From 59f7e2a3addbe4e691260f029252b9424ad62d8f Mon Sep 17 00:00:00 2001 From: Jeppe Fredsgaard Blaabjerg Date: Wed, 1 Jul 2026 10:03:31 +0200 Subject: [PATCH 1/3] fix(ci): build the Maven extension jar outside the Socket Firewall shims The release build failed because `pnpm run build:maven-extension` runs the whole build subtree (pnpm -> bash -> mvnw -> wget) under Socket Firewall, which shims the package managers it wraps. sfw then intercepts the Maven wrapper's download of Maven from Maven Central and fails on that non-package fetch. Invoke build-jar.sh directly instead. bash/mvnw/wget aren't shimmed, so the Maven download runs outside the sfw-wrapped process tree and succeeds. --- .github/workflows/provenance.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/provenance.yml b/.github/workflows/provenance.yml index 3cc35b6de..358a7b2d5 100644 --- a/.github/workflows/provenance.yml +++ b/.github/workflows/provenance.yml 
@@ -206,15 +206,19 @@ jobs: # Compile the Maven manifest extension jar so the dist build bundles it # into dist/manifest-scripts (the jar is never committed; it ships only in - # the published package). The org action allowlist forbids actions/setup-java, - # so use a JDK pre-installed on the runner image (JAVA_HOME_17_X64), falling - # back to the runner's default `java`. build-jar.sh uses the Maven wrapper. + # the published package). Invoke build-jar.sh directly, NOT via `pnpm run`: + # Socket Firewall wraps the package managers (npm/pnpm/...) it shims, so a + # `pnpm run` would route the Maven wrapper's download through sfw, which + # fails on the non-package fetch. Running bash directly keeps the Maven + # download outside the shimmed process tree. The org action allowlist forbids + # actions/setup-java, so use a JDK pre-installed on the runner image + # (JAVA_HOME_17_X64), falling back to the runner's default `java`. - name: Build Maven manifest extension jar run: | if [ -n "${JAVA_HOME_17_X64:-}" ]; then export JAVA_HOME="$JAVA_HOME_17_X64" fi - pnpm run build:maven-extension + bash src/commands/manifest/scripts/maven-extension/build-jar.sh - run: INLINED_SOCKET_CLI_PUBLISHED_BUILD=1 pnpm run build:dist - name: Publish socket From 6adfbb5d9af8934983be06fca154ae577e41104c Mon Sep 17 00:00:00 2001 From: Jeppe Fredsgaard Blaabjerg Date: Wed, 1 Jul 2026 10:05:40 +0200 Subject: [PATCH 2/3] chore(ci): remove the unused maven-extension-jar workflow The standalone PR-time jar-build workflow doesn't run behind Socket Firewall, so it never exercised the environment the release actually uses (and gave false confidence). The jar is built in the release workflow and the version-compat matrix runs locally via run-compat.sh, so drop it. --- .github/workflows/maven-extension-jar.yml | 46 ----------------------- 1 file changed, 46 deletions(-) delete mode 100644 .github/workflows/maven-extension-jar.yml 
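Review bot: The new `bash src/commands/manifest/scripts/maven-extension/build-jar.sh` step intentionally moves the Maven distribution download out of Socket Firewall's view, but the hunk adds nothing that checks the result of that unmonitored fetch before `build:dist` bundles the jar. Unless the Maven wrapper's properties pin `distributionSha256Sum` (not visible in this hunk), the release build now trusts an unverified download from Maven Central, so that is worth confirming and noting in the step comment. The PR-time workflow that patch 2 deletes had a `run: test -f src/commands/manifest/scripts/maven-extension/coana-maven-extension.jar` step; adding it as a `- name: Verify the Maven extension jar was produced` step between the jar build and the dist build would fail the release explicitly when the jar is missing, rather than relying on `build:dist` to notice. The `jobs:` block this step belongs to starts and ends outside the hunk.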
diff --git a/.github/workflows/maven-extension-jar.yml b/.github/workflows/maven-extension-jar.yml deleted file mode 100644 index 258dc331c..000000000 --- a/.github/workflows/maven-extension-jar.yml +++ /dev/null @@ -1,46 +0,0 @@ -name: Maven extension jar - -# Builds (and smoke-tests) the Maven manifest extension jar in CI, separately -# from release. Uses only allowlisted actions — notably NOT actions/setup-java -# (the org allowlist forbids it), so it relies on a JDK pre-installed on the -# runner via JAVA_HOME_17_X64, the same approach provenance.yml uses to build -# the jar at release. Runs on changes to the extension and on demand. - -on: - pull_request: - paths: - - 'src/commands/manifest/scripts/maven-extension/**' - - 'src/commands/manifest/scripts/test/maven-compat/**' - - '.github/workflows/maven-extension-jar.yml' - workflow_dispatch: - -permissions: - contents: read - -jobs: - build: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - persist-credentials: false - - name: Build the Maven extension jar (pre-installed JDK; no setup-java) - run: | - if [ -n "${JAVA_HOME_17_X64:-}" ]; then - export JAVA_HOME="$JAVA_HOME_17_X64" - fi - java -version - bash src/commands/manifest/scripts/maven-extension/build-jar.sh - - name: Verify the jar was produced - run: test -f src/commands/manifest/scripts/maven-extension/coana-maven-extension.jar - - name: Smoke-test the extension on Maven 3.9.9 - run: | - if [ -n "${JAVA_HOME_17_X64:-}" ]; then - export JAVA_HOME="$JAVA_HOME_17_X64" - fi - ver=3.9.9 - curl -fsSL "https://archive.apache.org/dist/maven/maven-3/$ver/binaries/apache-maven-$ver-bin.zip" -o maven.zip - unzip -q maven.zip - bash src/commands/manifest/scripts/test/maven-compat/smoke-test.sh \ - "$PWD/apache-maven-$ver/bin/mvn" \ - "$PWD/src/commands/manifest/scripts/maven-extension/coana-maven-extension.jar" From c0c86293a7f83aabdd3b43ffc61e4213d8e8ee81 Mon Sep 17 00:00:00 2001 
From: Jeppe Fredsgaard Blaabjerg Date: Wed, 1 Jul 2026 10:32:15 +0200 Subject: [PATCH 3/3] bump coana cli version --- CHANGELOG.md | 2 +- package.json | 2 +- pnpm-lock.yaml | 10 +++++----- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ce273d8df..55b3e728e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,7 +9,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). ### Changed - More reliable reachability for Gradle, sbt, and Maven projects with dynamic versions (git versions, CI build numbers, timestamps): the build is resolved once and its artifact paths reused, avoiding spurious "failed to install" errors. - `socket manifest` and `--auto-manifest` now prefer your project's build-tool wrapper (`./gradlew`, `./mvnw`) when present, falling back to `gradle`/`mvn` on PATH. -- Updated the Coana CLI to v `15.6.3`. +- Updated the Coana CLI to v `15.6.6`. ## [1.1.131](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.131) - 2026-06-29 diff --git a/package.json b/package.json index c0467e3a0..eb07a3472 100644 --- a/package.json +++ b/package.json @@ -97,7 +97,7 @@ "@babel/preset-typescript": "7.27.1", "@babel/runtime": "7.28.4", "@biomejs/biome": "2.2.4", - "@coana-tech/cli": "15.6.3", + "@coana-tech/cli": "15.6.6", "@cyclonedx/cdxgen": "12.1.2", "@dotenvx/dotenvx": "1.49.0", "@eslint/compat": "1.3.2", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 7d6adcf9b..fd3b8c5f5 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -128,8 +128,8 @@ importers: specifier: 2.2.4 version: 2.2.4 '@coana-tech/cli': - specifier: 15.6.3 - version: 15.6.3 + specifier: 15.6.6 + version: 15.6.6 '@cyclonedx/cdxgen': specifier: 12.1.2 version: 12.1.2 
@@ -749,8 +749,8 @@ packages: resolution: {integrity: sha512-hAs5PPKPCQ3/Nha+1fo4A4/gL85fIfxZwHPehsjCJ+BhQH2/yw6/xReuaPA/RfNQr6iz1PcD7BZcE3ctyyl3EA==} cpu: [x64] - '@coana-tech/cli@15.6.3': - resolution: {integrity: sha512-Z2gfuZURKd7fmYuyBgy/WsxGUKbSjCcI5nNU4Hjrk5/DjP1ihxHJK3sJp4/zcU/TwdCaqU4J13ZhuaXO4nkYPw==} + '@coana-tech/cli@15.6.6': + resolution: {integrity: sha512-UQLVEk73PExNBtc3skTt7dhiW9JrPkzCgXFNfOkVHx823v2721ZPTv6wWXM/JFMwbAQaij06mtESqm17IwxgQw==} hasBin: true '@colors/colors@1.5.0': @@ -5388,7 +5388,7 @@ snapshots: '@cdxgen/cdxgen-plugins-bin@2.0.2': optional: true - '@coana-tech/cli@15.6.3': {} + '@coana-tech/cli@15.6.6': {} '@colors/colors@1.5.0': optional: true