external-tools.json
{
"sfw": {
"notes": [
"SFW (Socket Firewall) is published in two flavors: free (public, SocketDev/sfw-free) and enterprise (private, SocketDev/firewall-release). Both ship the same 7-platform set: linux-{x64,arm64}{,-musl}, darwin-{x64,arm64}, win-x64. win-arm64 is intentionally absent — upstream does not yet build it. Unlike zizmor (a security audit), SFW is a required dependency of the install flow, so consumers on win-arm64 must skip SFW-dependent steps until upstream support lands.",
"Setup action picks the enterprise flavor when SOCKET_API_KEY is in env, otherwise the free flavor. Enterprise downloads require GITHUB_TOKEN auth (private repo); install-tool.mjs forwards GITHUB_TOKEN automatically when set."
],
"description": "Socket Firewall — package manager command wrapper",
"version": "1.7.2",
"release": "asset",
"free": {
"repository": "github:SocketDev/sfw-free",
"binaryName": "sfw",
"checksums": {
"darwin-arm64": {
"asset": "sfw-free-macos-arm64",
"integrity": "sha256-JI+1iOHhon5xkvewefc5/Cmp3mHwutfpCSg2MCLcVkM="
},
"darwin-x64": {
"asset": "sfw-free-macos-x86_64",
"integrity": "sha256-pUJ9R51EDwjjeJ+hkbpXWZvmSZcZba9C5n2WT+wDgrQ="
},
"linux-arm64": {
"asset": "sfw-free-linux-arm64",
"integrity": "sha256-hKBF5OG7MgzFwNOSnwLlPxmTmLW+BjfohG0C2e8AJ7E="
},
"linux-arm64-musl": {
"asset": "sfw-free-musl-linux-arm64",
"integrity": "sha256-jk24IBch1wxWb687hNfWeuxvLvRgri9kCMbPpQK28U0="
},
"linux-x64": {
"asset": "sfw-free-linux-x86_64",
"integrity": "sha256-k+LZ36JEuCp04BTcJrHGrxi0rewg81JUN4lD21/pFBE="
},
"linux-x64-musl": {
"asset": "sfw-free-musl-linux-x86_64",
"integrity": "sha256-LIJ3Z7s1CBjDn0vO3kvpFhMInKY3GXj2cpDjNAOFXdE="
},
"win-x64": {
"asset": "sfw-free-windows-x86_64.exe",
"integrity": "sha256-bTM7TKydfFcS4umWd8pjSsijAg1VDGMIMSxgvql/Cig="
}
}
},
"enterprise": {
"repository": "github:SocketDev/firewall-release",
"binaryName": "sfw",
"checksums": {
"darwin-arm64": {
"asset": "sfw-macos-arm64",
"integrity": "sha256-sc3Dvb0qMWEke9XMIV6zxEqQuH/guACjOImhT2G7DW0="
},
"darwin-x64": {
"asset": "sfw-macos-x86_64",
"integrity": "sha256-2iUtKppdDtsnG7dx4NAbnNb6FjW212X2Hv1h7bZznxI="
},
"linux-arm64": {
"asset": "sfw-linux-arm64",
"integrity": "sha256-wkp5wn4aAaWbehYMFlkwrgKYFscrFB/PzbL3Pgd0iYo="
},
"linux-arm64-musl": {
"asset": "sfw-musl-linux-arm64",
"integrity": "sha256-gbClAbHIZAkSKCq74kpd5MRmnSGVcMSzaOhEOvZ/ujg="
},
"linux-x64": {
"asset": "sfw-linux-x86_64",
"integrity": "sha256-RIK1LmNnvUYQUZv9V6EE1ZB+yH1TmRQu07s9Ii3h8z0="
},
"linux-x64-musl": {
"asset": "sfw-musl-linux-x86_64",
"integrity": "sha256-zjuULfGmZEqD3cYacplX0p+PhZiD/n5slTwear+CJW8="
},
"win-x64": {
"asset": "sfw-windows-x86_64.exe",
"integrity": "sha256-5SrYBqHEG0QPBAmOscfkB4RfA/V0Cmp5AGum/RcgVuw="
}
}
}
},
"zizmor": {
"notes": "Socket fleet targets 8 platforms: linux-x64, linux-arm64, linux-x64-musl, linux-arm64-musl, darwin-x64, darwin-arm64, win-x64, win-arm64. zizmor upstream (zizmorcore/zizmor) only publishes 5 of those: linux-gnu x64+arm64, darwin x64+arm64, win-x64. The three unsupported combos (linux-x64-musl, linux-arm64-musl, win-arm64) are intentionally absent below — adding alias keys with mismatched binaries would break sha256 verification on those runners. Workflows that need zizmor on linux-musl or win-arm64 must conditionally skip the audit on those cells until upstream ships matching binaries.",
"description": "GitHub Actions security linter",
"repository": "github:zizmorcore/zizmor",
"version": "1.23.1",
"release": "asset",
"checksums": {
"darwin-arm64": {
"asset": "zizmor-aarch64-apple-darwin.tar.gz",
"integrity": "sha256-JjJWG5dMaflSJYwatLdDLVx/kuVVcEFVw6woopEL1xc="
