
add socket tier 1 reachability analysis#5333

Open
kanwalpreetd wants to merge 1 commit into
stellar:masterfrom
kanwalpreetd:master

Conversation

@kanwalpreetd


Copilot AI review requested due to automatic review settings June 29, 2026 18:59

Copilot AI left a comment


Pull request overview

Adds a new GitHub Actions workflow to run Socket (Coana) full-application reachability scanning for Stellar Core’s Tier 1 dependency reachability (Cargo + PyPI), on a weekly schedule and via manual dispatch.

Changes:

  • Introduces .github/workflows/socket-scan.yml to run socket scan create --reach with an explicit --reach-ecosystems=cargo,pypi configuration.
  • Sets up Rust, Python, and Node toolchains needed for analysis, and emits a workflow warning when Tier 2 reachability fallbacks are detected.
  • Documents expected job “green/yellow/red” meanings and known baseline Tier 2 fallback behavior.

Comment on lines +72 to +74
- name: Enable Corepack (yarn/pnpm per repo packageManager)
run: corepack enable


Seems relevant. core doesn't have a package.json.

Comment on lines +88 to +99
set +e
socket scan create --reach \
--org=stellar \
--no-interactive \
--reach-continue-on-no-source-files \
--reach-continue-on-analysis-errors \
--reach-continue-on-install-errors \
--reach-continue-on-missing-lock-files \
--reach-ecosystems=cargo,pypi \
. 2>&1 | tee /tmp/scan.log
rc=${PIPESTATUS[0]}
if [ $rc -eq 0 ] && grep -qE "Reachability falls back to Tier 2|fallback to the results from the pre-computed|Reachability falls back to precomputed" /tmp/scan.log; then
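Review bot: the fallback check on the last line of this region only runs when `rc` is 0, so a scan that exits non-zero never reports whether it also fell back to Tier 2, and since the four `--reach-continue-on-*` flags suppress most failure causes, the grep on three literal phrases ("Reachability falls back to Tier 2", "fallback to the results from the pre-computed", "Reachability falls back to precomputed") is the only signal of degraded coverage; if the Socket CLI rewords any of them the warning silently stops firing. Suggest quoting `"$rc"`, grepping the log for fallback text regardless of exit status, adding a comment naming the CLI version the patterns were taken from so they can be re-checked when the CLI is bumped, and setting `shell: bash` explicitly on the step since `${PIPESTATUS[0]}` and `set +e` depend on bash rather than sh.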
Comment on lines +52 to +55
# Force JS-based GitHub actions (actions/checkout, actions/setup-*, etc.) to
# use Node 24 instead of the soon-to-be-deprecated Node 20. Safe to remove
# after 2026-06-16 (when Node 24 becomes the default and this becomes a no-op).
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
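Review bot: the comment in this block says `FORCE_JAVASCRIPT_ACTIONS_TO_NODE24` is safe to remove after 2026-06-16, and this review is dated June 29, 2026, so by its own description the variable is already a no-op at merge time; either drop these four lines rather than ship an env entry documented as obsolete, or rewrite the comment to say why it is being kept (for example as a guard until every pinned action is confirmed to default to Node 24).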


Seems about right since we are past the June 16th date.

Comment on lines +75 to +76
- name: Install Socket CLI
run: npm install -g socket
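Review bot: `npm install -g socket` with no version installs whatever the npm registry serves at run time, while the checkout action elsewhere in this workflow is pinned to a commit SHA; the CLI is then run with `--org=stellar` and its output decides the job colour, so an unexpected major release or a compromised package version would execute unreviewed in CI. Pin an exact version, e.g. `npm install -g socket@<tested-version>` with the version actually validated substituted, and bump it deliberately like the other pinned actions.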


This is a possibility so pinning makes sense.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 693c4b88ae

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

socket-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
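Review bot: pinning actions/checkout to a full commit SHA with the version in a trailing comment is the right pattern; for a scan-only job that never pushes, also set `persist-credentials: false` on this step so the GITHUB_TOKEN is not left in `.git/config` for the later steps (the Socket CLI and the corepack/npm installs) to read.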


P1: Fetch submodules before scanning Rust

In scheduled runs, actions/checkout does not fetch submodules unless submodules is set; this repo's production Rust build uses the Soroban gitlinks under src/rust/soroban/p21p27 (see src/Makefile.am), so a default checkout leaves those Cargo.toml/Cargo.lock files absent. Then socket scan create --reach . can only discover the top-level Rust manifests and the scan will miss the Soroban host crates that are actually linked into stellar-core, yielding false-negative reachability results.



Since we would have socket scan enabled in the rs-soroban-env repo, it's probably fine if this scan skips the Soroban host scan. Also, with the multi-host architecture, it's not worth scanning older protocol version hosts.

@anupsdf anupsdf left a comment


Thanks for adding this socket scan! Looks like this only adds reachability scanning for the Rust and Python dependency surfaces in stellar-core. Are there any options to add C++ reachability coverage since most of the code in stellar-core repo is in C++?
