Merge origin/v1.x into facts branch; cut 1.1.114

Resolve conflicts:
- package.json / pnpm-lock.yaml: take @coana-tech/cli 15.3.20 from v1.x.
- CHANGELOG.md: fold the facts-by-default changes into a new 1.1.114
  section and keep v1.x's released 1.1.113 (Bazel + Coana 15.3.20) intact,
  dropping the duplicate 1.1.113 our branch had cut locally.
- Bump socket-cli to 1.1.114.

Author: jfblaa

.github/workflows/provenance.yml

@@ -26,11 +26,15 @@ jobs:
     runs-on: ubuntu-latest
 
     permissions:
-      contents: read
+      # `contents: write` needed to create the v<version> tag via gh api
+      # at the end of this job. Token is scoped to the dedicated tag step
+      # via GH_TOKEN env; never persisted in `.git/config` (checkout keeps
+      # persist-credentials: false so build/install steps can't reach it).
+      contents: write
       id-token: write # NPM trusted publishing via OIDC
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 (2026-05-20)
         with:
           persist-credentials: false
 
@@ -201,7 +205,9 @@ jobs:
         run: pnpm install --loglevel error
 
       - run: INLINED_SOCKET_CLI_PUBLISHED_BUILD=1 pnpm run build:dist
-      - run: npm publish --provenance --access public --tag "${NPM_DIST_TAG}"
+      - name: Publish socket
+        id: publish_socket
+        run: npm publish --provenance --access public --tag "${NPM_DIST_TAG}"
         continue-on-error: true
         env:
           NPM_DIST_TAG: ${{ inputs.dist-tag }}
@@ -225,3 +231,63 @@ jobs:
           NPM_DIST_TAG: ${{ inputs.dist-tag }}
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} # zizmor: ignore[secrets-outside-env]
           SOCKET_CLI_DEBUG: ${{ inputs.debug }}
+
+      # Create v<version> git tag at the published commit SHA after a
+      # successful socket-package publish, idempotently. GitHub Release
+      # Immutability ("Disallow assets and tags from being modified once a
+      # release is published") freezes tags once bound to a Release, so:
+      #   - existing tag at same SHA → no-op
+      #   - existing tag at different SHA → hard-fail (operator recovery
+      #     required)
+      # Gated on the first publish step (publish_socket — the `socket` npm
+      # package) actually succeeding; the cli / cli-with-sentry publishes
+      # use `continue-on-error: true` and don't gate the tag.
+      #
+      # Uses gh api (not `git push`) so the token only lives in this step's
+      # env, never written to `.git/config` by an earlier `actions/checkout`
+      # with persist-credentials: true (which would leak it to every later
+      # step including `pnpm install` postinstall scripts).
+      - name: Tag release (idempotent)
+        if: steps.publish_socket.outcome == 'success'
+        env:
+          GH_TOKEN: ${{ github.token }}
+          REPO: ${{ github.repository }}
+        run: |
+          PUBLISHED_SHA=$(git rev-parse HEAD)
+          PUBLISHED_VERSION=$(node -p "require('./package.json').version")
+          TAG="v$PUBLISHED_VERSION"
+
+          # Look up any existing tag ref. gh api exits non-zero on 404 (tag
+          # absent) and writes the error body to stdout, so branch on the
+          # exit code — never on whether stdout is empty. EXISTING_JSON is
+          # only valid JSON when the call succeeded.
+          if EXISTING_JSON=$(gh api "repos/$REPO/git/ref/tags/$TAG" 2>/dev/null); then
+            # The ref's object is either a commit (lightweight tag) or a tag
+            # object (annotated/signed tag, e.g. the hand-created `git tag -s`
+            # tags). For an annotated tag, object.sha is the tag-object SHA,
+            # not the commit — dereference it via git/tags to get the commit
+            # the tag actually points at before comparing.
+            REF_TYPE=$(echo "$EXISTING_JSON" | node -p "JSON.parse(require('fs').readFileSync(0,'utf8')).object.type")
+            REF_OBJECT_SHA=$(echo "$EXISTING_JSON" | node -p "JSON.parse(require('fs').readFileSync(0,'utf8')).object.sha")
+            if [ "$REF_TYPE" = "tag" ]; then
+              EXISTING_SHA=$(gh api "repos/$REPO/git/tags/$REF_OBJECT_SHA" --jq '.object.sha')
+            else
+              EXISTING_SHA="$REF_OBJECT_SHA"
+            fi
+            if [ "$EXISTING_SHA" = "$PUBLISHED_SHA" ]; then
+              echo "Tag $TAG already exists at $PUBLISHED_SHA — no-op."
+              exit 0
+            fi
+            echo "::error::Tag $TAG exists at $EXISTING_SHA but publish SHA is $PUBLISHED_SHA."
+            echo "::error::Release immutability is enabled; this requires manual recovery:"
+            echo "::error::  1. Delete any GitHub Release tied to $TAG"
+            echo "::error::  2. Delete the tag via the API"
+            echo "::error::  3. Re-run this workflow"
+            exit 1
+          fi
+
+          gh api "repos/$REPO/git/refs" \
+            -X POST \
+            -f "ref=refs/tags/$TAG" \
+            -f "sha=$PUBLISHED_SHA"
+          echo "Created tag $TAG at $PUBLISHED_SHA"

