SocketDev
diff --git a/‎README.md‎
Lines changed: 117 additions & 28 deletions b/‎README.md‎
Lines changed: 117 additions & 28 deletions
diff --git a/‎action.yml‎
Lines changed: 28 additions & 21 deletions b/‎action.yml‎
Lines changed: 28 additions & 21 deletions
diff --git a/‎dist/main.js‎
Lines changed: 3 additions & 3 deletions b/‎dist/main.js‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎src/main.js‎
Lines changed: 8 additions & 7 deletions b/‎src/main.js‎
Lines changed: 8 additions & 7 deletions
@@ -21,6 +21,8 @@ Socket is a security control, so the action that installs it should be pinned, t
 
 Downloads and installs [Socket Firewall: Free](https://github.com/SocketDev/sfw-free) edition in your GitHub Action job, making it available to use in subsequent steps.
 
+By default the action creates shims for all supported package managers. This means you do **not** need to prefix your commands with `sfw` — just run your package manager like normal and it will be automatically routed through Socket Firewall.
+
 #### Most secure: pin to a commit SHA
 
 ```yaml
@@ -37,14 +39,17 @@ jobs:
         with:
           mode: firewall-free
 
+      # these commands are automatically intercepted by sfw
+      # no need to prefix with "sfw" anymore!
+
       # javascript / typescript
-      - run: sfw npm install # or yarn, pnpm
+      - run: npm install # or pnpm, yarn
 
       # rust
-      - run: sfw cargo fetch
+      - run: cargo fetch
 
       # python
-      - run: sfw pip install -r requirements.txt
+      - run: pip install -r requirements.txt
 ```
 
 #### Slightly less secure: pin to an immutable version tag
@@ -64,13 +69,27 @@ jobs:
           mode: firewall-free
 
       # javascript / typescript
-      - run: sfw npm install # or yarn, pnpm
+      - run: npm install # or pnpm, yarn
 
       # rust
-      - run: sfw cargo fetch
+      - run: cargo fetch
 
       # python
-      - run: sfw pip install -r requirements.txt
+      - run: pip install -r requirements.txt
+```
+
+#### Disable shims (explicit sfw prefix)
+
+If you prefer to keep using the `sfw` prefix explicitly, you can turn off automatic shims:
+
+```yaml
+- uses: SocketDev/action@v1.3.1
+  with:
+    mode: firewall-free
+    shims: 'false'
+
+# now you need to explicitly prefix commands with sfw
+- run: sfw npm install
 ```
 
 #### Dependabot config
@@ -92,23 +111,26 @@ Add a cooldown period if you want an extra buffer before newly published action
 
 #### Inputs
 
-| Input              | Description                                                      | Required | Default              |
-| ------------------ | ---------------------------------------------------------------- | -------- | -------------------- |
-| `firewall-version` | Specify the firewall version number                              | No       | `latest`             |
-| `job-summary`      | Create a [job summary][job-summary] (`all`, `errors`, or `none`) | No       | `all`                |
-| `use-cache`        | Cache the Socket binaries (force download if `false`)            | No       | `true`               |
-| `github-token`     | GitHub API Token used for downloading binaries                   | No       | `${{ github.token}}` |
+| Input                 | Description                                                      | Required | Default              |
+| --------------------- | ---------------------------------------------------------------- | -------- | -------------------- |
+| `firewall-version`    | Specify the firewall version number                              | No       | `latest`             |
+| `github-token`        | GitHub API Token used for downloading binaries                   | No       | `${{ github.token}}` |
+| `job-summary`         | Create a [job summary][job-summary] (`all`, `errors`, or `none`) | No       | `all`                |
+| `shims`               | Create shims so package managers are routed through sfw          | No       | `true`               |
+| `use-cache`           | Cache the Socket binaries (force download if `false`)            | No       | `true`               |
 
 #### Outputs
 
 | Output                 | Description                                |
 | ---------------------- | ------------------------------------------ |
-| `firewall-path-report` | Path to the generated firewall report JSON |
 | `firewall-path-binary` | Path to the installed binary               |
+| `firewall-path-report` | Path to the generated firewall report JSON |
 
 ### Socket Firewall: Enterprise
 
-Downloads and installs [Socket Firewall: Enterprise](https://github.com/SocketDev/firewall-release) edition in your GitHub Action job, making it available to use in subsequent steps as a wrapper.
+Downloads and installs [Socket Firewall: Enterprise](https://github.com/SocketDev/firewall-release) edition in your GitHub Action job, making it available to use in subsequent steps.
+
+Like the free edition, the action creates shims by default so you can use your package manager commands normally without the `sfw` prefix.
 
 #### Most secure: pin to a commit SHA
 
@@ -127,14 +149,17 @@ jobs:
           mode: firewall-enterprise
           socket-token: ${{ secrets.SOCKET_API_KEY }}
 
+      # these commands are automatically intercepted by sfw
+      # no need to prefix with "sfw" anymore!
+
       # javascript / typescript
-      - run: sfw npm install # or yarn, pnpm
+      - run: npm install # or pnpm, yarn
 
       # rust
-      - run: sfw cargo fetch
+      - run: cargo fetch
 
       # python
-      - run: sfw pip install -r requirements.txt
+      - run: pip install -r requirements.txt
 ```
 
