feat: centralize User-Agent string across all API clients

- Add USER_AGENT constant to socketsecurity/__init__.py
- Replace hardcoded 'SocketPythonScript/0.0.1' and 'SocketPythonCLI/0.0.1' with centralized USER_AGENT
- Update all SCM clients (GitHub, GitLab) and CLI client to use USER_AGENT
- Update unit tests to reference centralized constant
- Pin GitHub Actions to commit SHAs for improved security and reproducibility
- Fix minor GitLab client bugs (return type, pipeline source support)

Author: dacoburn

.github/workflows/pr-preview.yml

@@ -11,10 +11,10 @@ jobs:
       contents: read
       pull-requests: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
         with:
           fetch-depth: 0
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
         with:
           python-version: '3.x'
 
@@ -43,14 +43,14 @@ jobs:
 
       - name: Publish to Test PyPI
         if: steps.version_check.outputs.exists != 'true'
-        uses: pypa/gh-action-pypi-publish@v1.12.4
+        uses: pypa/gh-action-pypi-publish@ab69e431e9c9f48a3310be0a56527c679f56e04d
         with:
           repository-url: https://test.pypi.org/legacy/
           verbose: true
 
       - name: Comment on PR
         if: steps.version_check.outputs.exists != 'true'
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
         env:
           VERSION: ${{ env.VERSION }}
         with:
@@ -120,21 +120,21 @@ jobs:
           exit 1
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349
 
       - name: Login to Docker Hub with Organization Token
         if: steps.verify_package.outputs.success == 'true'
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Build & Push Docker Preview
         if: steps.verify_package.outputs.success == 'true'
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75
         env:
           VERSION: ${{ env.VERSION }}
         with:

.github/workflows/release.yml

@@ -10,10 +10,10 @@ jobs:
       id-token: write
       contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
         with:
           fetch-depth: 0
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
         with:
           python-version: '3.x'
 
@@ -66,16 +66,16 @@ jobs:
 
       - name: Publish to PyPI
         if: steps.version_check.outputs.pypi_exists != 'true'
-        uses: pypa/gh-action-pypi-publish@v1.12.4
+        uses: pypa/gh-action-pypi-publish@ab69e431e9c9f48a3310be0a56527c679f56e04d
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349
 
       - name: Login to Docker Hub with Organization Token
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -102,7 +102,7 @@ jobs:
         if: |
           steps.verify_package.outputs.success == 'true' &&
           steps.docker_check.outputs.docker_exists != 'true'
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75
         env:
           VERSION: ${{ env.VERSION }}
         with:

pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "socketsecurity"
-version = "2.2.12"
+version = "2.2.13"
 requires-python = ">= 3.10"
 license = {"file" = "LICENSE"}
 dependencies = [

socketsecurity/__init__.py

@@ -1,2 +1,3 @@
 __author__ = 'socket.dev'
-__version__ = '2.2.12'
+__version__ = '2.2.13'
+USER_AGENT = f'SocketPythonCLI/{__version__}'

socketsecurity/core/__init__.py

@@ -18,7 +18,7 @@
 from socketdev.repos import RepositoryInfo
 from socketdev.settings import SecurityPolicyRule
 import copy
-from socketsecurity import __version__
+from socketsecurity import __version__, USER_AGENT
 from socketsecurity.core.classes import (
     Alert,
     Diff,
@@ -39,6 +39,7 @@
     "Core",
     "log",
     "__version__",
+    "USER_AGENT",
 ]
 
 version = __version__

socketsecurity/core/cli_client.py

@@ -4,6 +4,7 @@
 
 import requests
 
+from socketsecurity import USER_AGENT
 from .exceptions import APIFailure
 from .socket_config import SocketConfig
 
@@ -31,7 +32,7 @@ def request(
 
         default_headers = {
             'Authorization': f"Basic {self._encoded_key}",
-            'User-Agent': 'SocketPythonCLI/0.0.1',
+            'User-Agent': USER_AGENT,
             "accept": "application/json"
         }
 

socketsecurity/core/scm/client.py

@@ -1,6 +1,7 @@
 from abc import abstractmethod
 from typing import Dict
 
+from socketsecurity import USER_AGENT
 from ..cli_client import CliClient
 
 
@@ -28,7 +29,7 @@ class GithubClient(ScmClient):
     def get_headers(self) -> Dict:
         return {
             'Authorization': f"Bearer {self.token}",
-            'User-Agent': 'SocketPythonScript/0.0.1',
+            'User-Agent': USER_AGENT,
             "accept": "application/json"
         }
 
