From cfdcf6e99e278c2ade4c3251e705b497056c8a72 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Thu, 25 Jun 2026 14:05:36 +0000
Subject: [PATCH 1/5] Add Dependency Review GitHub Action

Adds the dependency-review-action workflow to scan PRs for dependency changes that introduce known vulnerabilities.

Co-Authored-By: Itamar Hartstein
---
 .github/workflows/dependency-review.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 .github/workflows/dependency-review.yml

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 000000000..03840b28d
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,15 @@
+name: Dependency Review
+on: [pull_request]
+
+permissions: {}
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - name: Dependency Review
+ uses: actions/dependency-review-action@v4
From d84254943adf31f762d3d1d3bf957627fae94c60 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Thu, 25 Jun 2026 14:10:18 +0000
Subject: [PATCH 2/5] Set persist-credentials: false on checkout step

Co-Authored-By: Itamar Hartstein
---
 .github/workflows/dependency-review.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 03840b28d..a967d317f 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -11,5 +11,7 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Dependency Review
 uses: actions/dependency-review-action@v4
From 836608247604396019a374a9e204ef2650bbe625 Mon Sep 17 00:00:00 2001
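Review bot: Both `uses:` lines in the new workflow reference the actions by a mutable major-version tag (`actions/checkout@v4`, `actions/dependency-review-action@v4`), so what runs on each PR is whatever those tags point to that day rather than a reviewed revision. Pinning each to a full-length commit SHA with the version kept as a trailing comment, `uses: actions/dependency-review-action@<full-commit-sha> # v4`, closes that gap, and Dependabot or Renovate can keep the pin current; the same applies to the checkout step that patch 2's hunk touches. The action is also run at its default severity threshold (low, per the action's README — confirm), and stating it explicitly under `with:` as `fail-on-severity: low` records the gate the team actually agreed on instead of leaving it implicit. The top-level `permissions: {}` with only `contents: read` granted to the job is the right shape and should be kept as the action gains inputs.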
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Thu, 25 Jun 2026 14:20:41 +0000
Subject: [PATCH 3/5] Add workflow_dispatch trigger to dependency review

Co-Authored-By: Itamar Hartstein
---
 .github/workflows/dependency-review.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index a967d317f..7c57d1360 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -1,5 +1,5 @@
 name: Dependency Review
-on: [pull_request]
+on: [pull_request, workflow_dispatch]
 
 permissions: {}
 
From 09940752fbdd7ea377c437633434852cda10a2f2 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Thu, 25 Jun 2026 20:35:45 +0000
Subject: [PATCH 4/5] Add license enforcement via allow-licenses

Co-Authored-By: Itamar Hartstein
---
 .github/workflows/dependency-review.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 7c57d1360..4d210b61a 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -15,3 +15,12 @@ jobs:
 persist-credentials: false
 - name: Dependency Review
 uses: actions/dependency-review-action@v4
+ with:
+ allow-licenses: >-
+ MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC,
+ PSF-2.0, Python-2.0, 0BSD, BlueOak-1.0.0,
+ CC0-1.0, CC-BY-3.0, CC-BY-4.0, Unlicense,
+ MPL-2.0,
+ LGPL-2.1-only, LGPL-2.1-or-later,
+ LGPL-3.0-only, LGPL-3.0-or-later,
+ Artistic-2.0
From be3c5dcca87e3bbba60f952b4332c4d1e995f2ca Mon Sep 17 00:00:00 2001
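Review bot: The `allow-licenses` list added in the patch 4 hunk is a policy decision with no record of why these identifiers were chosen, and several entries (the LGPL variants, MPL-2.0, CC-BY-3.0/4.0) carry obligations a later reader will want explained; a comment above `allow-licenses:` should state the rationale, e.g. `# Allowed SPDX identifiers; weak-copyleft (LGPL/MPL) accepted because <reason> — changes need <owner> sign-off`. Two behaviours are worth checking against the action's README and recording in that comment: `allow-licenses` and `deny-licenses` are mutually exclusive, so a future contributor cannot add a deny list alongside this one, and dependencies whose license cannot be detected are presumably surfaced rather than failed — confirm. Because the `>-` folded scalar renders as one comma-separated line, each entry must be an exact SPDX identifier (`LGPL-2.1-only`, not `LGPL-2.1`), which the same comment can mention so the list is not silently widened or narrowed by a typo.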
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Thu, 25 Jun 2026 20:39:32 +0000
Subject: [PATCH 5/5] Wire workflow_dispatch with base-ref/head-ref inputs

Co-Authored-By: Itamar Hartstein
---
 .github/workflows/dependency-review.yml | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 4d210b61a..56a103178 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -1,5 +1,15 @@
 name: Dependency Review
-on: [pull_request, workflow_dispatch]
+on:
+ pull_request:
+ workflow_dispatch:
+ inputs:
+ base-ref:
+ description: Base git ref for comparison (e.g. a tag or commit SHA)
+ required: true
+ head-ref:
+ description: Head git ref for comparison (defaults to HEAD)
+ required: false
+ default: HEAD
 
 permissions: {}
 
@@ -16,6 +26,8 @@ jobs:
 - name: Dependency Review
 uses: actions/dependency-review-action@v4
 with:
+ base-ref: ${{ inputs.base-ref || '' }}
+ head-ref: ${{ inputs.head-ref || '' }}
 allow-licenses: >-
 MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC,
 PSF-2.0, Python-2.0, 0BSD, BlueOak-1.0.0,
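Review bot: The `head-ref` input's description says it "defaults to HEAD", but the action compares refs through the GitHub API rather than the local checkout, so a value of `HEAD` will presumably be resolved server-side to the default branch's tip, not to the branch a user picked in the dispatch dialog — confirm and say so in the description, e.g. `description: Head git ref for comparison (default HEAD = default-branch tip as resolved by the API, not the dispatch branch)`. The `base-ref` description should likewise note that the ref must exist on the remote and has no fallback, since `required: true` only guarantees the field is non-empty, not that it resolves. Both inputs are consumed only by the second hunk of this patch, which the descriptions could point at so the contract is visible from the trigger definition.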
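Review bot: On `pull_request` runs the `inputs` context is empty, so the two new `with:` lines pass an empty string to the action; the hunk relies on the action treating `''` as "not provided" and falling back to the PR's own base and head, which is presumably the case but is stated nowhere — confirm against the action's input handling and record it above the two lines: `# inputs.* is empty on pull_request; the action then uses the PR's base/head`. Passing the dispatch-supplied refs via `with:` rather than interpolating them into a `run:` script is the right shape, as user-controlled input never reaches a shell; a comment such as `# keep these as action inputs — do not interpolate into a run: step` would protect that property when someone later adds a script step. The `allow-licenses` lines at the end of the hunk are unchanged context.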