ci: add lock-drift, import-smoke, and pip-audit; skip e2e on dependabot

python-tests.yml:
- `uv lock --locked` -- fails if uv.lock has drifted from pyproject.toml.
  Prevents the "forgot to commit the lockfile" class of mistake.
- Import smoke step that loads every top-level module touching the
  upgraded packages (cryptography, gitpython, requests, urllib3, ...).
  Catches API-removal breaks from minor/patch deprecations that the
  unit suite alone wouldn't surface.
- `uvx pip-audit --strict` against the synced env -- light CVE check
  on the resolved transitive tree. Runs in seconds via uv's caching.

e2e-test.yml:
- Skip e2e on Dependabot PRs. They don't have access to the Socket API
  secret so e2e would always fail on them, polluting the PR check UI.
  Supply-chain risk for dep bumps is covered by dependabot-review.yml's
  Socket Firewall smoke jobs, which need no secrets.

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

Author: lelia

.github/workflows/e2e-test.yml

@@ -11,7 +11,14 @@ permissions:
 
 jobs:
   e2e:
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+    # Skip e2e on:
+    #  - PRs from forks (no secrets)
+    #  - Dependabot PRs (no secrets, and dependency-bump risk is already
+    #    covered by dependabot-review.yml's Socket Firewall smoke jobs)
+    if: >-
+      (github.event_name != 'pull_request' ||
+        github.event.pull_request.head.repo.full_name == github.repository) &&
+      github.event.pull_request.user.login != 'dependabot[bot]'
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false

.github/workflows/python-tests.yml

@@ -48,8 +48,24 @@ jobs:
           python -m pip install --upgrade pip
           pip install uv
           uv sync --extra test
+      - name: 🔒 verify uv.lock is in sync with pyproject.toml
+        run: uv lock --locked
       - name: 🧪 run tests
         run: uv run pytest -q tests/unit/ tests/core/
+      - name: 💨 import smoke (catches API-removal breaks from upgraded deps)
+        run: |
+          uv run python -c "
+          from socketsecurity.socketcli import cli, build_socket_sdk, _emit_infrastructure_error
+          from socketsecurity.core import Core
+          from socketsecurity.core.exceptions import (
+              APIFailure, RequestTimeoutExceeded, APIResourceNotFound,
+          )
+          from socketsecurity.core.git_interface import Git
+          from socketsecurity.config import CliConfig
+          print('import smoke OK')
+          "
+      - name: 🛡️ pip-audit (known CVEs in the synced env)
+        run: uvx pip-audit --strict --disable-pip --progress-spinner off
 
   unsupported-python-install:
     runs-on: ubuntu-latest