From 71d40e8a244b01a10d5c7eab9f176c879f3b66d4 Mon Sep 17 00:00:00 2001 From: Marguerite Martinez Date: Thu, 25 Jun 2026 16:41:29 -0400 Subject: [PATCH 1/3] Add Socket Basics workflow and gitignore entries Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/socket-basics.yml | 15 +++++++++++++++ .gitignore | 2 ++ 2 files changed, 17 insertions(+) create mode 100644 .github/workflows/socket-basics.yml diff --git a/.github/workflows/socket-basics.yml b/.github/workflows/socket-basics.yml new file mode 100644 index 0000000..a19fb45 --- /dev/null +++ b/.github/workflows/socket-basics.yml @@ -0,0 +1,15 @@ +name: Socket Basics Security Scan + +on: + pull_request: + types: [opened, synchronize, reopened] + +jobs: + socket-basics-security-scan: + # We intentionally run this shared action from @main, not from a pinned sha + # this is because we control the shared-actions repo, so there is not a significant risk of malicious changes being pushed. + # Plus, the shared action does use pinned dependencies, and so will be updated fairly often. When we do that, we do not + # want to have to update the sha in every repo that uses this shared action, before such updates apply. + uses: ynab/shared-actions/.github/workflows/socket-basics.yml@main + secrets: + SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }} diff --git a/.gitignore b/.gitignore index 65b06b9..fc75583 100644 --- a/.gitignore +++ b/.gitignore @@ -64,3 +64,5 @@ target/ # Ipython Notebook .ipynb_checkpoints +.socket-scans/ +.socket.facts.json From 5cd13b0b9aec6333355cad51651a0cae9eccffb5 Mon Sep 17 00:00:00 2001 From: Marguerite Martinez Date: Mon, 29 Jun 2026 22:51:53 -0400 Subject: [PATCH 2/3] Implement repo-level suppressions --- .socket-basics.json | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 .socket-basics.json diff --git a/.socket-basics.json b/.socket-basics.json new file mode 100644 index 0000000..fb6cf72 --- /dev/null +++ b/.socket-basics.json @@ -0,0 +1,3 @@ +{ + "python_disabled_rules": "python-hardcoded-secret" +} From 8b9b2f4e785542bcf020401a0451611577509ae1 Mon Sep 17 00:00:00 2001 From: Buffy Miller Date: Thu, 2 Jul 2026 15:48:32 -0400 Subject: [PATCH 3/3] Use secrets: inherit for the Socket Basics reusable workflow The shared workflow (ynab/shared-actions#233) is gaining a required GH_YBOT_TOKEN secret (it now checks out shared-actions to run its helper actions from current main). `secrets: inherit` forwards the org secrets it needs today and means this file never needs touching when the shared workflow's secret needs change again. Safe to merge immediately: inherit also satisfies the current version of the shared workflow. Co-Authored-By: Claude Fable 5 --- .github/workflows/socket-basics.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/socket-basics.yml b/.github/workflows/socket-basics.yml index a19fb45..17d85f9 100644 --- a/.github/workflows/socket-basics.yml +++ b/.github/workflows/socket-basics.yml @@ -11,5 +11,4 @@ jobs: # Plus, the shared action does use pinned dependencies, and so will be updated fairly often. When we do that, we do not # want to have to update the sha in every repo that uses this shared action, before such updates apply. uses: ynab/shared-actions/.github/workflows/socket-basics.yml@main - secrets: - SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }} + secrets: inherit