add socket tier 1 reachability analysis #900
Conversation
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ac1fc0d3a6
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| # annotation that GitHub Actions renders as a yellow run-level | ||
| # warning without failing the job. | ||
| set +e | ||
| socket scan create --reach \ |
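Review bot: `set +e` at the top of this step means a non-zero exit from `socket scan create --reach` no longer fails the job on its own, so the step must capture the status immediately after the command (`rc=$?`) and `exit "$rc"` when the scan itself failed; only the case where the scan completed but its output contains Tier 2 fallback markers should be downgraded to the `::warning::` annotation described in the comment. Without that distinction a scan that never completed also surfaces as a yellow warning and the scheduled run looks healthy.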
Enable Gradle manifest generation
This workflow is documented as covering the Android Gradle project, but the Socket invocation never enables manifest generation. I checked the repo and the Android dependencies are only described by android/settings.gradle, android/build.gradle, and android/app/build.gradle; Socket's scan create --help says --auto-manifest is necessary for Gradle/Kotlin, and socket ci --autoManifest similarly says it is needed to include locally generated manifests like Gradle. Without that flag or a pre-generated SBOM/lockfile, the scheduled run can succeed while omitting the Android dependency graph from the reachability scan.
Pull request overview
Adds a scheduled GitHub Actions workflow to run Socket’s full-application (Tier 1) reachability scanning for freighter-mobile, covering the repo’s multi-ecosystem dependency surfaces (Node/Yarn, Ruby/Bundler, and Java/Gradle).
Changes:
- Introduces a new weekly + on-demand workflow to run socket scan create --reach.
- Sets up Java (Temurin 17), Ruby, and Node toolchains required for multi-ecosystem analysis.
- Emits a GitHub Actions ::warning:: when the scan succeeds but reports Tier 2 reachability fallback markers.
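The "warn on Tier 2 fallback, fail on scan error" decision that the overview above describes, as an added example for a GitHub Actions step running under set +e (this is not code from PR #900; the Tier 2 marker string and the log-file handling are assumptions):

```shell
# Added example, not code from PR #900: decide the outcome of a Socket
# reachability step that runs `socket scan create --reach` under `set +e`.
# Inputs: the command's exit status and a file holding its captured output.
# The marker text is an assumption; use the exact string Socket prints when
# it falls back to Tier 2 reachability.
TIER2_MARKER="${TIER2_MARKER:-Tier 2}"

# Returns 0 when the scan completed, printing a ::warning:: annotation if the
# log shows a Tier 2 fallback, and returns the scan's own non-zero status
# (with an ::error:: annotation) when the scan itself failed, so a broken run
# is never mistaken for a clean Tier 1 result.
classify_scan_result() {
  rc="$1"
  log="$2"
  if [ "$rc" -ne 0 ]; then
    printf '::error::socket scan create --reach exited with status %s\n' "$rc"
    return "$rc"
  fi
  if grep -q -- "$TIER2_MARKER" "$log"; then
    printf '::warning::Reachability analysis fell back to Tier 2; Tier 1 (full-application) results are incomplete\n'
  fi
  return 0
}

# How the workflow step would use it (shown only, not executed here):
#   set +e
#   socket scan create --reach --org=stellar ... >scan.log 2>&1
#   rc=$?
#   set -e
#   cat scan.log
#   classify_scan_result "$rc" scan.log
```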
| - name: Install Socket CLI | ||
| run: npm install -g socket |
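Review bot: `npm install -g socket` installs whatever version of the CLI is latest on each scheduled run, while the actions in this workflow are pinned by commit SHA (see the actions/setup-node line below); pin the CLI the same way (`npm install -g socket@<version>`) so the scan tool is not an unpinned, mutable dependency and a behaviour change in a new release cannot silently alter the reachability results or break the job.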
Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c4059f2240
| ruby-version: "3.4.9" | ||
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | ||
| with: | ||
| node-version: "20.20.2" |
Use the repo's supported Node version for the scan
When the Socket reachability step pre-installs/analyzes the JavaScript workspaces, it will run the root Yarn project under Node 20.20.2. The repo's package.json declares engines.node as >=22, and the existing test/android/ios workflows all set Node 22; running this scan on Node 20 puts the app's install/postinstall and analysis outside the supported runtime and can cause the JS reachability portion to fail or fall back to Tier 2 under the --reach-continue-on-install-errors path. Set this to Node 22+ before invoking Socket.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 07cd57c788
| socket scan create --reach \ | ||
| --org=stellar \ |
Pass the repository and branch to Socket
When this scheduled/manual workflow runs without a checked-in socket.json override (I checked the repo), socket scan create does not infer the GitHub repo/branch from Actions; Socket's scan create --help documents --repo as defaulting to socket-default-repository and --branch to socket-default-branch. As written, successful scans will be filed under those placeholder names instead of freighter-mobile and the scheduled/dispatch ref, so the repository's Socket alerts/history will not be updated for the code this workflow just analyzed. Pass --repo/--branch (and initialize the default branch if needed) from the GitHub context.
More info: https://stellarorg.atlassian.net/wiki/spaces/SCRT/pages/5689311233/Socket+Tier+1+Reachability+Analysis