refactor: update Socket Security workflow to manual dispatch with optional PR input and ensure proper Node.js task resource disposal.

miccy · miccy · commit 022493c57038 · 2026-02-03T04:53:13.000+01:00
diff --git a/.github/workflows/socket.yaml b/.github/workflows/socket.yaml
@@ -1,16 +1,17 @@
 # Socket Security GitHub Actions Workflow
-# This workflow runs Socket Security scans on every commit to any branch
-# It automatically detects git repository information and handles different event types
+# This workflow runs Socket Security scans manually
+# It is designed to be triggered via workflow_dispatch with an optional PR number
 
 name: socket-security-workflow
 run-name: Socket Security Github Action
 
 on:
   workflow_dispatch:
-  # pull_request:
-  #   types: [opened, synchronize, reopened]
-  # issue_comment:
-  #   types: [created]
+    inputs:
+      pr_number:
+        description: 'PR number to target'
+        required: false
+        type: string
 
 # Prevent concurrent runs for the same commit
 concurrency:
@@ -43,11 +44,12 @@ jobs:
           SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }}
           GH_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          # Determine PR number based on event type
-          PR_NUMBER=0
-          if [ "${{ github.event_name }}" == "pull_request" ]; then
+          # Determine PR number based on event type or input
+          PR_NUMBER="${{ inputs.pr_number || 0 }}"
+          # Fallback logic if needed (though manual run usually implies input or 0)
+          if [ "$PR_NUMBER" == "0" ] && [ "${{ github.event_name }}" == "pull_request" ]; then
             PR_NUMBER=${{ github.event.pull_request.number }}
-          elif [ "${{ github.event_name }}" == "issue_comment" ]; then
+          elif [ "$PR_NUMBER" == "0" ] && [ "${{ github.event_name }}" == "issue_comment" ]; then
             PR_NUMBER=${{ github.event.issue.number }}
           fi
 
diff --git a/packages/nodejs/src/Task.ts b/packages/nodejs/src/Task.ts
@@ -4,12 +4,7 @@
  * @module
  */
 
-import {
-  callback,
-  createRunner,
-  createUnknownError,
-  type MainTask,
-} from "@evolu/common";
+import { callback, createRunner, createUnknownError, type MainTask } from '@evolu/common'
 
 /**
  * Runs a main task with proper Node.js signal handling.
@@ -49,8 +44,8 @@ export const runMain =
   <D>(deps: D) =>
   (main: MainTask<D>): void => {
     void (async () => {
-      await using run = createRunner(deps);
-      const console = run.deps.console.child("process");
+      await using run = createRunner(deps)
+      const console = run.deps.console.child('process')
 
       /**
        * "The correct use of 'uncaughtException' is to perform synchronous
@@ -63,38 +58,44 @@ export const runMain =
        * We log and initiate graceful shutdown.
        */
       const handleError = (error: unknown): void => {
-        console.error(createUnknownError(error));
+        console.error(createUnknownError(error))
         // https://nodejs.org/api/process.html#processexitcode
-        process.exitCode = 1;
-        void run[Symbol.asyncDispose]();
-      };
+        process.exitCode = 1
+        void run[Symbol.asyncDispose]()
+      }
 
-      process.on("uncaughtException", handleError);
-      process.on("unhandledRejection", handleError);
+      process.on('uncaughtException', handleError)
+      process.on('unhandledRejection', handleError)
 
-      const _ = await run(main);
+      const result = await run(main)
       // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
-      await using _stack = _.ok ? (_.value ?? undefined) : undefined;
+      const stack = result.ok ? (result.value ?? undefined) : undefined
 
-      await run(
-        callback(({ ok }) => {
-          // https://nodejs.org/api/process.html#signal-events
-          process.on("SIGINT", ok); // Ctrl-C (all platforms)
-          process.on("SIGTERM", ok); // OS/k8s/Docker termination (Unix)
-          process.on("SIGHUP", ok); // Console close (Windows), terminal disconnect (Unix)
+      try {
+        await run(
+          callback(({ ok }) => {
+            // https://nodejs.org/api/process.html#signal-events
+            process.on('SIGINT', ok) // Ctrl-C (all platforms)
+            process.on('SIGTERM', ok) // OS/k8s/Docker termination (Unix)
+            process.on('SIGHUP', ok) // Console close (Windows), terminal disconnect (Unix)
 
-          // TODO: Explain why it's important to use run.onAbort and not
-          // unregister sooner (cli shows gracefull shutdown was terminated.)
-          run.onAbort(() => {
-            process.off("SIGINT", ok);
-            process.off("SIGTERM", ok);
-            process.off("SIGHUP", ok);
-          });
-          return undefined;
-        }),
-      );
+            // TODO: Explain why it's important to use run.onAbort and not
+            // unregister sooner (cli shows gracefull shutdown was terminated.)
+            run.onAbort(() => {
+              process.off('SIGINT', ok)
+              process.off('SIGTERM', ok)
+              process.off('SIGHUP', ok)
+            })
+            return undefined
+          }),
+        )
+      } finally {
+        if (stack) {
+          await stack[Symbol.asyncDispose]()
+        }
+      }
 
-      process.off("uncaughtException", handleError);
-      process.off("unhandledRejection", handleError);
-    })();
-  };
+      process.off('uncaughtException', handleError)
+      process.off('unhandledRejection', handleError)
+    })()
+  }
