Add Dependency Review GitHub Action

[haritamar]

Summary

Adds actions/dependency-review-action@v4 workflow to scan PRs for vulnerable or improperly-licensed dependency changes.

• Triggers on pull_request and workflow_dispatch (manual runs require base-ref input, e.g. a tag or commit SHA, to define the comparison range; head-ref defaults to HEAD)
• fail-on-severity: high — only blocks PRs on HIGH/CRITICAL vulnerabilities (moderate/low reported but don't fail)
• persist-credentials: false on checkout for security
• License enforcement via allow-licenses allowlist covering permissive (MIT, Apache-2.0, BSD, ISC, etc.) and weak copyleft (LGPL, MPL-2.0) — blocks strong copyleft (GPL, AGPL), proprietary, SSPL, BUSL, Elastic, and any other unlisted license

Link to Devin session: https://app.devin.ai/sessions/0f830b140bd8488797ab340ef05dc88f
Requested by: @haritamar

Summary by CodeRabbit

• New Features
  • Added automated dependency review checks for pull requests.
  • Introduced configurable dependency/license policy settings to help keep dependency changes compliant.

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment, CI, and merge conflict monitoring

[github-actions]

👋 @haritamar
Thank you for raising your pull request.
Please make sure to add tests and document all user-facing changes.
You can do this by editing the docs files in the elementary repository.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a dependency review config and GitHub Actions workflow for pull requests and manual runs, with restricted permissions and license-based review rules.

Changes

Dependency Review Workflow

Layer / File(s)	Summary
License review config .github/dependency-review-config.yml	Defines allowed license identifiers, a high failure threshold, and package-level exemptions for specific GPL-containing compound license expressions.
Pull request dependency review job .github/workflows/dependency-review.yml	Adds pull_request and workflow_dispatch triggers, empty top-level permissions, job-level contents: read, checkout with persist-credentials: false, and actions/dependency-review-action@v4 pointing at the config file.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

A bunny bounced through CI today,
With license rules to guide the way.
🐰 The review ran neat,
On pull requests and repeat—
Soft paws approved the build’s ballet.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: adding a dependency review GitHub Action workflow.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch devin/1782396275-add-dependency-review

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/dependency-review.yml:
- Around line 14-15: The Dependency Review workflow is using a mutable action
reference, so update the uses entry in the Dependency Review step to pin
actions/dependency-review-action from the workflow to a specific commit SHA
instead of `@v4`. Keep the step name unchanged, and replace the version tag with
the immutable SHA that corresponds to the intended release.
- Around line 12-13: The workflow still uses floating major tags for
actions/checkout and actions/dependency-review-action, so update both to
immutable commit SHAs in the dependency-review workflow. In the checkout step,
also set persist-credentials to false so the token is not left in git config
after checkout. Use the existing action names to locate the two steps and
replace only the action references and checkout options.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 37a4bdb1-b425-4d50-9f37-2b051e5f033e

📥 Commits

Reviewing files that changed from the base of the PR and between 244f9db and 59c5b55.

📒 Files selected for processing (1)

• .github/workflows/dependency-review.yml

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/dependency-review.yml:
- Line 2: The dependency review workflow currently allows workflow_dispatch
without any comparison refs, so manual runs have no base/head range to evaluate.
Update the dependency-review workflow by adding explicit base-ref and head-ref
inputs for workflow_dispatch and pass them through to
actions/dependency-review-action, using the existing workflow trigger and action
wiring to locate the manual-run configuration. If you do not want to support
manual runs, remove workflow_dispatch entirely.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e96d6d25-de96-4cc8-8e7b-1b22586e3109

📥 Commits

Reviewing files that changed from the base of the PR and between d0dc8dc and a0cd70f.

📒 Files selected for processing (1)

• .github/workflows/dependency-review.yml