
Add Dependency Review Action workflow #14

Merged
vannu07 merged 4 commits into main from vannu07-patch-3 on Feb 2, 2026

Conversation

vannu07 (Owner) commented Feb 2, 2026

This workflow scans dependency manifest files in pull requests for known vulnerabilities and blocks merging if vulnerable packages are detected.

Dependency Review Action Workflow

This PR adds a new GitHub Actions workflow (.github/workflows/dependency-review.yml) that scans dependency manifest files in pull requests targeting main and reports known-vulnerable packages. It sets repository permissions (contents: read, pull-requests: write) so the action can read repo contents and post a comment summary on PRs.

What changed

  • New workflow file: .github/workflows/dependency-review.yml
  • Job: dependency-review runs on ubuntu-latest, checks out the repo and runs the Dependency Review Action with comment-summary-in-pr: always.
  • Actions are pinned to commit SHAs with trailing comments showing the human-friendly release tags (actions/checkout and actions/dependency-review-action).
  • The file includes commented example options (fail-on-severity, deny-licenses, retry-on-snapshot-warnings) for stricter enforcement.

Why this was needed

  • Adds automated supply-chain security scanning to prevent merging PRs that introduce known vulnerable dependencies and to surface risks early in code review.

Impact

  • Improves security posture by surfacing vulnerable dependencies and enabling enforcement (can block merges when configured as required).
  • Increases visibility: the action posts PR comments summarizing findings so reviewers and authors see issues immediately.
  • Configurable enforcement: maintainers can enable severity thresholds, license denylists, and other options by uncommenting and adjusting the provided examples.

Notes / Recommendations (from review comments)

  • YAML linting warnings noted: the top-level "on" key is quoted (currently "on":) and branches list contains no extra spaces — adjust if needed to satisfy project linter.
  • Commented options are indented one level too deep; align their "#" with the other keys under with: for consistent linting.
  • Actions are pinned to SHAs in the current file (recommended). If any floating refs remain elsewhere, pin them to commit SHAs and add trailing comments with the release tag for auditability.

Overall, this is a minimal, security-focused addition that strengthens dependency review on incoming changes without altering project code.

@vannu07 vannu07 requested a review from Copilot February 2, 2026 11:52
coderabbitai bot commented Feb 2, 2026

📝 Walkthrough

Adds a new GitHub Actions workflow at .github/workflows/dependency-review.yml to run the Dependency Review Action on pull requests targeting main. The workflow checks out code, runs the action with comment-summary-in-pr: always, and sets repository permissions (contents: read, pull-requests: write) with commented example options for enforcement.

Changes

Cohort / File(s) | Summary
GitHub Actions Workflow Configuration (.github/workflows/dependency-review.yml) | Adds a workflow triggered on pull_request to main. Sets repo permissions (contents: read, pull-requests: write), checks out code, and runs dependency-review-action with comment-summary-in-pr: always. Includes commented example settings for fail-on-severity, deny-licenses, and retry-on-snapshot-warnings.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title accurately and concisely describes the main change—adding a GitHub Actions workflow for dependency review. It directly reflects the primary purpose of the changeset.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



📜 Recent review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6ede5f2 and 386c97d.

📒 Files selected for processing (1)
  • .github/workflows/dependency-review.yml
🔇 Additional comments (1)
.github/workflows/dependency-review.yml (1)

10-39: Looks good — workflow is well-formed and secure.
Quoted on, normalized branches list, aligned comments, and pinned action SHAs are all in place. Nice job.


Copilot AI (Contributor) left a comment

Pull request overview

This PR introduces a GitHub Actions workflow that runs the Dependency Review Action on pull requests to the main branch, surfacing vulnerable dependencies and, when configured as a required check, preventing merges when issues are found.

Changes:

  • Add a Dependency review workflow that runs on pull_request to main, checks out the repository, runs actions/dependency-review-action@v4, and posts a summary comment to the PR using comment-summary-in-pr: always.


coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Fix all issues with AI agents
In @.github/workflows/dependency-review.yml:
- Around line 10-13: The YAML linter complains about an unquoted truthy key and
spacing in the branches list: quote the on key (i.e., use "on": ...) and remove
the extra spaces inside the branches array so it reads branches: ["main"] to
satisfy YAMLlint; update the workflow header where the top-level on key and the
branches list are defined.
- Around line 35-38: The commented YAML options are indented one level too far;
align the commented keys "fail-on-severity" and "deny-licenses" to the same
indentation as "comment-summary-in-pr" under the with: block (i.e., move the
comment markers so the "#" sits at the same column as "comment-summary-in-pr"),
ensuring comments are at the same block level as the "comment-summary-in-pr"
entry to satisfy yamllint.
- Around line 31-33: Replace the floating action references (e.g., uses:
actions/dependency-review-action@v4 and uses: actions/checkout@v4) with their
pinned commit SHAs from the official upstream releases; update the two uses
entries to reference the specific commit SHA for the corresponding release and
add a trailing comment with the release tag (for example: # v4.1.7) so auditors
can see the human-friendly tag while the workflow uses the immutable SHA.
📜 Review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 79b14a8 and 6ede5f2.

📒 Files selected for processing (1)
  • .github/workflows/dependency-review.yml
🧰 Additional context used
🪛 YAMLlint (1.38.0)
.github/workflows/dependency-review.yml

[warning] 11-11: truthy value should be one of [false, true] (truthy)
[error] 13-13: too many spaces inside brackets (brackets)
[error] 13-13: too many spaces inside brackets (brackets)
[warning] 37-37: comment not indented like content (comments-indentation)


vannu07 (Owner, Author) commented Feb 2, 2026

@copilot In @.github/workflows/dependency-review.yml:

  • Around line 10-13: The YAML linter complains about an unquoted truthy key and
    spacing in the branches list: quote the on key (i.e., use "on": ...) and remove
    the extra spaces inside the branches array so it reads branches: ["main"] to
    satisfy YAMLlint; update the workflow header where the top-level on key and the
    branches list are defined.
  • Around line 35-38: The commented YAML options are indented one level too far;
    align the commented keys "fail-on-severity" and "deny-licenses" to the same
    indentation as "comment-summary-in-pr" under the with: block (i.e., move the
    comment markers so the "#" sits at the same column as "comment-summary-in-pr"),
    ensuring comments are at the same block level as the "comment-summary-in-pr"
    entry to satisfy yamllint.
  • Around line 31-33: Replace the floating action references (e.g., uses:
    actions/dependency-review-action@v4 and uses: actions/checkout@v4) with their
    pinned commit SHAs from the official upstream releases; update the two uses
    entries to reference the specific commit SHA for the corresponding release and
    add a trailing comment with the release tag (for example: # v4.1.7) so auditors
    can see the human-friendly tag while the workflow uses the immutable SHA.

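The PR description above and the three review points relayed in the previous comment come down to three mechanical checks on the workflow file: every `uses:` reference is a full 40-hex commit SHA with a trailing release-tag comment rather than a floating tag, the top-level `on` key and the `branches` list satisfy yamllint, and the `permissions:` block grants only what the job needs. The script below is an added example that performs those checks; it is not code from this repository or from the Dependency Review Action. The two workflow texts it scans are constructed for illustration: the "before" version has the floating refs and lint issues the review flagged, the "after" version uses the two commit SHAs that the Dependency Review comment later in this thread reports for actions/checkout and actions/dependency-review-action, and the `# v0.0.0` tag comments are placeholders for the real release tags (the script only checks that a tag-shaped comment is present, not which tag it is).

```python
"""Check a GitHub Actions workflow for the supply-chain points raised in this PR:
SHA-pinned actions with a release-tag comment, yamllint-clean `on`/`branches`,
and a visible least-privilege `permissions:` block.  Added example, not the
project's code; the workflow texts below are constructed."""

import re

# One `uses:` line: "- uses:" or "uses:", owner/repo[/path]@ref, optional trailing comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>\S+)"
    r"(?:\s*#\s*(?P<comment>.*))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")   # immutable commit ref
TAG_RE = re.compile(r"^v\d+(\.\d+)*")     # human-friendly tag in the trailing comment

# Constructed "before": floating tags, unquoted `on`, padded bracket list.
WORKFLOW_BEFORE = """\
name: Dependency review
on:
  pull_request:
    branches: [ "main" ]
permissions:
  contents: read
  pull-requests: write
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          comment-summary-in-pr: always
"""

# Constructed "after": SHAs from the PR's Dependency Review comment; tag comments are placeholders.
WORKFLOW_AFTER = """\
name: Dependency review
"on":
  pull_request:
    branches: ["main"]
permissions:
  contents: read
  pull-requests: write
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v0.0.0 placeholder tag
      - uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v0.0.0 placeholder tag
        with:
          comment-summary-in-pr: always
"""


def find_uses(workflow_text):
    """Return (line_no, action, ref, comment) for every `uses:` line in the workflow."""
    found = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            found.append((n, m["action"], m["ref"], (m["comment"] or "").strip()))
    return found


def check_pinning(workflow_text):
    """Return (line_no, message) findings; an empty list means every action is SHA-pinned and tagged."""
    findings = []
    for n, action, ref, comment in find_uses(workflow_text):
        if not SHA_RE.match(ref):
            findings.append((n, f"{action}@{ref}: floating ref, pin to a 40-hex commit SHA"))
        elif not TAG_RE.match(comment):
            findings.append((n, f"{action}@{ref[:7]}: pinned but no trailing release-tag comment"))
    return findings


def check_lint_points(workflow_text):
    """Flag the two yamllint points from the review: bare `on:` key and spaces inside bracket lists."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        if line.rstrip() == "on:":
            findings.append((n, 'top-level `on` is unquoted; the truthy rule wants "on":'))
        if re.search(r"\[\s+|\s+\]", line):
            findings.append((n, "too many spaces inside brackets"))
    return findings


def check_permissions(workflow_text):
    """Return the top-level `permissions:` the workflow grants, for a least-privilege review."""
    perms, in_block = {}, False
    for line in workflow_text.splitlines():
        if line.rstrip() == "permissions:":
            in_block = True
            continue
        if in_block:
            m = re.match(r"^\s{2}([\w-]+):\s*(\S+)", line)  # exactly one indent level below the key
            if m:
                perms[m[1]] = m[2]
            else:
                in_block = False
    return perms


if __name__ == "__main__":
    for label, text in (("before", WORKFLOW_BEFORE), ("after", WORKFLOW_AFTER)):
        print(f"== {label} ==")
        for n, msg in check_pinning(text) + check_lint_points(text):
            print(f"  line {n}: {msg}")
        print(f"  permissions: {check_permissions(text)}")
```

Run it as-is and the "before" workflow yields two floating-ref findings plus the two yamllint points, while the "after" workflow yields none; the same functions can be pointed at any `.github/workflows/*.yml` file read from disk to catch a floating ref that was pinned in one workflow but left elsewhere, which is exactly the recommendation in the PR description.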
Copilot AI (Contributor) commented Feb 2, 2026

@vannu07 I've opened a new pull request, #15, to work on those changes. Once the pull request is ready, I'll request review from you.

Copilot AI and others added 2 commits February 2, 2026 12:00
Co-authored-by: vannu07 <161148074+vannu07@users.noreply.github.com>
Fix YAML linting issues in dependency-review workflow
github-actions bot commented Feb 2, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package | Version | Score
actions/actions/checkout | 34e114876b0b11c390a56381ad16ebd13914f8d5 | 🟢 6.6

Details (Check | Score | Reason)
Maintained | 🟢 7 | 9 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 7
Binary-Artifacts | 🟢 10 | no binaries found in the repo
Code-Review | 🟢 10 | all changesets reviewed
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Fuzzing | ⚠️ 0 | project is not fuzzed
Packaging | ⚠️ -1 | packaging workflow not detected
Pinned-Dependencies | 🟢 3 | dependency not pinned by hash detected -- score normalized to 3
License | 🟢 10 | license file detected
Signed-Releases | ⚠️ -1 | no releases found
Security-Policy | 🟢 9 | security policy file detected
Branch-Protection | 🟢 5 | branch protection is not maximal on development and all release branches
Vulnerabilities | 🟢 8 | 2 existing vulnerabilities detected
SAST | 🟢 8 | SAST tool detected but not run on all commits

Package | Version | Score
actions/actions/dependency-review-action | 3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 | 🟢 7.8

Details (Check | Score | Reason)
Security-Policy | 🟢 9 | security policy file detected
Binary-Artifacts | 🟢 10 | no binaries found in the repo
Maintained | 🟢 10 | 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Packaging | ⚠️ -1 | packaging workflow not detected
Token-Permissions | 🟢 9 | detected GitHub workflow tokens with excessive permissions
Code-Review | 🟢 10 | all changesets reviewed
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies | ⚠️ 1 | dependency not pinned by hash detected -- score normalized to 1
License | 🟢 10 | license file detected
Fuzzing | ⚠️ 0 | project is not fuzzed
Signed-Releases | ⚠️ -1 | no releases found
Branch-Protection | 🟢 6 | branch protection is not maximal on development and all release branches
Vulnerabilities | 🟢 8 | 2 existing vulnerabilities detected
SAST | 🟢 10 | SAST tool is run on all commits

Scanned Files

  • .github/workflows/dependency-review.yml

@vannu07 vannu07 merged commit d49ddf1 into main Feb 2, 2026
6 of 8 checks passed
@vannu07 vannu07 deleted the vannu07-patch-3 branch February 2, 2026 12:19