Add Dependency Review GitHub Action

[haritamar]

Summary

Adds actions/dependency-review-action@v4 workflow to scan PRs for vulnerable or improperly-licensed dependency changes.

• Triggers on pull_request and workflow_dispatch (manual runs require base-ref input, e.g. a tag or commit SHA, to define the comparison range; head-ref defaults to HEAD)
• persist-credentials: false on checkout for security
• License enforcement via allow-licenses allowlist covering permissive (MIT, Apache-2.0, BSD, ISC, etc.) and weak copyleft (LGPL, MPL-2.0) — blocks strong copyleft (GPL, AGPL), proprietary, SSPL, BUSL, Elastic, and any other unlisted license

Link to Devin session: https://app.devin.ai/sessions/0f830b140bd8488797ab340ef05dc88f
Requested by: @haritamar

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment, CI, and merge conflict monitoring

[github-actions]

👋 @haritamar
Thank you for raising your pull request.
Please make sure to add tests and document all user-facing changes.
You can do this by editing the docs files in this pull request.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a GitHub Actions workflow that runs dependency review on pull requests and manual dispatches with restricted permissions.

Changes

Dependency review workflow

Layer / File(s)	Summary
Workflow configuration .github/workflows/dependency-review.yml	Defines the workflow triggers, top-level permissions, checkout step, and actions/dependency-review-action@v4 with an allow-licenses list.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 I hopped by the workflow gate,
With checks that guard the dependency state.
A checkout here,
A scan crystal-clear,
And licenses lined up just right toేట్.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the new Dependency Review GitHub Actions workflow added in this pull request.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch devin/1782396276-add-dependency-review

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/dependency-review.yml:
- Around line 12-13: The dependency-review workflow’s actions/checkout step is
leaving the GitHub token persisted in local git config by default. Update the
Checkout repository step to disable persisted credentials by setting
persist-credentials to false in the checkout action, keeping the change scoped
to the existing checkout job.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ddfafe8a-c9f1-460e-bc31-e32de77a52f8

📥 Commits

Reviewing files that changed from the base of the PR and between ab917b2 and cfdcf6e.

📒 Files selected for processing (1)

• .github/workflows/dependency-review.yml