ci(dependency-review): bundle SFW reports as artifacts

lelia · lelia · commit 0819738f1e0f · 2026-06-02T19:27:25.000-04:00
Collect each Socket Firewall smoke job's output into an sfw-artifacts/
directory and upload it (if: always(), so the report survives even when
sfw BLOCKS an install):

  - context.txt   -- provenance (mode, manifest, PR#, head SHA)
  - sfw-*.log      -- teed firewall console output (pipefail preserves the
                      sfw exit code so a block still fails the job)
  - import-smoke.log (python jobs)
  - sfw-report.json -- the structured firewall report, copied from
                       $SFW_JSON_REPORT_PATH (the path socketdev/action
                       exports); a sfw-report-missing.txt breadcrumb is
                       written instead when no report is produced

Copy rather than redirect the JSON: socketdev/action's post step reads
$SFW_JSON_REPORT_PATH to render its job summary, so the report must stay
at its temp path. Artifacts are named per edition+manifest to stay unique
within a run. Pins actions/upload-artifact to v7.0.1.

Signed-off-by: lelia &lt;2418071+lelia@users.noreply.github.com&gt;
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -18,7 +18,12 @@ name: dependency-review
 # Only Enterprise jobs declare the socket-firewall environment. Free jobs do
 # not touch that environment or its token.
 #
-# Pattern adapted from SocketDev/socket-basics.
+# Each sfw smoke job collects an sfw-artifacts/ directory (provenance context
+# + the firewall's console logs) and uploads it as a build artifact
+# (if: always(), so the report survives even when sfw BLOCKS an install --
+# which is exactly when you want to read it).
+#
+# Pattern adapted from SocketDev/socket-basics and SocketDev/socket-sdk-python.
 
 on:
   pull_request:
@@ -135,6 +140,16 @@ jobs:
           fetch-depth: 1
           persist-credentials: false
 
+      - name: Prepare SFW artifact directory
+        run: |
+          mkdir -p sfw-artifacts
+          {
+            echo "mode=firewall-free"
+            echo "manifest=python"
+            echo "pr=${{ github.event.pull_request.number }}"
+            echo "sha=${{ github.event.pull_request.head.sha }}"
+          } > sfw-artifacts/context.txt
+
       - uses: ./.github/actions/setup-sfw
         with:
           uv: "true"
@@ -151,16 +166,22 @@ jobs:
         # Use the runner's setup-python interpreter and forbid managed-Python
         # downloads. The firewall is here to vet PyPI installs, not the
         # interpreter/toolchain download path.
+        #
+        # pipefail keeps sfw's exit code through the tee so a firewall block
+        # still fails the job; tee captures the report for the artifact upload.
         env:
           UV_PYTHON: "3.12"
           UV_PYTHON_DOWNLOADS: never
-        run: sfw uv sync --locked --extra test --extra dev
+        run: |
+          set -o pipefail
+          sfw uv sync --locked --extra test --extra dev 2>&1 | tee sfw-artifacts/sfw-uv-sync.log
 
       - name: Import smoke test
         env:
           UV_PYTHON: "3.12"
           UV_PYTHON_DOWNLOADS: never
         run: |
+          set -o pipefail
           uv run python -c "
           from socketsecurity.socketcli import cli, build_socket_sdk
           from socketsecurity.core import Core
@@ -170,7 +191,31 @@ jobs:
           from socketsecurity.core.git_interface import Git
           from socketsecurity.config import CliConfig
           print('import smoke OK')
-          "
+          " 2>&1 | tee sfw-artifacts/import-smoke.log
+
+      - name: Collect SFW JSON report
+        # socketdev/action points sfw at SFW_JSON_REPORT_PATH (a $RUNNER_TEMP
+        # file) and reads it back in its post step to render the job summary, so
+        # COPY (don't move) the report into the bundle. sfw writes it even when
+        # it blocks an install -- always() keeps it on failures too.
+        if: always()
+        run: |
+          if [ -n "${SFW_JSON_REPORT_PATH:-}" ] && [ -f "$SFW_JSON_REPORT_PATH" ]; then
+            cp "$SFW_JSON_REPORT_PATH" "$GITHUB_WORKSPACE/sfw-artifacts/sfw-report.json"
+            echo "Collected SFW report -> sfw-artifacts/sfw-report.json"
+          else
+            echo "No SFW JSON report found at '${SFW_JSON_REPORT_PATH:-<unset>}'." \
+              > "$GITHUB_WORKSPACE/sfw-artifacts/sfw-report-missing.txt"
+          fi
+
+      - name: Upload SFW report artifact
+        if: always()
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: socket-firewall-free-python-${{ github.event.pull_request.number }}
+          path: sfw-artifacts/
+          if-no-files-found: warn
+          retention-days: 14
 
   python-sfw-smoke-enterprise:
     needs: inspect
@@ -186,6 +231,16 @@ jobs:
           fetch-depth: 1
           persist-credentials: false
 