},
"darwin-x64": {
"asset": "zizmor-x86_64-apple-darwin.tar.gz",
"integrity": "sha256-idXtQggd2dBDOhC3VF+sQrNfHwMIhcJ4uXErMsZvJZc="
},
"linux-arm64": {
"asset": "zizmor-aarch64-unknown-linux-gnu.tar.gz",
"integrity": "sha256-NyXXzXEC5NcIJxhjiffVkwtoeCMpMNCj6wWNfltH5lg="
},
"linux-x64": {
"asset": "zizmor-x86_64-unknown-linux-gnu.tar.gz",
"integrity": "sha256-Z6jfChQ1LdgYguFIdmU9CXuZsPT2tv55jtwDIM/yev8="
},
"win-x64": {
"asset": "zizmor-x86_64-pc-windows-msvc.zip",
"integrity": "sha256-M8IpP/AoNHIN182LRzSKr7LpWhm9yZPA7KypyASt6So="
}
}
},
"rust": {
"notes": "Rust toolchain — required by socket-btm's Node 26+ build to link the temporal_rs Rust crate that backs Temporal. Per Node BUILDING.md \"Building Node.js with Temporal support\": rustc/cargo >= 1.82 with LLVM >= 19. The minimum is what configure.py asserts at build time; downstream consumers (CI runners + local dev machines) typically have a newer stable toolchain via rustup, which is fine. Unlike pnpm/sfw/zizmor this entry has no per-platform integrity — Rust is installed via rustup or a runner-image preinstall, not by downloading a single tarball. Workflows install it via `dtolnay/rust-toolchain@stable` (CI) or `rustup default stable` (local).",
"description": "Rust toolchain — required for Node 26+ Temporal support",
"repository": "rust-lang/rust",
"minVersion": "1.82.0",
"minLlvmVersion": "19",
"release": "rustup",
"components": ["rustc", "cargo"]
},
"pnpm": {
"notes": "pnpm upstream publishes 7 platform-native binaries: linux-{x64,arm64}{,-musl}, darwin-arm64, win-{x64,arm64}. The linux-*-musl entries are first-class assets (pnpm-linux-{x64,arm64}-musl.tar.gz), NOT aliases of the glibc tarballs — their hashes are genuinely distinct. Do not \"simplify\" them by pointing at the glibc asset; the binaries are linked against different libcs and only the matching one runs on its target. darwin-x64 is intentionally a different shape: upstream dropped the SEA binary in 11.0.5 because of an upstream Node.js LIEF/Mach-O bug (nodejs/node#62893) that the Node team has declined to fix. Intel Mac instead installs the npm-registry JS tarball + runs it through the system Node — see source/binary fields below.",
"description": "Fast, disk space efficient package manager",
"repository": "github:pnpm/pnpm",
"version": "11.0.8",
"release": "asset",
"checksums": {
"darwin-arm64": {
"asset": "pnpm-darwin-arm64.tar.gz",
"integrity": "sha256-2Yijgk2f/W90652dcD0kt6QmMNrPp943W4vs7wcGKVw="
},
"darwin-x64": {
"asset": "pnpm-11.0.8.tgz",
"integrity": "sha512-TECX4d0tQjcsTn+lp5H/KPx1pITHrBkuZLHfD97xdZS6mC+bT+2a37PHV4RvVlt5mydj+zcz0d4by4LPRmhJEg==",
"source": "npm-registry",
"binary": "package/dist/pnpm.cjs",
"notes": "Intel Mac uses the npm-registry JS tarball + system Node (no SEA binary). Upstream dropped darwin-x64 SEA in pnpm 11.0.5 due to nodejs/node#62893 (upstream LIEF/Mach-O bug Node has declined to fix)."
},
"linux-arm64": {
"asset": "pnpm-linux-arm64.tar.gz",
"integrity": "sha256-Q5PtumS4yHQSO4/KhfqUDMUiSjkmUJk+XoSQnfr4D58="
},
"linux-arm64-musl": {
"asset": "pnpm-linux-arm64-musl.tar.gz",
"integrity": "sha256-PirzIyLAObVcjuyukR/NKf6/Kky/UM/UhgdwABExsjI="
},
"linux-x64": {
"asset": "pnpm-linux-x64.tar.gz",
"integrity": "sha256-rJ/tms94y56s87bnlk403Bluk8Kq0u01QP5e9cLv+us="
},
"linux-x64-musl": {
"asset": "pnpm-linux-x64-musl.tar.gz",
"integrity": "sha256-pQcM/aQTtvzaOlAfxrCxxXMJ7lkOrci6UfBeOiskGV8="
},
"win-arm64": {
"asset": "pnpm-win32-arm64.zip",
"integrity": "sha256-bZ6eWdJVv8BALF2Mb4nIUhNxdD4DBO2iLyiPePd2VwU="
},
"win-x64": {
"asset": "pnpm-win32-x64.zip",
"integrity": "sha256-GcSi1nWSCt8CpmFMIFWkQ5OiIcW6kUcISJvjluF2O9E="
}
}
}
}