@@ -52,7 +53,7 @@ def _get_gitlab_auth_headers(token: str) -> dict:
         import os
 
         base_headers = {
-            'User-Agent': 'SocketPythonScript/0.0.1',
+            'User-Agent': USER_AGENT,
             "accept": "application/json"
         }
 

socketsecurity/core/scm/github.py

@@ -5,6 +5,7 @@
 
 from git import Optional
 
+from socketsecurity import USER_AGENT
 from socketsecurity.core import log
 from socketsecurity.core.classes import Comment
 from socketsecurity.core.scm_comments import Comments
@@ -83,7 +84,7 @@ def from_env(cls, pr_number: Optional[str] = None) -> 'GithubConfig':
             event_action=event_action,
             headers={
                 'Authorization': f"Bearer {token}",
-                'User-Agent': 'SocketPythonScript/0.0.1',
+                'User-Agent': USER_AGENT,
                 "accept": "application/json"
             }
         )

socketsecurity/core/scm/gitlab.py

@@ -3,6 +3,7 @@
 from dataclasses import dataclass
 from typing import Optional
 
+from socketsecurity import USER_AGENT
 from socketsecurity.core import log
 from socketsecurity.core.classes import Comment
 from socketsecurity.core.scm_comments import Comments
@@ -79,7 +80,7 @@ def _get_auth_headers(token: str) -> dict:
         - Other tokens: Use PRIVATE-TOKEN as fallback
         """
         base_headers = {
-            'User-Agent': 'SocketPythonScript/0.0.1',
+            'User-Agent': USER_AGENT,
             "accept": "application/json"
         }
 
@@ -150,7 +151,7 @@ def _get_fallback_headers(self, original_headers: dict) -> dict:
         If using Bearer, fallback to PRIVATE-TOKEN and vice versa.
         """
         base_headers = {
-            'User-Agent': 'SocketPythonScript/0.0.1',
+            'User-Agent': USER_AGENT,
             "accept": "application/json"
         }
 
@@ -171,11 +172,11 @@ def _get_fallback_headers(self, original_headers: dict) -> dict:
             }
 
         # No fallback available
-        return None
+        return {}
 
     def check_event_type(self) -> str:
         pipeline_source = self.config.pipeline_source.lower()
-        if pipeline_source in ["web", 'merge_request_event', "push", "api"]:
+        if pipeline_source in ["web", 'merge_request_event', "push", "api", 'pipeline']:
             if not self.config.mr_iid:
                 return "main"
             return "diff"
@@ -234,8 +235,8 @@ def add_socket_comments(
             new_security_comment: bool = True,
             new_overview_comment: bool = True
     ) -> None:
-        existing_overview_comment = comments.get("overview")
-        existing_security_comment = comments.get("security")
+        existing_overview_comment = comments.get("overview", "")
+        existing_security_comment = comments.get("security", "")
         if new_overview_comment:
             log.debug("New Dependency Overview comment")
             if existing_overview_comment is not None:
@@ -256,7 +257,7 @@ def add_socket_comments(
                 self.post_comment(security_comment)
 
     def remove_comment_alerts(self, comments: dict):
-        security_alert = comments.get("security")
+        security_alert = comments.get("security", "")
         if security_alert is not None:
             security_alert: Comment
             new_body = Comments.process_security_comment(security_alert, comments)

tests/unit/test_gitlab_auth.py

@@ -3,6 +3,7 @@
 import pytest
 from unittest.mock import patch, MagicMock
 
+from socketsecurity import USER_AGENT
 from socketsecurity.core.scm.gitlab import GitlabConfig
 
 
@@ -58,7 +59,7 @@ def test_all_headers_include_base_headers(self):
 
         for token in test_tokens:
             headers = GitlabConfig._get_auth_headers(token)
-            assert headers['User-Agent'] == 'SocketPythonScript/0.0.1'
+            assert headers['User-Agent'] == USER_AGENT
             assert headers['accept'] == 'application/json'
 
     @patch.dict(os.environ, {'CI_JOB_TOKEN': 'ci-token-123'})