+      - name: Prepare SFW artifact directory
+        run: |
+          mkdir -p sfw-artifacts
+          {
+            echo "mode=firewall-enterprise"
+            echo "manifest=python"
+            echo "pr=${{ github.event.pull_request.number }}"
+            echo "sha=${{ github.event.pull_request.head.sha }}"
+          } > sfw-artifacts/context.txt
+
       - uses: ./.github/actions/setup-sfw
         with:
           uv: "true"
@@ -203,16 +258,22 @@ jobs:
         # Use the runner's setup-python interpreter and forbid managed-Python
         # downloads. The firewall is here to vet PyPI installs, not the
         # interpreter/toolchain download path.
+        #
+        # pipefail keeps sfw's exit code through the tee so a firewall block
+        # still fails the job; tee captures the report for the artifact upload.
         env:
           UV_PYTHON: "3.12"
           UV_PYTHON_DOWNLOADS: never
-        run: sfw uv sync --locked --extra test --extra dev
+        run: |
+          set -o pipefail
+          sfw uv sync --locked --extra test --extra dev 2>&1 | tee sfw-artifacts/sfw-uv-sync.log
 
       - name: Import smoke test
         env:
           UV_PYTHON: "3.12"
           UV_PYTHON_DOWNLOADS: never
         run: |
+          set -o pipefail
           uv run python -c "
           from socketsecurity.socketcli import cli, build_socket_sdk
           from socketsecurity.core import Core
@@ -222,7 +283,31 @@ jobs:
           from socketsecurity.core.git_interface import Git
           from socketsecurity.config import CliConfig
           print('import smoke OK')
-          "
+          " 2>&1 | tee sfw-artifacts/import-smoke.log
+
+      - name: Collect SFW JSON report
+        # socketdev/action points sfw at SFW_JSON_REPORT_PATH (a $RUNNER_TEMP
+        # file) and reads it back in its post step to render the job summary, so
+        # COPY (don't move) the report into the bundle. sfw writes it even when
+        # it blocks an install -- always() keeps it on failures too.
+        if: always()
+        run: |
+          if [ -n "${SFW_JSON_REPORT_PATH:-}" ] && [ -f "$SFW_JSON_REPORT_PATH" ]; then
+            cp "$SFW_JSON_REPORT_PATH" "$GITHUB_WORKSPACE/sfw-artifacts/sfw-report.json"
+            echo "Collected SFW report -> sfw-artifacts/sfw-report.json"
+          else
+            echo "No SFW JSON report found at '${SFW_JSON_REPORT_PATH:-<unset>}'." \
+              > "$GITHUB_WORKSPACE/sfw-artifacts/sfw-report-missing.txt"
+          fi
+
+      - name: Upload SFW report artifact
+        if: always()
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: socket-firewall-enterprise-python-${{ github.event.pull_request.number }}
+          path: sfw-artifacts/
+          if-no-files-found: warn
+          retention-days: 14
 
   fixture-npm-sfw-smoke-free:
     needs: inspect
@@ -237,14 +322,52 @@ jobs:
           fetch-depth: 1
           persist-credentials: false
 
+      - name: Prepare SFW artifact directory
+        run: |
+          mkdir -p sfw-artifacts
+          {
+            echo "mode=firewall-free"
+            echo "manifest=npm"
+            echo "pr=${{ github.event.pull_request.number }}"
+            echo "sha=${{ github.event.pull_request.head.sha }}"
+          } > sfw-artifacts/context.txt
+
       - uses: ./.github/actions/setup-sfw
         with:
           node: "true"
           mode: firewall-free
 
