From 240823a5ea72607e995cb46afd08ea1384c82671 Mon Sep 17 00:00:00 2001
From: Martin Torp
Date: Thu, 19 Mar 2026 11:25:31 +0100
Subject: [PATCH 1/3] ci: add CI workflow for lint, typecheck, and unit tests on PRs

Add a GitHub Actions workflow that runs lint, type checking, and unit tests on every push to a PR targeting main or v1.x. Includes test fixture updates.
---
 .github/workflows/ci.yml | 52 +++++++++++++++++++
 src/commands/fix/cmd-fix.integration.test.mts | 1 +
 src/commands/fix/handle-fix-limit.test.mts | 4 +-
 src/commands/scan/cmd-scan-create.test.mts | 1 +
 src/commands/scan/cmd-scan-reach.test.mts | 1 +
 5 files changed, 57 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/ci.yml

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 000000000..fe515ddf6
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,52 @@
+name: CI
+
+on:
+ push:
+ branches: [main, v1.x]
+ pull_request:
+ branches: [main, v1.x]
+
+permissions:
+ contents: read
+
+jobs:
+ lint:
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ steps:
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@51be85d39d3b4a42dd9d4712948b9d30a2e04794
+ with:
+ node-version: 22
+
+ - name: Lint
+ run: pnpm check:lint
+
+ typecheck:
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ steps:
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@51be85d39d3b4a42dd9d4712948b9d30a2e04794
+ with:
+ node-version: 22
+
+ - name: Type check
+ run: pnpm check:tsc
+
+ test:
+ runs-on: ${{ matrix.os }}
+ timeout-minutes: 15
+ strategy:
+ fail-fast: true
+ matrix:
+ node-version: [20, 22, 24]
+ os: [ubuntu-latest]
+ steps:
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@51be85d39d3b4a42dd9d4712948b9d30a2e04794
+ with:
+ node-version: ${{ matrix.node-version }}
+
+ - name: Build
+ run: pnpm run build
+
+ - name: Run unit tests
+ run: pnpm test:unit
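Review bot: The three `uses: SocketDev/socket-registry/.github/actions/setup-and-install@51be85d39d3b4a42dd9d4712948b9d30a2e04794` lines pin the action by full commit SHA, which is the right choice for a third-party action, but they carry no version comment, so a reader cannot tell which release the SHA was taken from and dependency bots that key on a trailing tag comment will not propose bumps; append `# <tag the SHA was cut from>` to each. The workflow-level `permissions: contents: read` is the correct minimum for jobs that only lint, typecheck and test. Since the `test` job runs a three-entry matrix with a 15-minute budget, a top-level `concurrency:` block with `group: ${{ github.workflow }}-${{ github.ref }}` and `cancel-in-progress: true` would keep superseded pushes to the same PR from queueing redundant runs.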
diff --git a/src/commands/fix/cmd-fix.integration.test.mts b/src/commands/fix/cmd-fix.integration.test.mts
index 270a20d9a..084f1c33d 100644
--- a/src/commands/fix/cmd-fix.integration.test.mts
+++ b/src/commands/fix/cmd-fix.integration.test.mts
@@ -167,6 +167,7 @@ describe('socket fix', async () => {
 --autopilot Enable auto-merge for pull requests that Socket opens. See GitHub documentation (https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-auto-merge-for-pull-requests-in-your-repository) for managing auto-merge for pull requests in your repository.
 --debug Enable debug logging in the Coana-based Socket Fix CLI invocation.
+ --disable-external-tool-checks Disable external tool checks during fix analysis.
 --ecosystems Limit fix analysis to specific ecosystems. Can be provided as comma separated values or as multiple flags. Defaults to all ecosystems.
 --exclude Exclude workspaces matching these glob patterns. Can be provided as comma separated values or as multiple flags
 --fix-version Override the version of @coana-tech/cli used for fix analysis. Default: .
diff --git a/src/commands/fix/handle-fix-limit.test.mts b/src/commands/fix/handle-fix-limit.test.mts
index ea8ed14a1..7028d02f8 100644
--- a/src/commands/fix/handle-fix-limit.test.mts
+++ b/src/commands/fix/handle-fix-limit.test.mts
@@ -217,7 +217,7 @@ describe('socket fix --pr-limit behavior verification', () => {
 }) expect(result.ok).toBe(true)
- expect(result.data?.fixed).toBe(false)
+ expect(result.data?.fixedAll).toBe(false)
 // Only discovery call, no fix call since no GHSAs found. expect(mockSpawnCoanaDlx).toHaveBeenCalledTimes(1)
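Review bot: The expected help output gains a `--disable-external-tool-checks` row here, the `--reach-disable-external-tool-checks` rows in the cmd-scan-create and cmd-scan-reach hunks follow the same pattern, and both handle-fix-limit hunks switch the assertion from `result.data?.fixed` to `result.data?.fixedAll`, yet nothing in this series touches the source that would add those flags or rename that field, so these fixtures only pass if those changes already landed on the target branch. Bundling them into a commit titled as a CI workflow addition hides that the suite was red before the workflow existed; they would read more clearly as their own fixture-sync commit, or at least the message should name the change they track. The enclosing `describe` blocks start and end outside these hunks.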
@@ -374,7 +374,7 @@ describe('socket fix --pr-limit behavior verification', () => {
 }) expect(result.ok).toBe(true)
- expect(result.data?.fixed).toBe(false)
+ expect(result.data?.fixedAll).toBe(false)
 // With 5 open PRs and prLimit 3, adjusted limit is 0, so no processing. expect(mockSpawnCoanaDlx).not.toHaveBeenCalled()
diff --git a/src/commands/scan/cmd-scan-create.test.mts b/src/commands/scan/cmd-scan-create.test.mts
index aeffc1e14..ae75756c3 100644
--- a/src/commands/scan/cmd-scan-create.test.mts
+++ b/src/commands/scan/cmd-scan-create.test.mts
@@ -61,6 +61,7 @@ describe('socket scan create', async () => {
 --reach-debug Enable debug mode for reachability analysis. Provides verbose logging from the reachability CLI.
 --reach-detailed-analysis-log-file A log file with detailed analysis logs is written to root of each analyzed workspace.
 --reach-disable-analytics Disable reachability analytics sharing with Socket. Also disables caching-based optimizations.
+ --reach-disable-external-tool-checks Disable external tool checks during reachability analysis.
 --reach-ecosystems List of ecosystems to conduct reachability analysis on, as either a comma separated value or as multiple flags. Defaults to all ecosystems.
 --reach-enable-analysis-splitting Allow the reachability analysis to partition CVEs into buckets that are processed in separate analysis runs. May improve accuracy, but not recommended by default.
 --reach-exclude-paths List of paths to exclude from reachability analysis, as either a comma separated value or as multiple flags.
diff --git a/src/commands/scan/cmd-scan-reach.test.mts b/src/commands/scan/cmd-scan-reach.test.mts
index 4bf538211..3883c9c28 100644
--- a/src/commands/scan/cmd-scan-reach.test.mts
+++ b/src/commands/scan/cmd-scan-reach.test.mts
@@ -43,6 +43,7 @@ describe('socket scan reach', async () => {
 --reach-debug Enable debug mode for reachability analysis. Provides verbose logging from the reachability CLI.
 --reach-detailed-analysis-log-file A log file with detailed analysis logs is written to root of each analyzed workspace.
 --reach-disable-analytics Disable reachability analytics sharing with Socket. Also disables caching-based optimizations.
+ --reach-disable-external-tool-checks Disable external tool checks during reachability analysis.
 --reach-ecosystems List of ecosystems to conduct reachability analysis on, as either a comma separated value or as multiple flags. Defaults to all ecosystems.
 --reach-enable-analysis-splitting Allow the reachability analysis to partition CVEs into buckets that are processed in separate analysis runs. May improve accuracy, but not recommended by default.
 --reach-exclude-paths List of paths to exclude from reachability analysis, as either a comma separated value or as multiple flags.
From 0753b664145bf5eae30310899ce57fe803c6c39a Mon Sep 17 00:00:00 2001
From: Martin Torp
Date: Thu, 19 Mar 2026 12:40:59 +0100
Subject: [PATCH 2/3] fix: use test-ci in CI workflow for correct build environment

The separate build + test:unit steps caused snapshot mismatches because pnpm build does not set VITEST=1, which gets inlined at build time. Using test-ci runs test:prepare (which builds with .env.test setting VITEST=1) followed by test:unit, matching local test behavior.
---
 .github/workflows/ci.yml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fe515ddf6..1a9a24204 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -45,8 +45,5 @@ jobs:
 with:
 node-version: ${{ matrix.node-version }}
 
- - name: Build
- run: pnpm run build
-
- - name: Run unit tests
- run: pnpm test:unit
+ - name: Build and run unit tests
+ run: pnpm test-ci
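Review bot: The new `run: pnpm test-ci` step gives no hint why it replaced the separate build and `test:unit` steps, and the reason recorded only in the commit message (a plain `pnpm run build` does not set `VITEST=1`, which is inlined at build time, so snapshots drift) is exactly what a later maintainer will not know when they split the steps again for speed. Add a comment above the step: `# test-ci runs test:prepare (build with .env.test, VITEST=1) before test:unit; a plain build inlines the wrong value and breaks snapshots.` The `test` job's `runs-on`, matrix and setup-and-install step lie outside this hunk.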
From b829fd38448c772ab900b2ff621efa9c3e28ef96 Mon Sep 17 00:00:00 2001
From: Martin Torp
Date: Thu, 19 Mar 2026 13:00:26 +0100
Subject: [PATCH 3/3] fix: set initial branch to main in branch-cleanup tests

The test was failing on CI because git's default branch name may not be 'main'. Using --initial-branch main ensures consistent behavior.
---
 src/commands/fix/branch-cleanup.integration.test.mts | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/commands/fix/branch-cleanup.integration.test.mts b/src/commands/fix/branch-cleanup.integration.test.mts
index c9c83f46d..cf31567c6 100644
--- a/src/commands/fix/branch-cleanup.integration.test.mts
+++ b/src/commands/fix/branch-cleanup.integration.test.mts
@@ -37,9 +37,12 @@ describe('branch-cleanup integration tests', () => {
 remoteDir = path.join(tempDir, 'remote.git')
 repoDir = path.join(tempDir, 'repo')
 
- // Initialize bare remote repository.
+ // Initialize bare remote repository with main as default branch.
 await fs.mkdir(remoteDir, { recursive: true })
- await spawn('git', ['init', '--bare'], { cwd: remoteDir, stdio: 'ignore' })
+ await spawn('git', ['init', '--bare', '--initial-branch', 'main'], {
+ cwd: remoteDir,
+ stdio: 'ignore',
+ })
 
 // Clone the remote to create local repository.
 await spawn('git', ['clone', remoteDir, repoDir], {
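Review bot: `git init --initial-branch` is only accepted by git 2.28 and newer, so the new `await spawn('git', ['init', '--bare', '--initial-branch', 'main'], {` call turns a wrong-branch-name failure into an outright `git init` failure on older toolchains; GitHub's ubuntu-latest ships a recent git, but a contributor on an older distro will hit it with a less obvious error. A version-independent form keeps `['init', '--bare']` and follows it with `await spawn('git', ['symbolic-ref', 'HEAD', 'refs/heads/main'], { cwd: remoteDir, stdio: 'ignore' })`, which points the unborn HEAD of the bare remote at `main` on any git version. If the flag is kept, a one-line comment stating the minimum git version the suite assumes would save the next person a search. The setup hook this code belongs to starts and ends outside the hunk.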