From 3ba9b19ed409c26c3c34a22a4b9a017f56ba9a0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oskar=20Sch=C3=B6ldstr=C3=B6m?=
Date: Wed, 13 May 2026 20:13:22 -0300
Subject: [PATCH 1/2] Add Socket Firewall (free) to shared setup + test workflow

Installs the `sfw` binary in the setup composite and uses it to pre-install npm packages in the shared test workflow. Free edition; no token required. Blocks known-malicious npm packages at install time rather than only flagging them after the fact. `sfw npm ci` runs before `composer install:development`, so the subsequent `npm install` invoked by the project's composer build script becomes a no-op against the populated node_modules. Residual gap: any net-new package added by that composer-driven npm install would bypass sfw. Per-project composer scripts can close it by switching to `sfw npm install`.
---
 .github/workflows/test.yml | 10 ++++++++++
 setup/action.yml | 8 ++++++++
 2 files changed, 18 insertions(+)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 8f68bae..94b9a6e 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -44,6 +44,16 @@ jobs:
 packagist_github_token: ${{ secrets.PACKAGIST_GITHUB_TOKEN }}
 yoast_license_token: ${{ secrets.YOAST_LICENSE_TOKEN }}
+ - name: Install npm packages through Socket Firewall
+ # Pre-install via `sfw` so Socket can block known-malicious packages
+ # before they hit disk. The subsequent `npm install` invoked by the
+ # composer build script becomes a no-op against this populated cache,
+ # except for any net-new packages it pulls — those are the residual
+ # gap. Per-project composer scripts can close the gap by switching
+ # their own `npm install` to `sfw npm install`.
+ if: hashFiles('package-lock.json') != ''
+ run: sfw npm ci --ignore-scripts
+
 - name: Install development packages
 run: composer install:development
diff --git a/setup/action.yml b/setup/action.yml
index 0ec6b0d..e6a3279 100644
--- a/setup/action.yml
+++ b/setup/action.yml
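Review bot: The `if: hashFiles('package-lock.json') != ''` guard only looks at the repository root, while the setup composite's cache key uses `cache-dependency-path: '**/package-lock.json'`, so a project whose lockfiles live only in subdirectories skips the guarded `sfw npm ci` entirely and installs everything through the unguarded composer-driven `npm install`. That is worth stating on the step, e.g. `# Root lockfile only: nested package-lock.json files (which the setup cache glob does match) still install unguarded via the composer script.`; widening the guard to `**/package-lock.json` would not help by itself because `npm ci` here runs only in the root. Separately, `--ignore-scripts` skips dependency lifecycle scripts in the guarded install, and if the later `npm install` really is the no-op the message describes, those scripts are presumably never run in this job — a welcome hardening, but confirm nothing in the build relies on them (or add a deliberate `npm rebuild`). The `jobs:` mapping this step lives in starts outside the hunk.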
@@ -21,6 +21,14 @@ runs:
 cache: 'npm'
 cache-dependency-path: '**/package-lock.json'
+ - name: Install Socket Firewall
+ # Free edition — no token required. Installs the `sfw` binary on PATH;
+ # call sites then prefix package-manager commands with it
+ # (e.g. `sfw npm ci`) to block known-malicious packages at install time.
+ uses: SocketDev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2
+ with:
+ mode: firewall-free
+
 - name: Authenticate with Fontawesome NPM repository
 shell: bash
 env:
From 85941f15034f9c08a553934b14efa8a8db3651eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oskar=20Sch=C3=B6ldstr=C3=B6m?=
Date: Thu, 14 May 2026 00:05:17 -0300
Subject: [PATCH 2/2] Move SocketDev/action to workflow level
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PATH additions made by Node actions inside composite actions don't reliably propagate to subsequent workflow steps — the first CI run on this branch failed with 'sfw: command not found' after the binary was installed inside the setup composite. Install at the workflow level instead so sfw is available in the next step.
---
 .github/workflows/test.yml | 9 +++++++++
 setup/action.yml | 8 --------
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 94b9a6e..f02585e 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -44,6 +44,15 @@ jobs:
 packagist_github_token: ${{ secrets.PACKAGIST_GITHUB_TOKEN }}
 yoast_license_token: ${{ secrets.YOAST_LICENSE_TOKEN }}
+ - name: Install Socket Firewall
+ # Free edition — no token required. Installs `sfw` on PATH for this job.
+ # Placed here rather than in the setup composite because PATH additions
+ # made by Node actions inside composite actions do not reliably
+ # propagate to subsequent workflow-level steps.
+ uses: SocketDev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2
+ with:
+ mode: firewall-free
+
 - name: Install npm packages through Socket Firewall
 # Pre-install via `sfw` so Socket can block known-malicious packages
 # before they hit disk. The subsequent `npm install` invoked by the
diff --git a/setup/action.yml b/setup/action.yml
index e6a3279..0ec6b0d 100644
--- a/setup/action.yml
+++ b/setup/action.yml
@@ -21,14 +21,6 @@ runs:
 cache: 'npm'
 cache-dependency-path: '**/package-lock.json'
- - name: Install Socket Firewall
- # Free edition — no token required. Installs the `sfw` binary on PATH;
- # call sites then prefix package-manager commands with it
- # (e.g. `sfw npm ci`) to block known-malicious packages at install time.
- uses: SocketDev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2
- with:
- mode: firewall-free
-
 - name: Authenticate with Fontawesome NPM repository
 shell: bash
 env:
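Review bot: The new `Install Socket Firewall` step runs unconditionally, while the `sfw npm ci` step that consumes it stays guarded by `if: hashFiles('package-lock.json') != ''`, so projects using this shared workflow without a root lockfile still fetch and execute a third-party action they never use. Adding the same guard, `if: hashFiles('package-lock.json') != ''`, to the `uses: SocketDev/action@…` step keeps the two in lockstep and avoids a needless action execution on those runs. The comment's statement that PATH additions from composite actions do not propagate appears to rest on the single failed run the commit message describes; recording it as an observation (`# observed in CI: sfw was not on PATH when installed from the setup composite`) keeps the comment accurate if the underlying cause turns out to differ. The `jobs:` mapping this step lives in starts outside the hunk.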