       - name: Install fixture through Socket Firewall
         working-directory: tests/e2e/fixtures/simple-npm
-        run: sfw npm install --no-audit --no-fund --ignore-scripts
+        # Tee to an absolute path under the workspace so the log lands in the
+        # repo-root sfw-artifacts/ dir despite this step's working-directory.
+        run: |
+          set -o pipefail
+          sfw npm install --no-audit --no-fund --ignore-scripts 2>&1 | tee "$GITHUB_WORKSPACE/sfw-artifacts/sfw-npm-install.log"
+
+      - name: Collect SFW JSON report
+        # socketdev/action points sfw at SFW_JSON_REPORT_PATH (a $RUNNER_TEMP
+        # file) and reads it back in its post step to render the job summary, so
+        # COPY (don't move) the report into the bundle. sfw writes it even when
+        # it blocks an install -- always() keeps it on failures too.
+        if: always()
+        run: |
+          if [ -n "${SFW_JSON_REPORT_PATH:-}" ] && [ -f "$SFW_JSON_REPORT_PATH" ]; then
+            cp "$SFW_JSON_REPORT_PATH" "$GITHUB_WORKSPACE/sfw-artifacts/sfw-report.json"
+            echo "Collected SFW report -> sfw-artifacts/sfw-report.json"
+          else
+            echo "No SFW JSON report found at '${SFW_JSON_REPORT_PATH:-<unset>}'." \
+              > "$GITHUB_WORKSPACE/sfw-artifacts/sfw-report-missing.txt"
+          fi
+
+      - name: Upload SFW report artifact
+        if: always()
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: socket-firewall-free-npm-${{ github.event.pull_request.number }}
+          path: sfw-artifacts/
+          if-no-files-found: warn
+          retention-days: 14
 
   fixture-npm-sfw-smoke-enterprise:
     needs: inspect
@@ -260,6 +383,16 @@ jobs:
           fetch-depth: 1
           persist-credentials: false
 
+      - name: Prepare SFW artifact directory
+        run: |
+          mkdir -p sfw-artifacts
+          {
+            echo "mode=firewall-enterprise"
+            echo "manifest=npm"
+            echo "pr=${{ github.event.pull_request.number }}"
+            echo "sha=${{ github.event.pull_request.head.sha }}"
+          } > sfw-artifacts/context.txt
+
       - uses: ./.github/actions/setup-sfw
         with:
           node: "true"
@@ -268,7 +401,35 @@ jobs:
 
       - name: Install fixture through Socket Firewall
         working-directory: tests/e2e/fixtures/simple-npm
-        run: sfw npm install --no-audit --no-fund --ignore-scripts
+        # Tee to an absolute path under the workspace so the log lands in the
+        # repo-root sfw-artifacts/ dir despite this step's working-directory.
+        run: |
+          set -o pipefail
+          sfw npm install --no-audit --no-fund --ignore-scripts 2>&1 | tee "$GITHUB_WORKSPACE/sfw-artifacts/sfw-npm-install.log"
+
+      - name: Collect SFW JSON report
+        # socketdev/action points sfw at SFW_JSON_REPORT_PATH (a $RUNNER_TEMP
+        # file) and reads it back in its post step to render the job summary, so
+        # COPY (don't move) the report into the bundle. sfw writes it even when
+        # it blocks an install -- always() keeps it on failures too.
+        if: always()
+        run: |
+          if [ -n "${SFW_JSON_REPORT_PATH:-}" ] && [ -f "$SFW_JSON_REPORT_PATH" ]; then
+            cp "$SFW_JSON_REPORT_PATH" "$GITHUB_WORKSPACE/sfw-artifacts/sfw-report.json"
+            echo "Collected SFW report -> sfw-artifacts/sfw-report.json"
+          else
+            echo "No SFW JSON report found at '${SFW_JSON_REPORT_PATH:-<unset>}'." \
+              > "$GITHUB_WORKSPACE/sfw-artifacts/sfw-report-missing.txt"
+          fi
+
+      - name: Upload SFW report artifact
+        if: always()
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: socket-firewall-enterprise-npm-${{ github.event.pull_request.number }}
+          path: sfw-artifacts/
+          if-no-files-found: warn
+          retention-days: 14
 
   fixture-pypi-sfw-smoke-free:
     needs: inspect
@@ -283,18 +444,55 @@ jobs:
           fetch-depth: 1
           persist-credentials: false
 
+      - name: Prepare SFW artifact directory
+        run: |
+          mkdir -p sfw-artifacts
+          {
+            echo "mode=firewall-free"
+            echo "manifest=pypi"
+            echo "pr=${{ github.event.pull_request.number }}"
+            echo "sha=${{ github.event.pull_request.head.sha }}"
+          } > sfw-artifacts/context.txt
+
       - uses: ./.github/actions/setup-sfw
         with:
           python: "true"
           mode: firewall-free
 