CHANGELOG.md

@@ -4,20 +4,22 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
-## [Unreleased]
-- **`socket manifest bazel [beta]`** — Generate Bazel JVM SBOM manifests by running `bazel query` against discovered Maven repos in a Bazel workspace. Closes the inline-Maven-declaration gap that lockfile-only parsing misses for repos like envoy, ray, tensorflow, tink-java, and or-tools. Auto-detects Bzlmod and legacy `WORKSPACE`.
-- **`socket scan create --auto-manifest`** now covers Bazel workspaces in addition to Gradle/Scala/Kotlin/Conda. Repos with `MODULE.bazel`, `WORKSPACE`, or `WORKSPACE.bazel` are detected automatically and their Maven dependencies extracted as part of the standard scan-create flow.
-- **Bazel PyPI extraction** — `socket manifest bazel --ecosystem pypi` now generates `requirements.txt` for Python Bazel workspaces. Discovers custom `rules_python` pip hub names with Bazel command output first, queries `py_library` / `py_binary` / `py_test` dependencies, resolves canonical pinned versions from `requirements_lock.txt`, and emits PEP 503-normalized `name==version` lines. Supports both Bzlmod (`pip.parse`) and legacy `WORKSPACE` (`pip_parse` / `pip_install`) configurations. PyPI remains explicit opt-in for `socket scan create --auto-manifest` until real-world no-lockfile recovery is validated.
+## [1.1.114](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.114) - 2026-06-04
 
 ### Changed
-- **Bazel diagnostics** — `socket manifest bazel --verbose` now emits bounded subprocess traces with argv, cwd, duration, exit status, output sizes, and failure stderr tails to make customer log-only triage safer and faster.
+- `socket manifest gradle`, `kotlin`, and `scala` now generate a Socket facts file (`.socket.facts.json`) by default; pass `--pom` to generate `pom.xml` manifests instead.
+- Replaced `--configs` with `--include-configs` and `--exclude-configs` on `socket manifest gradle/kotlin/scala` for finer control over which build configurations are resolved.
 
 ## [1.1.113](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.113) - 2026-06-03
 
+### Added
+- **`socket manifest bazel [beta]`** — Generate Bazel JVM SBOM manifests by running `bazel query` against discovered Maven repos in a Bazel workspace. Closes the inline-Maven-declaration gap that lockfile-only parsing misses for repos like envoy, ray, tensorflow, tink-java, and or-tools. Auto-detects Bzlmod and legacy `WORKSPACE`.
+- **`socket scan create --auto-manifest`** now covers Bazel workspaces in addition to Gradle/Scala/Kotlin/Conda. Repos with `MODULE.bazel`, `WORKSPACE`, or `WORKSPACE.bazel` are detected automatically and their Maven dependencies extracted as part of the standard scan-create flow.
+- **Bazel PyPI extraction** — `socket manifest bazel --ecosystem pypi` now generates `requirements.txt` for Python Bazel workspaces. Discovers custom `rules_python` pip hub names with Bazel command output first, queries `py_library` / `py_binary` / `py_test` dependencies, resolves canonical pinned versions from `requirements_lock.txt`, and emits PEP 503-normalized `name==version` lines. Supports both Bzlmod (`pip.parse`) and legacy `WORKSPACE` (`pip_parse` / `pip_install`) configurations. PyPI remains explicit opt-in for `socket scan create --auto-manifest` until real-world no-lockfile recovery is validated.
+
 ### Changed
-- `socket manifest gradle`, `kotlin`, and `scala` now generate a Socket facts file (`.socket.facts.json`) by default; pass `--pom` to generate `pom.xml` manifests instead.
-- Replaced `--configs` with `--include-configs` and `--exclude-configs` on `socket manifest gradle/kotlin/scala` for finer control over which build configurations are resolved.
-- Updated the Coana CLI to v `15.3.19`.
+- **Bazel diagnostics** — `socket manifest bazel --verbose` now emits bounded subprocess traces with argv, cwd, duration, exit status, output sizes, and failure stderr tails to make customer log-only triage safer and faster.
+- Updated the Coana CLI to v `15.3.20`.
 
 ## [1.1.112](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.112) - 2026-05-29
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "socket",
-  "version": "1.1.113",
+  "version": "1.1.114",
   "description": "CLI for Socket.dev",
   "homepage": "https://github.com/SocketDev/socket-cli",
   "license": "MIT AND OFL-1.1",
@@ -96,7 +96,7 @@
     "@babel/preset-typescript": "7.27.1",
     "@babel/runtime": "7.28.4",
     "@biomejs/biome": "2.2.4",
-    "@coana-tech/cli": "15.3.19",
+    "@coana-tech/cli": "15.3.20",
     "@cyclonedx/cdxgen": "12.1.2",
     "@dotenvx/dotenvx": "1.49.0",
     "@eslint/compat": "1.3.2",

pnpm-lock.yaml

@@ -10,7 +10,7 @@
     },
     "fix": {
       "quota": 101,
-      "permissions": ["full-scans:create", "packages:list"]
+      "permissions": ["full-scans:create", "packages:list", "fixes:list"]
     },
     "login": {
       "quota": 1,

requirements.json

@@ -160,7 +160,7 @@ describe('socket fix', async () => {
 
           API Token Requirements
             - Quota: 101 units
-            - Permissions: full-scans:create and packages:list
+            - Permissions: fixes:list, full-scans:create, and packages:list
 
           Options
             --all               Process all discovered vulnerabilities in local mode. Cannot be used with --id.