chore(ci): cascade socket-registry pin to 85a2fc0d#1285
Closed
John-David Dalton (jdalton) wants to merge 4 commits into main from
Conversation
Picks up the latest socket-registry workflow updates (currently the bootstrap-from-registry step in install/action.yml + the path-guard fleet rollout cascade). Self-landable split from #1279.
Picks up the firewall-checker fix in @SocketDev/socket-registry — any alert from Socket Firewall now blocks the bootstrap (no severity threshold; the API only returns alerts when a package is flagged as malware, so any alert means malware).
Cascade chain:
- check-firewall.mts — Layer 1 — e4193847
- setup-and-install — Layer 2 — b94c9571
- reusable workflows — Layer 3 — 85a2fc0d ← propagation SHA
- _local-not-for-reuse-* — Layer 4 — 25ec2c76 (socket-registry only)
bugbot run
✅ Bugbot reviewed your changes and found no new issues!
Reviewed by Cursor Bugbot for commit 9ef28f8.
Bill Li (billxinli) approved these changes, Apr 27, 2026
John-David Dalton (jdalton) added a commit that referenced this pull request, May 5, 2026
Bumps the three workflow files (ci.yml, provenance.yml, weekly-update.yml) to socket-registry@51f34ffb. That commit includes:
- 4c4b12cc — pnpm 11.0.6 GA + Rust toolchain pin for Node 26 Temporal + SRI integrity migration in external-tools.json
- e5f83c31 — wire updating-xport into the umbrella drift flow
- 51f34ffb — release-workflow-guard quote-mask false-positive fix
Closes the chore/registry-cascade branch (PR #1285) which had gone stale at @0fc1abfd while @ea1986b8 merged via #1278.
John-David Dalton (jdalton) added a commit that referenced this pull request, May 5, 2026
Synced from socket-repo-template canonical. The fleet CLAUDE.md
moved to a fleet-canonical / project-specific layout — public-surface
hygiene rules, parallel-session safeguards, code style, and tooling
go in CLAUDE.md; project-specific extensions (build commands, test
targets, repo-particular conventions) go below.
Skills added:
- path-guard — audit and fix path duplication ("1 path, 1 reference")
- programmatic-claude-lockdown — reference for locking down headless
Claude invocations (claude CLI in workflows, agent-sdk query() in
code) per the four-flag lockdown pattern
- promise-race-pitfall — reference for the Promise.race
cross-iteration handler-leak bug
Skills updated:
- security-scan — wires AgentShield + zizmor + Socket CLI dependency
scanning, A-F graded report
Path-guard infra:
- scripts/check-paths.mts — repo-level path-duplication scanner
- .github/paths-allowlist.yml — known-acceptable duplicates
- .claude/skills/path-guard/reference/* — templates for new repos
Doctrine references:
- docs/references/inclusive-language.md — substitution table
- docs/references/sorting.md — alphanumeric sort rules
Repo-template integration:
- .socket-repo-template.json — repo-particular kind config
- scripts/socket-repo-template-{schema,emit-schema}.mts — schema tooling
- socket-repo-template-schema.json — emitted JSON schema
Splits content out of #1286. Companion split PR #1300 covers hooks +
harness config; deps_misc bucket folds into #1285 SHA cascade per
project direction.
John-David Dalton (jdalton) added a commit that referenced this pull request, May 5, 2026
…1301)

* docs(claude+skills): CLAUDE.md restructure + path-guard + new skills

Synced from socket-repo-template canonical. The fleet CLAUDE.md moved to a fleet-canonical / project-specific layout — public-surface hygiene rules, parallel-session safeguards, code style, and tooling go in CLAUDE.md; project-specific extensions (build commands, test targets, repo-particular conventions) go below.

Skills added:
- path-guard — audit and fix path duplication ("1 path, 1 reference")
- programmatic-claude-lockdown — reference for locking down headless Claude invocations (claude CLI in workflows, agent-sdk query() in code) per the four-flag lockdown pattern
- promise-race-pitfall — reference for the Promise.race cross-iteration handler-leak bug

Skills updated:
- security-scan — wires AgentShield + zizmor + Socket CLI dependency scanning, A-F graded report

Path-guard infra:
- scripts/check-paths.mts — repo-level path-duplication scanner
- .github/paths-allowlist.yml — known-acceptable duplicates
- .claude/skills/path-guard/reference/* — templates for new repos

Doctrine references:
- docs/references/inclusive-language.md — substitution table
- docs/references/sorting.md — alphanumeric sort rules

Repo-template integration:
- .socket-repo-template.json — repo-particular kind config
- scripts/socket-repo-template-{schema,emit-schema}.mts — schema tooling
- socket-repo-template-schema.json — emitted JSON schema

Splits content out of #1286. Companion split PR #1300 covers hooks + harness config; deps_misc bucket folds into #1285 SHA cascade per project direction.

* fix(check-paths): Rule F requires >=2 distinct files, not just >=2 hits

Cursor Bugbot caught: `checkRuleF` grouped Rule-A findings purely by string-literal shape and promoted to Rule F whenever count >= 2, without checking distinct files. Two hand-builds of the same path shape in the SAME file would be incorrectly flagged as 'cross-file repetition' — but Rule F's whole point is cross-file duplication.

Fix: build a Set of distinct file paths and gate the promotion on size >= 2. Also include the file count in the message (`in N files (M places)`) so the reviewer knows both numbers. Synced to socket-repo-template canonical.
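The Rule F gate that the commit message above describes, as an added example that is not socket-registry's scripts/check-paths.mts: the Finding type, the function names and the sample findings are constructed for the illustration, and the buggy and fixed versions sit side by side so the same-file false positive is visible.

```typescript
// Added example, not socket-registry's scripts/check-paths.mts: Finding type,
// function names and sample data are constructed for this illustration.
interface Finding { file: string; line: number; shape: string } // one Rule-A hit
interface RuleFReport { shape: string; files: number; places: number; message: string }

// Group Rule-A findings by normalized literal shape (shared by both versions).
function groupByShape(findings: Finding[]): Map<string, Finding[]> {
  const groups = new Map<string, Finding[]>();
  for (const f of findings) groups.set(f.shape, [...(groups.get(f.shape) ?? []), f]);
  return groups;
}

// Pre-fix behaviour: promotes on raw hit count, so two hand-builds of the same
// shape in ONE file are wrongly reported as cross-file repetition.
function checkRuleFBuggy(findings: Finding[]): RuleFReport[] {
  const reports: RuleFReport[] = [];
  groupByShape(findings).forEach((hits, shape) => {
    if (hits.length < 2) return;
    reports.push({ shape, files: 0, places: hits.length, message: `${shape}: ${hits.length} hits` });
  });
  return reports;
}

// Fixed behaviour: promotion is gated on DISTINCT files, and the message carries
// both counts so a reviewer sees "in N files (M places)".
function checkRuleF(findings: Finding[]): RuleFReport[] {
  const reports: RuleFReport[] = [];
  groupByShape(findings).forEach((hits, shape) => {
    const files = new Set(hits.map(h => h.file));
    if (files.size < 2) return; // same-file repetition stays a Rule-A matter
    reports.push({
      shape, files: files.size, places: hits.length,
      message: `Rule F: ${shape} hand-built in ${files.size} files (${hits.length} places)`,
    });
  });
  return reports;
}

// Constructed sample: 'dist' is built twice in one file (not Rule F); 'packages'
// is built in three different files (Rule F).
const SAMPLE: Finding[] = [
  { file: 'scripts/build.mts', line: 10, shape: "join(rootPath, 'dist')" },
  { file: 'scripts/build.mts', line: 42, shape: "join(rootPath, 'dist')" },
  { file: 'scripts/build.mts', line: 55, shape: "join(rootPath, 'packages')" },
  { file: 'scripts/test.mts', line: 8, shape: "join(rootPath, 'packages')" },
  { file: 'scripts/lint.mts', line: 3, shape: "join(rootPath, 'packages')" },
];
```

Running both versions over SAMPLE shows the buggy gate reporting two Rule F findings while the fixed gate reports only the cross-file one.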
Bumps SocketDev/socket-registry workflow pins from ea1986b8 to 85a2fc0d.
Note: Medium Risk
Medium risk because it changes the pinned versions of shared CI/publish automation (setup-and-install and git-signing actions), which can affect build, test, and release behavior even though no product code changes.
Overview
Bumps the pinned SocketDev/socket-registry action revision across ci.yml, provenance.yml, and weekly-update.yml (from ea1986b8… to 85a2fc0d…). This updates the versions used for dependency setup/installation and the weekly-update git signing/cleanup steps, aligning CI, publishing, and automation with the newer shared workflow implementation.