agent-ecosystem/.github/workflows/dependency-review.yml
777genius d0b0a18e3b chore(ci): tighten dependency update gates
- Disable routine Dependabot PR creation while keeping grouped security update handling for npm and GitHub Actions.

- Add dependency-review workflow for dependency manifest and lockfile pull requests.

- Checked current upstream action majors before committing: actions/checkout v6 and dependency-review-action v5.
2026-05-24 15:57:04 +03:00

28 lines
581 B
YAML

name: Dependency Review

on:
  pull_request:
    paths:
      - "**/package.json"
      - "**/package-lock.json"
      - "**/pnpm-lock.yaml"
      - "pnpm-workspace.yaml"

permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Dependency Review
        uses: actions/dependency-review-action@v5
        with:
          fail-on-severity: high
          fail-on-scopes: runtime, development, unknown
          license-check: false
          show-patched-versions: true
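The commit message says the action majors (actions/checkout v6, actions/dependency-review-action v5) were checked by hand before committing. The script below is an added example, not part of the agent-ecosystem repository or of this commit: a POSIX sh check that extracts every `uses:` reference from a workflow file and rejects any that is not on an allow-list of reviewed action@major pairs, so a later edit that drifts to a floating branch or an unreviewed action fails early. The function name `check_uses`, the allow-list contents, and both sample workflow files are assumptions constructed here; the first sample mirrors the workflow above, the second deliberately references a branch instead of a major.

```shell
#!/bin/sh
# Added example (not the repository's own code): allow-list check for `uses:`
# references in a GitHub Actions workflow. The allow-list mirrors the two
# majors named in the commit message; extend it per repository.

ALLOWED='actions/checkout@v6
actions/dependency-review-action@v5'

# check_uses FILE
# Prints every `uses:` reference that is not allow-listed to stderr and
# returns 1 if any was found; returns 0 when all references are allow-listed.
check_uses() {
    rc=0
    # First sed: keep only the value after "uses:" (with or without a leading "- ").
    # Second sed: drop trailing YAML comments and surrounding quotes.
    refs=$(sed -nE 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//p' "$1" \
           | sed -E 's/[[:space:]]*#.*$//; s/["'"'"']//g')
    for ref in $refs; do
        # -x: whole-line match, -F: literal, so "actions/checkout@v6.1" is not accepted
        if printf '%s\n' "$ALLOWED" | grep -qxF -- "$ref"; then
            :
        else
            printf 'not allow-listed: %s\n' "$ref" >&2
            rc=1
        fi
    done
    return $rc
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: a trimmed copy of the workflow on this page.
cat > "$WORK/dependency-review.yml" <<'EOF'
name: Dependency Review
on:
  pull_request:
    paths:
      - "**/package-lock.json"
permissions:
  contents: read
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Dependency Review
        uses: actions/dependency-review-action@v5
        with:
          fail-on-severity: high
EOF

# Constructed sample: one step drifted to a floating branch ref instead of a reviewed major.
cat > "$WORK/drifted.yml" <<'EOF'
jobs:
  dependency-review:
    steps:
      - uses: actions/checkout@v6
      - uses: actions/dependency-review-action@main   # floating ref
EOF

check_uses "$WORK/dependency-review.yml" && echo "dependency-review.yml: all references allow-listed"
check_uses "$WORK/drifted.yml" || echo "drifted.yml: rejected"
```

Run it as `sh check-uses.sh`; the first sample passes and the second is rejected because `actions/dependency-review-action@main` is not on the list. Whole-line literal matching is deliberate: a patch tag or a longer ref string that merely starts with an allow-listed entry is still reported, so the list has to be updated consciously when a major is bumped.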