From 04f48045a26ebf0bd5470956208a33f22597f006 Mon Sep 17 00:00:00 2001
From: Test User <john.david.dalton@gmail.com>
Date: Thu, 9 Apr 2026 13:46:39 -0400
Subject: [PATCH 1/2] chore(ci): bump socket-registry SHA to ed311907

---
 .github/workflows/ci.yml            | 4 ++--
 .github/workflows/provenance.yml    | 2 +-
 .github/workflows/weekly-update.yml | 8 ++++----
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 50afffe..e8f83f1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -27,7 +27,7 @@ permissions:
 jobs:
   ci:
     name: Run CI Pipeline
-    uses: SocketDev/socket-registry/.github/workflows/ci.yml@4edf2e3c3beff7d536e79ce43dfb61abba7cb537 # main
+    uses: SocketDev/socket-registry/.github/workflows/ci.yml@ed3119078118d558f095e9adf8800263166d65f9 # main
     with:
       test-setup-script: 'pnpm run build'
       lint-script: 'pnpm run lint --all'
@@ -46,7 +46,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@4edf2e3c3beff7d536e79ce43dfb61abba7cb537 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@ed3119078118d558f095e9adf8800263166d65f9 # main
 
       - name: Build project
         run: pnpm run build
diff --git a/.github/workflows/provenance.yml b/.github/workflows/provenance.yml
index 31e3015..5e64030 100644
--- a/.github/workflows/provenance.yml
+++ b/.github/workflows/provenance.yml
@@ -21,7 +21,7 @@ permissions:
 
 jobs:
   publish:
-    uses: SocketDev/socket-registry/.github/workflows/provenance.yml@4edf2e3c3beff7d536e79ce43dfb61abba7cb537 # main
+    uses: SocketDev/socket-registry/.github/workflows/provenance.yml@ed3119078118d558f095e9adf8800263166d65f9 # main
     with:
       debug: ${{ inputs.debug }}
       package-name: '@socketsecurity/lib'
diff --git a/.github/workflows/weekly-update.yml b/.github/workflows/weekly-update.yml
index cb563ba..ef8027b 100644
--- a/.github/workflows/weekly-update.yml
+++ b/.github/workflows/weekly-update.yml
@@ -24,7 +24,7 @@ jobs:
     outputs:
       has-updates: ${{ steps.check.outputs.has-updates }}
     steps:
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@4edf2e3c3beff7d536e79ce43dfb61abba7cb537 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@ed3119078118d558f095e9adf8800263166d65f9 # main
 
       - name: Check for npm updates
         id: check
@@ -48,7 +48,7 @@ jobs:
       contents: write
       pull-requests: write
     steps:
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@4edf2e3c3beff7d536e79ce43dfb61abba7cb537 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@ed3119078118d558f095e9adf8800263166d65f9 # main
 
       - name: Create update branch
         id: branch
@@ -60,7 +60,7 @@ jobs:
           git checkout -b "$BRANCH_NAME"
           echo "branch=$BRANCH_NAME" >> $GITHUB_OUTPUT
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-git-signing@4edf2e3c3beff7d536e79ce43dfb61abba7cb537 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-git-signing@ed3119078118d558f095e9adf8800263166d65f9 # main
         with:
           gpg-private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
 
@@ -295,7 +295,7 @@ jobs:
             test-output.log
           retention-days: 7
 
-      - uses: SocketDev/socket-registry/.github/actions/cleanup-git-signing@4edf2e3c3beff7d536e79ce43dfb61abba7cb537 # main
+      - uses: SocketDev/socket-registry/.github/actions/cleanup-git-signing@ed3119078118d558f095e9adf8800263166d65f9 # main
         if: always()
 
   notify:

From f43c7a493dd0f493ac07a306c7fa7a733002b6e1 Mon Sep 17 00:00:00 2001
From: Test User <john.david.dalton@gmail.com>
Date: Thu, 9 Apr 2026 13:50:20 -0400
Subject: [PATCH 2/2] feat(ci): pipe publish-without-sfw and SOCKET_API_KEY to
 provenance workflow

---
 .github/workflows/provenance.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/provenance.yml b/.github/workflows/provenance.yml
index 5e64030..fc63d42 100644
--- a/.github/workflows/provenance.yml
+++ b/.github/workflows/provenance.yml
@@ -14,6 +14,11 @@ on:
         options:
           - '0'
           - '1'
+      publish-without-sfw:
+        description: 'Publish directly to npm, bypassing Socket firewall shims'
+        required: false
+        default: false
+        type: boolean
 
 permissions:
   contents: write   # Push git tags and create GitHub releases
@@ -25,5 +30,8 @@ jobs:
     with:
       debug: ${{ inputs.debug }}
       package-name: '@socketsecurity/lib'
+      publish-without-sfw: ${{ inputs.publish-without-sfw }}
       setup-script: 'pnpm run build'
       use-trusted-publishing: true
+    secrets:
+      SOCKET_API_KEY: ${{ secrets.SOCKET_API_KEY }}