From fbd79160037b1ebfdc9fcd30a8c4c7643b1c68bf Mon Sep 17 00:00:00 2001
From: Marguerite Martinez
Date: Thu, 25 Jun 2026 16:42:05 -0400
Subject: [PATCH] Add Socket Basics workflow and gitignore entries

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/socket-basics.yml | 15 +++++++++++++++
 .gitignore | 2 ++
 2 files changed, 17 insertions(+)
 create mode 100644 .github/workflows/socket-basics.yml

diff --git a/.github/workflows/socket-basics.yml b/.github/workflows/socket-basics.yml
new file mode 100644
index 000000000..a19fb451d
--- /dev/null
+++ b/.github/workflows/socket-basics.yml
@@ -0,0 +1,15 @@
+name: Socket Basics Security Scan
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+jobs:
+  socket-basics-security-scan:
+    # We intentionally run this shared action from @main, not from a pinned sha
+    # this is because we control the shared-actions repo, so there is not a significant risk of malicious changes being pushed.
+    # Plus, the shared action does use pinned dependencies, and so will be updated fairly often. When we do that, we do not
+    # want to have to update the sha in every repo that uses this shared action, before such updates apply.
+    uses: ynab/shared-actions/.github/workflows/socket-basics.yml@main
+    secrets:
+      SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }}
diff --git a/.gitignore b/.gitignore
index cf98ac6d4..3e01502d3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,3 +13,5 @@
 .rspec_status
 *.gem
 coverage
+.socket-scans/
+.socket.facts.json
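Review bot: The `uses:` line in the socket-basics.yml hunk references the reusable workflow at `@main` while the `secrets:` block hands it `SOCKET_SECURITY_API_KEY`, and the comment above it only argues that the owners are not malicious; it does not cover a compromised maintainer account, a hijacked dependency inside shared-actions, or an accidental bad push to main, any of which would reach every consumer repo and this secret on the next pull request. Pinning to a full commit SHA, e.g. `uses: ynab/shared-actions/.github/workflows/socket-basics.yml@<commit-sha>  # <tag>`, with a Dependabot or Renovate `github-actions` entry to bump it, keeps the per-repo update cost the comment worries about low without the floating ref. The workflow also declares no `permissions:` block, so the called workflow inherits the repository's default token permissions; if the scan only needs to read the checkout and comment on the PR, `permissions: { contents: read, pull-requests: write }` (confirm against what the shared workflow actually does) would bound it. The comment's second sentence reads oddly — "does use pinned dependencies, and so will be updated fairly often" — and would be clearer as `# the shared workflow pins its own dependencies, so it is bumped often; pinning it here would mean updating the sha in every consumer repo`.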