
chore(deps): bundle Dependabot updates + harden dependency review workflows#78

Open
lelia wants to merge 5 commits into
mainfrom
lelia/dependabot-bundle-hardening

Conversation


@lelia lelia commented Jun 2, 2026


Summary

Mirrors the Dependabot hardening from socket-sdk-python (#84) and socket-python-cli (#207 / #217 / #224), adapted to socket-basics — which ships both a uv.lock and two Dockerfiles — then adds a supply-chain watch for the four core OSS tools Dependabot can't track, and closes the SFW-bypass blindspot the CLI/SDK pattern introduced. Four threads:

  1. Bundle dependency updates — supersedes the 8 open Dependabot PRs in one verified change.
  2. Dependabot config — adds the missing uv ecosystem and groups every ecosystem into minor/patch + major bundles.
  3. Dependency review — Socket Firewall on every dependency PR (anonymous for forks/Dependabot, enterprise for trusted members), report artifacts, and a single always-on required gate.
  4. Core-tool supply-chain watch — discovers and Socket-scores the upstream versions of OpenGrep / TruffleHog / Trivy / Socket SCA.

1. Dependencies (supersedes 8 Dependabot PRs)

PR  | Package                     | Bump            | Notes
#72 | idna                        | 3.10 → 3.18     | CVE-2026-45409 fix (newer than Dependabot's 3.15)
#71 | pygments                    | 2.19.2 → 2.20.0 |
#70 | urllib3                     | 2.6.3 → 2.7.0   |
#67 | pytest                      | 8.4.2 → 9.0.3   |
#76 | docker/metadata-action      | 5.10.0 → 6.1.0  | major
#75 | docker/login-action         | 3.7.0 → 4.2.0   | major
#74 | docker/build-push-action    | 6.19.2 → 7.2.0  | major
#73 | docker/setup-buildx-action  | 4.0.0 → 4.1.0   | grouped

Python bumps are transitive/dev deps (runtime constraints in pyproject.toml unchanged; targeted uv lock --upgrade-package only). The four docker/* action SHAs live in _docker-pipeline.yml (majors pinned by SHA). The 8 Dependabot PRs were closed manually, each pointing here.

2. Dependabot config (.github/dependabot.yml)

  • Adds the uv ecosystem — the gap that let the Python PRs pile up ungrouped.
  • Every ecosystem (uv, docker ×2, github-actions) groups into a weekly minor/patch bundle + a separate major PR.
  • GitHub Actions also scans /.github/actions/* (the new composite action). 7-day cooldown retained.

3. Dependency review (.github/workflows/dependency-review.yml)

Renamed from dependabot-review.yml, runs on every PR. inspect classifies the PR; exactly one Socket Firewall job runs when Python deps change:

  • Enterprise (firewall-enterprise + token) — trusted in-repo non-Dependabot PRs (write-access holders). Only this job references the secret.
  • Free (firewall-free, anonymous) — Dependabot, forks, externals, or whenever the token is absent.

The enterprise path degrades to free when the token is missing, so secretless contexts never hard-error. Both jobs capture the structured SFW report ($SFW_JSON_REPORT_PATH) into a sfw-report-free / sfw-report-enterprise artifact.

Environment kept for secret scoping; approval rule forbidden (uniform with socket-python-cli#224). environment: socket-firewall scopes the token so only the enterprise job can read it. The trap is a required-reviewers rule on that environment: it's self-approvable (prevent_self_review defaults off; admins bypass) yet skippable, so the meaningful check silently never runs. Configure with no reviewers:

gh api -X PUT repos/SocketDev/socket-basics/environments/socket-firewall \
  --input - <<<'{"wait_timer":0,"prevent_self_review":false,"reviewers":null,"deployment_branch_policy":null}'

Coverage is enforced instead by the always-on dependency-review-gate aggregator (Pattern 2): it needs every conditional job, fails on any failure/cancelled (success/skipped pass), and additionally requires the trust-appropriate SFW edition to have succeeded when Python deps changed. It runs if: always() so the required context is always created (no Pattern-1 bypass twin needed). Mark only dependency-review-gate as the required check — and merge it to main first, then add it to branch protection (requiring a check before it exists on main strands every open PR).

Docker dep changes: the main image is already build-smoke-tested by smoke-test.yml, so only the app_tests image (uncovered elsewhere) is built here.

4. Core-tool supply-chain watch (core-tool-watch.yml + scripts/check_core_tools.py)

Three of the four core tools — OpenGrep, TruffleHog, Trivy — ship as binaries / images / GitHub releases Dependabot can't track; the fourth, Socket SCA (socketdev), is a PyPI package. The watcher:

  • Discovers the latest upstream version of each (GitHub Releases + PyPI) vs the repo pins (Dockerfile ARGs + uv.lock).
  • Scores the package coordinates through the Socket API — dogfooding the socketdev SDK's purl.post() that socket-basics already depends on (pkg:pypi/..., pkg:golang/..., pkg:github/...).
  • schedule / dispatch (watch): report drift, upsert a core-tool-drift issue. PR / push touching pins (build): analyze the versions a build would bake in and fail on a malware/critical alert.
  • Uploads a core-tools-report artifact (markdown + JSON); degrades to discovery-only without a token.

OpenGrep Socket coverage (new): Socket has no data for OpenGrep's pkg:github coordinate. Since OpenGrep is a hard fork of Semgrep, the watcher now falls back to scoring the upstream Semgrep lineage (pkg:pypi/semgrep) as a project-health proxy — clearly labeled (via semgrep upstream proxy) and report-only, never build-failing (it doesn't analyze OpenGrep's own release artifacts). The npm opengrep package is a single-version squat and is deliberately not used.

5. Workflow plumbing

  • .github/actions/setup-sfw composite action (Python 3.12 + uv + Socket Firewall, free/enterprise; resolves effective mode and falls back to free when enterprise is requested without a token, so it never hard-errors).
  • python-tests.yml gains a uv lock --locked drift guard.

Setup / follow-ups

  • The socket-firewall environment + SOCKET_SFW_API_TOKEN secret are in place (no reviewers rule) — the enterprise path and core-tool Socket scoring run authenticated.
  • After this PR merges, mark dependency-review-gate as the single required status check on main. Do not add a required-reviewers rule to the socket-firewall environment — that's the bypass blindspot this PR avoids.

Test plan (live CI, green)

  • python-tests: uv lock --locked drift guard + 139 tests pass
  • smoke-test — full Docker build + smoke + integration
  • dependency-review — enterprise SFW (firewall-enterprise, authenticated) + dependency-review-gate enforcing; gate fail-closed when enterprise failed, passing once it succeeded
  • core-tool-watch build mode — TruffleHog / Trivy / socketdev scored clean; OpenGrep via Semgrep proxy; no spurious drift issue
  • SFW report artifacts uploaded; actionlint / zizmor --offline clean

Bundles 8 open Dependabot PRs into one verified change and hardens the
Dependabot config + dependency-review workflows, mirroring the work in
socket-sdk-python#84 and socket-python-cli#207/#217. Adds a supply-chain
watch for the four core OSS tools Dependabot cannot cleanly track.

- uv.lock: idna 3.10->3.18 (CVE-2026-45409), pygments 2.19.2->2.20.0,
  pytest 8.4.2->9.0.3, urllib3 2.6.3->2.7.0
- _docker-pipeline.yml: bump 4 docker/* actions (setup-buildx, login,
  metadata, build-push)
- dependabot.yml: add uv ecosystem, group every ecosystem into
  minor/patch + major bundles, scan composite actions
- dependency-review.yml (was dependabot-review.yml): runs on every PR;
  free/enterprise sfw split; report artifacts; app_tests docker smoke
- core-tool-watch.yml + scripts/check_core_tools.py: discover latest
  versions of opengrep/trufflehog/trivy/socketdev and score them through
  the Socket API (socketdev SDK purl.post); drift issue + report artifact
- python-tests.yml: uv.lock drift guard

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@lelia lelia requested a review from a team as a code owner June 2, 2026 23:17

socket-security Bot commented Jun 2, 2026


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff: Updated
Package: pypi/pytest@8.4.2 ⏵ 9.0.3
Supply Chain Security: 87 (-3)
Vulnerability: 100 (+2)
Quality: 100
Maintenance: 100
License: 100

View full report


socket-security-staging Bot commented Jun 2, 2026


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff: Updated
Package: pypi/pytest@8.4.2 ⏵ 9.0.3
Supply Chain Security: 87 (-3)
Vulnerability: 100 (+2)
Quality: 100
Maintenance: 100
License: 100

View full report

@lelia lelia changed the title chore(deps): bundle dependency updates + harden supply-chain review chore(deps): bundle Dependabot updates + harden dependency review Jun 3, 2026
@lelia lelia changed the title chore(deps): bundle Dependabot updates + harden dependency review chore(deps): bundle Dependabot updates + harden dependency review workflows Jun 3, 2026
@lelia lelia added dependencies Pull requests that update a dependency file github-actions labels Jun 3, 2026
lelia and others added 2 commits June 3, 2026 13:35
… gate

Mirroring the Python CLI/SDK used `environment: socket-firewall` to scope the
SFW token, but that environment can carry a required-reviewers approval gate.
Because the enterprise SFW check can't be a required status check (it would
block Dependabot/fork PRs that only run the free edition), maintainers could
merge without approving the deployment -- the meaningful check silently never
ran, and approvers could rubber-stamp their own PRs. On the scheduled
core-tool-watch job an approval gate would hang the cron run outright.

- Remove `environment:` from python-sfw-smoke-enterprise and core-tool-watch;
  use a plain repo/org SOCKET_SFW_API_TOKEN (zizmor secrets-outside-env is
  already disabled here, so no lint cost). Job split still isolates the token
  to the enterprise job only.
- Add always-on `dependency-review-gate` job: pass when no python deps changed,
  else require the free (Dependabot/fork) or enterprise (maintainer) smoke job
  to have succeeded. Mark THIS as the single required status check -- safe on
  every PR, no manual gate, no bypass.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Adopt the socket-python-cli#224 pattern uniformly. The environment was never
the problem -- the required-reviewers approval RULE on it was. Keep the
environment for secret scoping; forbid the rule.

- Restore `environment: socket-firewall` on python-sfw-smoke-enterprise and the
  core-tool-watch analyze job so SOCKET_SFW_API_TOKEN is scoped to those jobs.
  Header documents that the environment must have NO reviewers rule, with the
  gh api command to enforce it (reviewers: null).
- dependency-review-gate (Pattern 2 aggregator): now also needs
  docker-smoke-app-tests; fails on any failure/cancelled result (success and
  skipped pass) AND requires the trust-appropriate SFW edition to have
  succeeded when Python deps changed. Runs if: always() so the required context
  is always created -- no Pattern 1 bypass twin needed. Must land on main before
  being added to branch protection.

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
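The aggregator rule described in section 3 of the PR summary and restated in the commit message above (every needed job must end success or skipped, any failure/cancelled fails the gate, and when Python deps changed the trust-appropriate SFW edition must itself have succeeded) can be modelled outside YAML so the edge cases are visible. The following is an added Python example, not the repository's workflow; the job names it uses as `needs` keys (inspect, firewall-free, firewall-enterprise, docker-smoke-app-tests) are taken from the PR text but assumed to be the literal job ids, and the result vocabulary follows GitHub Actions' needs.<job>.result.

```python
"""Decision logic of an always-on dependency-review aggregator gate.

Added example, not the repository's workflow. It models the rule from the
PR: every gated job must end 'success' or 'skipped'; any 'failure' or
'cancelled' fails the gate; and when Python dependencies changed, the
trust-appropriate Socket Firewall job must itself have succeeded, so an
SFW job that silently never ran cannot pass. Job names and the result
vocabulary are assumptions modelled on GitHub Actions' needs.<job>.result.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PASSING = {"success", "skipped"}
FAILING = {"failure", "cancelled"}
# Assumed job ids of the conditional jobs the gate lists under `needs:`.
GATED_JOBS = ("inspect", "firewall-free", "firewall-enterprise", "docker-smoke-app-tests")


@dataclass(frozen=True)
class PRClass:
    """What the `inspect` job decides about a pull request."""
    python_deps_changed: bool
    trusted: bool  # in-repo, non-Dependabot PR from a write-access holder

    def required_sfw_job(self) -> Optional[str]:
        """The SFW edition whose success the gate must insist on, if any."""
        if not self.python_deps_changed:
            return None
        return "firewall-enterprise" if self.trusted else "firewall-free"


def gate(needs: Dict[str, str], pr: PRClass) -> Tuple[bool, str]:
    """Return (passed, reason) for the aggregator given the needs results."""
    for job in GATED_JOBS:
        result = needs.get(job, "missing")
        if result in FAILING:
            return False, f"{job} ended with {result}"
        if result not in PASSING:
            # Fail closed on anything unexpected, including a job that is
            # absent from the needs map altogether.
            return False, f"{job} has unexpected result {result!r}"
    required = pr.required_sfw_job()
    if required is not None and needs.get(required) != "success":
        return False, (f"Python deps changed but {required} was "
                       f"{needs.get(required)!r}, not success")
    return True, "ok"


def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str]]:
    """Healthy trusted PR vs. the blindspot: the enterprise job never ran."""
    trusted = PRClass(python_deps_changed=True, trusted=True)
    healthy = {"inspect": "success", "firewall-free": "skipped",
               "firewall-enterprise": "success", "docker-smoke-app-tests": "skipped"}
    # Constructed scenario: an approval-gated environment left the enterprise
    # job unrun. A gate that only rejects failure/cancelled would pass this.
    stranded = dict(healthy, **{"firewall-enterprise": "skipped"})
    return gate(healthy, trusted), gate(stranded, trusted)


if __name__ == "__main__":
    for passed, reason in demo():
        print("PASS" if passed else "FAIL", "-", reason)
```

The second check in `gate` is the whole point of the pattern: "skipped" is a passing result for every conditional job except the one SFW edition that the PR classification says must have run, which is why a required-reviewers rule that strands that job cannot slip through.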
…N report

Live CI exposed two things on the now-enabled Actions:
- socketdev/action firewall-enterprise HARD-ERRORS on an empty token (no
  silent fallback), so a trusted dep PR opened before the SOCKET_SFW_API_TOKEN
  secret exists fails and the required gate blocks merge. setup-sfw now resolves
  the effective mode and falls back to firewall-free when enterprise is
  requested without a token -- still a real supply-chain check, ships green
  today, auto-upgrades to enterprise the moment the secret is added. Token is
  read via env, never interpolated into the script.
- socketdev/action writes a structured report to $SFW_JSON_REPORT_PATH; both
  smoke jobs now capture it and upload it alongside the tee'd log.

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
@lelia lelia temporarily deployed to socket-firewall June 26, 2026 20:58 — with GitHub Actions Inactive
@lelia lelia temporarily deployed to socket-firewall June 26, 2026 20:58 — with GitHub Actions Inactive
@lelia lelia temporarily deployed to socket-firewall June 26, 2026 21:06 — with GitHub Actions Inactive
@lelia lelia temporarily deployed to socket-firewall June 26, 2026 21:08 — with GitHub Actions Inactive
… scoring

OpenGrep ships as a GitHub-release binary that Socket has no data for under
its pkg:github coordinate, so the watcher reported 'no data' for it. OpenGrep
is a hard fork of Semgrep, so fall back to scoring the upstream Semgrep
lineage (pkg:pypi/semgrep) as a project-health proxy.

The proxy is report-only and never build-failing: it does not analyze
OpenGrep's own release artifacts, so a Semgrep alert must not block an
OpenGrep build. The pinned/latest verdicts show the proxy result labeled
'(via semgrep upstream proxy)' when the primary coordinate has no data, and
the JSON report records it under a separate 'proxy' key.

The npm 'opengrep' package is a single-version squat (not the official
distribution) and is deliberately not used as a coordinate.

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>
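The watcher behaviour described in section 4 of the PR summary and in the commit message above (drift between repo pins and upstream latest, a build verdict that fails only on a malware/critical alert from the tool's own coordinate, and a labelled, report-only Semgrep-lineage proxy when the primary coordinate has no data) can be modelled with a small in-memory stand-in for the Socket lookup. The following is an added Python example, not scripts/check_core_tools.py; the tool coordinates, versions and alerts are constructed sample data (the pkg:github / pkg:golang coordinates use an `example` placeholder org, only pkg:pypi/socketdev and pkg:pypi/semgrep come from the page), and how a proxy is versioned is an assumption.

```python
"""Drift detection and build verdicts for a core-tool watch.

Added example, not scripts/check_core_tools.py. It models the behaviour the
PR describes: compare repo pins against upstream latest, score each pinned
coordinate, fail a build only on a malware or critical alert from the tool's
own coordinate, and fall back to a labelled, report-only upstream-lineage
proxy when the primary coordinate has no data. All coordinates, versions and
alerts below are constructed sample data, not real Socket results.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROXY_LABEL = "(via semgrep upstream proxy)"


@dataclass(frozen=True)
class CoreTool:
    name: str
    purl: str                         # primary coordinate, version-less
    pinned: str                       # version pinned in Dockerfile ARG / uv.lock
    proxy_purl: Optional[str] = None  # lineage proxy, scored report-only


# Constructed pins and "latest upstream" versions (placeholder coordinates).
TOOLS = [
    CoreTool("opengrep", "pkg:github/example/opengrep", "1.8.0", "pkg:pypi/semgrep"),
    CoreTool("trufflehog", "pkg:golang/example/trufflehog", "3.88.0"),
    CoreTool("trivy", "pkg:golang/example/trivy", "0.60.0"),
    CoreTool("socketdev", "pkg:pypi/socketdev", "2.0.0"),
]
LATEST = {"opengrep": "1.9.0", "trufflehog": "3.90.0", "trivy": "0.60.0", "socketdev": "2.0.0"}
# Constructed stand-in for the Socket API: "purl@version" -> alerts, or None
# for "no data". The proxy is keyed without a version (assumption: latest of
# the lineage). The critical alert on the proxy is invented purely to show
# that proxy findings never block a build.
SCORES: Dict[str, Optional[List[dict]]] = {
    "pkg:github/example/opengrep@1.8.0": None,
    "pkg:pypi/semgrep": [{"type": "vulnerability", "severity": "critical"}],
    "pkg:golang/example/trufflehog@3.88.0": [],
    "pkg:golang/example/trivy@0.60.0": [],
    "pkg:pypi/socketdev@2.0.0": [{"type": "license", "severity": "low"}],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric tuple for ordering; tolerates a leading 'v'."""
    return tuple(int(p) for p in v.lstrip("v").split("."))


def drift(tools: List[CoreTool], latest: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(name, pinned, latest) for every tool whose upstream moved ahead of the pin."""
    return [(t.name, t.pinned, latest[t.name]) for t in tools
            if t.name in latest and parse_version(latest[t.name]) > parse_version(t.pinned)]


def blocking_alerts(alerts: List[dict]) -> List[dict]:
    """Only malware or critical alerts may fail a build."""
    return [a for a in alerts if a["type"] == "malware" or a["severity"] == "critical"]


def verdict(tool: CoreTool, version: str, scores: Dict[str, Optional[List[dict]]]) -> dict:
    """Score one coordinate; on 'no data' attach the report-only proxy result."""
    key = f"{tool.purl}@{version}"
    alerts = scores.get(key)
    out: dict = {"coordinate": key, "alerts": alerts, "blocking": []}
    if alerts is not None:
        out["blocking"] = blocking_alerts(alerts)
        return out
    out["status"] = "no data"
    if tool.proxy_purl:
        # Proxy findings are recorded under a separate key and never
        # contribute to "blocking": they do not describe this tool's artifacts.
        out["proxy"] = {"coordinate": tool.proxy_purl, "label": PROXY_LABEL,
                        "alerts": scores.get(tool.proxy_purl), "report_only": True}
    return out


def build_decision(tools: List[CoreTool], scores: Dict[str, Optional[List[dict]]]) -> Tuple[bool, List[str]]:
    """Analyze the pinned versions a build would bake in; fail closed on blocking alerts."""
    reasons = []
    for t in tools:
        v = verdict(t, t.pinned, scores)
        if v["blocking"]:
            reasons.append(f"{t.name}@{t.pinned}: {len(v['blocking'])} blocking alert(s)")
    return not reasons, reasons


def demo() -> Tuple[Tuple[bool, List[str]], Tuple[bool, List[str]]]:
    """Clean pins vs. a what-if overlay with a constructed malware alert."""
    clean = build_decision(TOOLS, SCORES)
    what_if = dict(SCORES)
    what_if["pkg:golang/example/trivy@0.60.0"] = [{"type": "malware", "severity": "critical"}]
    return clean, build_decision(TOOLS, what_if)


if __name__ == "__main__":
    print("drift:", drift(TOOLS, LATEST))
    print("build:", demo())
```

Run as-is, the clean table passes the build while still surfacing the proxy's finding under `proxy` for the OpenGrep entry; the what-if overlay shows the build failing on a primary-coordinate alert only.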
@lelia lelia temporarily deployed to socket-firewall June 26, 2026 21:54 — with GitHub Actions Inactive
@lelia lelia deployed to socket-firewall June 26, 2026 21:55 — with GitHub Actions Active