 #### Slightly less secure: pin to an immutable version tag
@@ -155,13 +180,13 @@ jobs:
           socket-token: ${{ secrets.SOCKET_API_KEY }}
 
       # javascript / typescript
-      - run: sfw npm install # or yarn, pnpm
+      - run: npm install # or pnpm, yarn
 
       # rust
-      - run: sfw cargo fetch
+      - run: cargo fetch
 
       # python
-      - run: sfw pip install -r requirements.txt
+      - run: pip install -r requirements.txt
 ```
 
 #### Dependabot config
@@ -183,19 +208,83 @@ Add a cooldown period if you want an extra buffer before newly published action
 
 #### Inputs
 
-| Input              | Description                                                      | Required | Default              |
-| ------------------ | ---------------------------------------------------------------- | -------- | -------------------- |
-| `firewall-version` | Specify the firewall version number                              | No       | `latest`             |
-| `job-summary`      | Create a [job summary][job-summary] (`all`, `errors`, or `none`) | No       | `all`                |
-| `use-cache`        | Cache the Socket binaries (force download if `false`)            | No       | `true`               |
-| `github-token`     | GitHub API Token used for downloading binaries                   | No       | `${{ github.token}}` |
-| `socket-token`     | Socket API Token                                                 | **YES**  | `-`                  |
+| Input                 | Description                                                      | Required | Default              |
+| --------------------- | ---------------------------------------------------------------- | -------- | -------------------- |
+| `firewall-version`    | Specify the firewall version number                              | No       | `latest`             |
+| `github-token`        | GitHub API Token used for downloading binaries                   | No       | `${{ github.token}}` |
+| `job-summary`         | Create a [job summary][job-summary] (`all`, `errors`, or `none`) | No       | `all`                |
+| `shims`               | Create shims so package managers are routed through sfw          | No       | `true`               |
+| `socket-token`        | Socket API Token                                                 | **YES**  | `-`                  |
+| `use-cache`           | Cache the Socket binaries (force download if `false`)            | No       | `true`               |
 
 #### Outputs
 
 | Output                 | Description                                |
 | ---------------------- | ------------------------------------------ |
-| `firewall-path-report` | Path to the generated firewall report JSON |
 | `firewall-path-binary` | Path to the installed binary               |
+| `firewall-path-report` | Path to the generated firewall report JSON |
+
+### Supported Ecosystems
+
+When `shims` is `true` (the default), the action creates shims so package manager commands are automatically routed through sfw. The supported ecosystems depend on the edition.
+
+#### Free + Enterprise
+
+Available in both [sfw-free][sfw-free-ecosystems] and [sfw-enterprise][sfw-enterprise-ecosystems]:
+
+| Ecosystem           | Package Manager |
+| ------------------- | --------------- |
+| JavaScript/Node     | `npm`           |
+| JavaScript/Node     | `pnpm`          |
+| JavaScript/Node     | `yarn`          |
+| Python              | `pip`           |
+| Python              | `pip3`          |
+| Python              | `uv`            |
+| Rust                | `cargo`         |
+
+#### Enterprise only
+
+Additional ecosystems available with [sfw-enterprise][sfw-enterprise-ecosystems]:
+
+| Ecosystem           | Package Manager | Note         |
+| ------------------- | --------------- | ------------ |
+| .NET                | `nuget`         |              |
+| Go                  | `go`            | Linux only   |
+| Ruby                | `bundler`       |              |
+| Ruby                | `gem`           |              |
+
+[sfw-free-ecosystems]: https://github.com/SocketDev/sfw-free?tab=readme-ov-file#supported-package-managers
+[sfw-enterprise-ecosystems]: https://github.com/SocketDev/firewall-release/wiki#support-matrix
+
+### Bypassing shims for publishing
+
+When shims are enabled the action exports `SFW_SHIM_DIR` as an environment variable pointing to the shim directory. If you need to bypass sfw for a specific step (e.g. `npm publish`), you can temporarily disable the shims by renaming them and restore them afterwards:
