add socket tier 1 reachability analysis #5333
Pull request overview
Adds a new GitHub Actions workflow to run Socket (Coana) full-application reachability scanning for Stellar Core’s Tier 1 dependency reachability (Cargo + PyPI), on a weekly schedule and via manual dispatch.
Changes:
- Introduces `.github/workflows/socket-scan.yml` to run `socket scan create --reach` with an explicit `--reach-ecosystems=cargo,pypi` configuration.
- Sets up Rust, Python, and Node toolchains needed for analysis, and emits a workflow warning when Tier 2 reachability fallbacks are detected.
- Documents expected job “green/yellow/red” meanings and known baseline Tier 2 fallback behavior.
| - name: Enable Corepack (yarn/pnpm per repo packageManager) | ||
| run: corepack enable | ||
|
|
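Review bot: the `Enable Corepack (yarn/pnpm per repo packageManager)` step has no visible consumer in this job: the scan is restricted to `--reach-ecosystems=cargo,pypi` and none of the shown steps invoke yarn or pnpm, so `corepack enable` only adds an extra toolchain activation to the runner. Drop the step, or add a comment naming the step that actually depends on it.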
Seems relevant. core doesn't have package.json.
| set +e | ||
| socket scan create --reach \ | ||
| --org=stellar \ | ||
| --no-interactive \ | ||
| --reach-continue-on-no-source-files \ | ||
| --reach-continue-on-analysis-errors \ | ||
| --reach-continue-on-install-errors \ | ||
| --reach-continue-on-missing-lock-files \ | ||
| --reach-ecosystems=cargo,pypi \ | ||
| . 2>&1 | tee /tmp/scan.log | ||
| rc=${PIPESTATUS[0]} | ||
| if [ $rc -eq 0 ] && grep -qE "Reachability falls back to Tier 2|fallback to the results from the pre-computed|Reachability falls back to precomputed" /tmp/scan.log; then |
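Review bot: the Tier 2 detection on the `if` line keys on three exact CLI output phrases (`Reachability falls back to Tier 2`, `fallback to the results from the pre-computed`, `Reachability falls back to precomputed`); that wording is not a stable interface, so a future CLI release that rewords its output silently disables the warning while the job stays green. Pin the Socket CLI to the version this pattern was written against and add a positive check, for example failing the step when the log contains neither a Tier 1 nor a Tier 2 marker, so output-format drift surfaces as a red run instead of a false green. Capturing `rc=${PIPESTATUS[0]}` after the `tee` pipeline is the right way to get the scanner's own exit status under `set +e`; consider restoring `set -e` once the classification block ends.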
| # Force JS-based GitHub actions (actions/checkout, actions/setup-*, etc.) to | ||
| # use Node 24 instead of the soon-to-be-deprecated Node 20. Safe to remove | ||
| # after 2026-06-16 (when Node 24 becomes the default and this becomes a no-op). | ||
| FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true |
Seems about right since we are past the June 16th date.
| - name: Install Socket CLI | ||
| run: npm install -g socket |
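Review bot: `npm install -g socket` with no version resolves to whatever the registry tags as `latest` at each weekly run, so the scanner itself is an unpinned supply-chain input, and its output wording (which the fallback grep in the scan step depends on) can change between runs without any change to this repository. Pin an exact version, e.g. `npm install -g socket@<pinned-version>` with the placeholder replaced by the version the workflow was validated against, and bump it deliberately alongside the grep pattern.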
This is a possibility so pinning makes sense.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 693c4b88ae
| socket-scan: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 |
Fetch submodules before scanning Rust
In scheduled runs, actions/checkout does not fetch submodules unless submodules is set; this repo's production Rust build uses the Soroban gitlinks under src/rust/soroban/p21–p27 (see src/Makefile.am), so a default checkout leaves those Cargo.toml/Cargo.lock files absent. Then socket scan create --reach . can only discover the top-level Rust manifests and the scan will miss the Soroban host crates that are actually linked into stellar-core, yielding false-negative reachability results.
Since we would have the socket scan enabled in the rs-soroban-env repo, it's probably fine if this scan skips the Soroban host scan. Also, with the multi-host architecture, it's not worth scanning older protocol version hosts.
anupsdf left a comment
Thanks for adding this socket scan! Looks like this only adds reachability scanning for the Rust and Python dependency surfaces in stellar-core. Are there any options to add C++ reachability coverage since most of the code in stellar-core repo is in C++?
More info: https://stellarorg.atlassian.net/wiki/spaces/SCRT/pages/5689311233/Socket+Tier+1+Reachability+Analysis