ci(tooling): add socket-cli scan step to validate job

Adds a supply-chain scan step that runs `socket-cli` against the lockfile on PRs that touch package.json or pnpm-lock.yaml. The step is gated behind a git-diff paths check so it only fires when dependency files change. The repo-root .socket.json (critical → error) causes the step to exit non-zero on any critical finding, blocking the PR. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-14 17:15:08 +00:00
parent 49619931d5
commit ea5db36da6
1 changed files with 9 additions and 0 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -51,6 +51,15 @@ jobs:
          node-version: 22
          cache: pnpm
      - run: pnpm install --frozen-lockfile
+      - name: Socket supply-chain scan
+        if: github.event_name == 'pull_request'
+        run: |
+          if git diff --name-only origin/${{ github.base_ref }}...HEAD \
+              | grep -qE '(^|/)package\.json$|(^|/)pnpm-lock\.yaml$'; then
+            npx --yes socket-cli@latest scan .
+          else
+            echo "No package.json or pnpm-lock.yaml changes — skipping Socket scan."
+          fi
      - run: pnpm typecheck
      - run: pnpm lint
      - run: pnpm conformance