       - name: Install fixture through Socket Firewall
         working-directory: tests/e2e/fixtures/simple-pypi
+        # Tee to an absolute path under the workspace so the log lands in the
+        # repo-root sfw-artifacts/ dir despite this step's working-directory.
         run: |
+          set -o pipefail
           python -m venv .venv
           # shellcheck disable=SC1091
           source .venv/bin/activate
-          sfw pip install -r requirements.txt
+          sfw pip install -r requirements.txt 2>&1 | tee "$GITHUB_WORKSPACE/sfw-artifacts/sfw-pip-install.log"
+
+      - name: Collect SFW JSON report
+        # socketdev/action points sfw at SFW_JSON_REPORT_PATH (a $RUNNER_TEMP
+        # file) and reads it back in its post step to render the job summary, so
+        # COPY (don't move) the report into the bundle. sfw writes it even when
+        # it blocks an install -- always() keeps it on failures too.
+        if: always()
+        run: |
+          if [ -n "${SFW_JSON_REPORT_PATH:-}" ] && [ -f "$SFW_JSON_REPORT_PATH" ]; then
+            cp "$SFW_JSON_REPORT_PATH" "$GITHUB_WORKSPACE/sfw-artifacts/sfw-report.json"
+            echo "Collected SFW report -> sfw-artifacts/sfw-report.json"
+          else
+            echo "No SFW JSON report found at '${SFW_JSON_REPORT_PATH:-<unset>}'." \
+              > "$GITHUB_WORKSPACE/sfw-artifacts/sfw-report-missing.txt"
+          fi
+
+      - name: Upload SFW report artifact
+        if: always()
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: socket-firewall-free-pypi-${{ github.event.pull_request.number }}
+          path: sfw-artifacts/
+          if-no-files-found: warn
+          retention-days: 14
 
   fixture-pypi-sfw-smoke-enterprise:
     needs: inspect
@@ -310,6 +508,16 @@ jobs:
           fetch-depth: 1
           persist-credentials: false
 
+      - name: Prepare SFW artifact directory
+        run: |
+          mkdir -p sfw-artifacts
+          {
+            echo "mode=firewall-enterprise"
+            echo "manifest=pypi"
+            echo "pr=${{ github.event.pull_request.number }}"
+            echo "sha=${{ github.event.pull_request.head.sha }}"
+          } > sfw-artifacts/context.txt
+
       - uses: ./.github/actions/setup-sfw
         with:
           python: "true"
@@ -318,11 +526,38 @@ jobs:
 
       - name: Install fixture through Socket Firewall
         working-directory: tests/e2e/fixtures/simple-pypi
+        # Tee to an absolute path under the workspace so the log lands in the
+        # repo-root sfw-artifacts/ dir despite this step's working-directory.
         run: |
+          set -o pipefail
           python -m venv .venv
           # shellcheck disable=SC1091
           source .venv/bin/activate
-          sfw pip install -r requirements.txt
+          sfw pip install -r requirements.txt 2>&1 | tee "$GITHUB_WORKSPACE/sfw-artifacts/sfw-pip-install.log"
+
+      - name: Collect SFW JSON report
+        # socketdev/action points sfw at SFW_JSON_REPORT_PATH (a $RUNNER_TEMP
+        # file) and reads it back in its post step to render the job summary, so
+        # COPY (don't move) the report into the bundle. sfw writes it even when
+        # it blocks an install -- always() keeps it on failures too.
+        if: always()
+        run: |
+          if [ -n "${SFW_JSON_REPORT_PATH:-}" ] && [ -f "$SFW_JSON_REPORT_PATH" ]; then
+            cp "$SFW_JSON_REPORT_PATH" "$GITHUB_WORKSPACE/sfw-artifacts/sfw-report.json"
+            echo "Collected SFW report -> sfw-artifacts/sfw-report.json"
+          else
+            echo "No SFW JSON report found at '${SFW_JSON_REPORT_PATH:-<unset>}'." \
+              > "$GITHUB_WORKSPACE/sfw-artifacts/sfw-report-missing.txt"
+          fi
+
+      - name: Upload SFW report artifact
+        if: always()
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: socket-firewall-enterprise-pypi-${{ github.event.pull_request.number }}
+          path: sfw-artifacts/
+          if-no-files-found: warn
+          retention-days: 14
 
   dockerfile-smoke:
     needs: inspect
