From 71d40e8a244b01a10d5c7eab9f176c879f3b66d4 Mon Sep 17 00:00:00 2001
From: Marguerite Martinez
Date: Thu, 25 Jun 2026 16:41:29 -0400
Subject: [PATCH] Add Socket Basics workflow and gitignore entries

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/socket-basics.yml | 15 +++++++++++++++
 .gitignore | 2 ++
 2 files changed, 17 insertions(+)
 create mode 100644 .github/workflows/socket-basics.yml
diff --git a/.github/workflows/socket-basics.yml b/.github/workflows/socket-basics.yml
new file mode 100644
index 0000000..a19fb45
--- /dev/null
+++ b/.github/workflows/socket-basics.yml
@@ -0,0 +1,15 @@
+name: Socket Basics Security Scan
+
+on:
+ pull_request:
+ types: [opened, synchronize, reopened]
+
+jobs:
+ socket-basics-security-scan:
+ # We intentionally run this shared action from @main, not from a pinned sha
+ # this is because we control the shared-actions repo, so there is not a significant risk of malicious changes being pushed.
+ # Plus, the shared action does use pinned dependencies, and so will be updated fairly often. When we do that, we do not
+ # want to have to update the sha in every repo that uses this shared action, before such updates apply.
+ uses: ynab/shared-actions/.github/workflows/socket-basics.yml@main
+ secrets:
+ SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }}
diff --git a/.gitignore b/.gitignore
index 65b06b9..fc75583 100644
--- a/.gitignore
+++ b/.gitignore
@@ -64,3 +64,5 @@ target/
 # Ipython Notebook
 .ipynb_checkpoints
+.socket-scans/
+.socket.facts.json
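Review bot: The `socket-basics-security-scan` job declares no `permissions:`, so the called workflow runs with whatever default GITHUB_TOKEN scope the repository or organization has configured, from the mutable `@main` ref and with `SOCKET_SECURITY_API_KEY` handed to it. Setting least privilege in the caller, for example `permissions: { contents: read }` (adding `pull-requests: write` only if the shared workflow posts PR comments, which is not visible here), would limit the impact of an unintended push to `ynab/shared-actions` main. The comment above `uses:` rests on "we control the repo"; it would be easier to audit if it named the control it depends on, e.g. `# main in ynab/shared-actions is branch-protected and requires review`, assuming that is the case. GitHub also withholds secrets from workflows triggered by pull requests from forks, so the scan will presumably run without the API key on those PRs; worth confirming the shared workflow handles that case.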