+
+```yaml
+# disable shims before publishing
+- name: Disable sfw shims
+  run: |
+    if [ -n "$SFW_SHIM_DIR" ] && [ -d "$SFW_SHIM_DIR" ]; then
+      for SHIM in "$SFW_SHIM_DIR"/*; do
+        [ -f "$SHIM" ] && mv "$SHIM" "${SHIM}.disabled"
+      done
+    fi
+
+- run: npm publish
+
+# re-enable shims after publishing
+- name: Restore sfw shims
+  if: always()
+  run: |
+    if [ -n "$SFW_SHIM_DIR" ] && [ -d "$SFW_SHIM_DIR" ]; then
+      for SHIM in "$SFW_SHIM_DIR"/*.disabled; do
+        [ -f "$SHIM" ] && mv "$SHIM" "${SHIM%.disabled}"
+      done
+    fi
+```
+
+### Checksum Validation
+
+The action validates the SHA256 checksum of the downloaded firewall binary against the checksum file published alongside each release. This ensures the binary was not tampered with during download.
 
 [job-summary]: https://github.blog/news-insights/product-news/supercharging-github-actions-with-job-summaries
@@ -9,46 +9,53 @@ branding:
   color: purple
 
 inputs:
-  mode:
-    description: Operation mode firewall, patch, or cli
-    required: true
+  firewall-version:
+    description: Specify the firewall version number
+    default: latest
 
   github-token:
     description: GitHub API Token used for downloading binaries
     required: true
     default: ${{ github.server_url == 'https://github.com' && github.token || '' }}
 
-  socket-token:
-    description: The Socket API Token
-
-  use-cache:
-    description: Cache the Socket binaries
-    default: 'true'
-
   job-summary:
     description: Create a job summary
     default: all
 
-  firewall-version:
-    description: Specify the firewall version number
-    default: latest
-
-  patch-version:
-    description: Specify the socket-patch version number
-    default: latest
+  mode:
+    description: Operation mode firewall, patch, or cli
+    required: true
 
-  patch-ecosystems:
-    description: Comma-separated list of ecosystems to patch (npm, pypi, cargo)
+  patch-cwd:
+    description: Working directory for socket-patch apply
     default: ''
 
   patch-dry-run:
     description: Verify patches without modifying files
     default: 'false'
 
-  patch-cwd:
-    description: Working directory for socket-patch apply
+  patch-ecosystems:
+    description: Comma-separated list of ecosystems to patch (npm, pypi, cargo)
     default: ''
 
+  patch-version:
+    description: Specify the socket-patch version number
+    default: latest
+
+  shims:
+    description: Create shims so package manager commands are automatically routed through sfw
+    default: 'true'
+
+  socket-token:
+    description: The Socket API Token
+
+  socket_api_key:
+    description: Socket API key mapped to the SOCKET_API_KEY environment variable
+
+  use-cache:
+    description: Cache the Socket binaries
+    default: 'true'
+
 outputs:
   firewall-path-report:
     description: Path to the generated firewall report JSON
 
@@ -18,24 +18,25 @@ process.on('unhandledRejection', errorHandler)
 process.on('uncaughtException', errorHandler)
 
 const inputs = {
+  jobSummary: core.getInput('job-summary', { required: false }).toLowerCase(),
   mode: core.getInput('mode', { required: true }).toLowerCase(),
+  patchCwd: core.getInput('patch-cwd'),
+  patchDryRun: core.getBooleanInput('patch-dry-run'),
+  patchEcosystems: core.getInput('patch-ecosystems'),
+  shims: core.getBooleanInput('shims'),
   tokenGithub: core.getInput('github-token', { required: true }),
   tokenSocket: core.getInput('socket-token'),
-  versionFirewall: core.getInput('firewall-version'),
-  versionPatch: core.getInput('patch-version'),
-  patchEcosystems: core.getInput('patch-ecosystems'),
-  patchDryRun: core.getBooleanInput('patch-dry-run'),
-  patchCwd: core.getInput('patch-cwd'),
   useCache: core.getBooleanInput('use-cache'),
-  jobSummary: core.getInput('job-summary', { required: false }).toLowerCase()
+  versionFirewall: core.getInput('firewall-version'),
+  versionPatch: core.getInput('patch-version')
 }
 
 // backward compatibility
 if (inputs.jobSummary === 'true') inputs.jobSummary = 'all'
 if (inputs.jobSummary === 'false') inputs.jobSummary = 'none'
 
 if (inputs.tokenSocket) {
-  // setup socket token as a secret env
+  // setup socket token as a secret env so sfw can use it
   core.exportVariable('SOCKET_API_KEY', inputs.tokenSocket)
   core.exportVariable('SOCKET_API_TOKEN', inputs.tokenSocket)
   core.setSecret(inputs.tokenSocket)