoconf automake +RUN npm install -g @socketregistry/sfw WORKDIR /tmp/bitgo COPY --from=filter-packages-json /tmp/bitgo . # (skip postinstall) https://github.com/yarnpkg/yarn/issues/4100#issuecomment-388944260 -RUN NOYARNPOSTINSTALL=1 yarn install --pure-lockfile --network-timeout 120000 +RUN NOYARNPOSTINSTALL=1 sfw yarn install --pure-lockfile --network-timeout 120000 COPY . . RUN \ # clean up unnecessary local node_modules and dist rm -rf modules/**/node_modules modules/**/dist && \ # install with dev deps so we can run the prepare script - yarn install --frozen-lockfile && \ + sfw yarn install --frozen-lockfile && \ # install again to prune dev deps - yarn install --production --frozen-lockfile --non-interactive --ignore-scripts && \ + sfw yarn install --production --frozen-lockfile --non-interactive --ignore-scripts && \ # remove any src code leftover (we only want dist) rm -r modules/*/src
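Review bot: `RUN npm install -g @socketregistry/sfw` in this hunk is unpinned and, by construction, is the one registry fetch in the builder stage that the firewall cannot screen, so the image's entire protection rests on whatever version npm resolves at build time. Pin it to an exact version, `RUN npm install -g @socketregistry/sfw@<exact version>`, bump it deliberately, and note in the comment above that if the global install runs package scripts they execute as the build user with network access. The wrapped `yarn install` calls now also need to reach Socket's service from inside `docker build`; whether `sfw` fails open or closed when it cannot is not visible here and belongs in a comment next to the first wrapped install so an offline or proxied build does not silently lose the check.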