SocketDev · lelia · Jun 2, 2026 · Jun 1, 2026 · Jun 1, 2026 · Jun 1, 2026
@@ -0,0 +1,13 @@
+name: "Set up Hatch build tooling"
+description: >-
+  Install the pinned hatch / hatchling / virtualenv toolchain used to build
+  and publish the package. Assumes Python is already set up by the caller.
+
+runs:
+  using: "composite"
+  steps:
+    - shell: bash
+      run: |
+        python -m pip install --upgrade pip
+        pip install "virtualenv<20.36"
+        pip install hatchling==1.27.0 hatch==1.14.0
@@ -0,0 +1,41 @@
+name: "Set up Socket Firewall"
+description: >-
+  Set up the requested Python/uv toolchain and install Socket Firewall so
+  subsequent steps can run package-manager commands wrapped with `sfw`.
+  Defaults to free/anonymous mode (no API token -- safe on untrusted /
+  Dependabot / fork PRs). Pass mode: firewall-enterprise + socket-token for
+  full org-policy enforcement on trusted maintainer PRs.
+
+inputs:
+  python:
+    description: "Set up Python 3.12"
+    default: "false"
+  uv:
+    description: "Install uv (implies Python)"
+    default: "false"
+  mode:
+    description: "socketdev/action mode: firewall-free or firewall-enterprise"
+    default: "firewall-free"
+  socket-token:
+    description: "Socket API token (only used/required for firewall-enterprise)"
+    default: ""
+
+runs:
+  using: "composite"
+  steps:
+    - if: ${{ inputs.python == 'true' || inputs.uv == 'true' }}
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      with:
+        python-version: "3.12"
+
+    # Official Socket setup action. Wires up sfw routing correctly.
+    # socket-token is ignored in firewall-free mode and empty when absent.
+    - uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2
+      with:
+        mode: ${{ inputs.mode }}
+        socket-token: ${{ inputs.socket-token }}
+
+    - if: ${{ inputs.uv == 'true' }}
+      name: Install uv
+      shell: bash
+      run: python -m pip install --upgrade pip uv
@@ -0,0 +1,63 @@
+# Dependabot configuration for socket-sdk-python.
+#
+# Design notes:
+# - Python deps are grouped into a weekly PR (minor/patch), with a
+#   separate group for majors so breaking bumps stay reviewable.
+# - GitHub Actions are grouped similarly into one weekly PR, and Dependabot
+#   scans both the workflows and the local composite actions.
+# - 7-day cooldown enforced across all ecosystems.
+# - This repo ships no Dockerfile, so there is no docker ecosystem entry.
+
+version: 2
+updates:
+
+  # Python deps (uv-tracked via uv.lock)
+  - package-ecosystem: "uv"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 2
+    groups:
+      python-minor-patch:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+      python-major:
+        patterns:
+          - "*"
+        update-types:
+          - "major"
+    labels:
+      - "dependencies"
+      - "python:uv"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    cooldown:
+      default-days: 7
+
+  # GitHub Actions used in workflows and local composite actions.
+  - package-ecosystem: "github-actions"
+    directories:
+      - "/"
+      - "/.github/actions/*"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 2
+    groups:
+      github-actions-minor-patch:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+    labels:
+      - "dependencies"
+      - "github-actions"
+    commit-message:
+      prefix: "ci"
+      include: "scope"
+    cooldown:
+      default-days: 7