fix: harden dependency-review workflow from adversarial review

Fixes applied:
- fail-on-scopes covers development deps, not just runtime (default)
- path-filter to dependency manifests + workflow files (GitHub Actions
  ecosystem changes are also reviewed)
- concurrency cancel-in-progress + 10min timeout, matching version-gate

Auto-fixed by Claude watch-pipeline

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
Josh France 2026-07-13 15:18:13 -07:00
parent dae910e5d9
commit b503f96a22
1 changed files with 14 additions and 1 deletions

View File

@ -1,6 +1,17 @@
name: Dependency Review
on: pull_request
on:
pull_request:
paths:
- 'package.json'
- 'bun.lock'
- '**/package.json'
- '**/bun.lock'
- '.github/workflows/**'
concurrency:
group: dependency-review-${{ github.event.pull_request.number }}
cancel-in-progress: true
permissions:
contents: read
@ -8,6 +19,7 @@ permissions:
jobs:
dependency-review:
runs-on: ubicloud-standard-8
timeout-minutes: 10
permissions:
contents: read
pull-requests: write
@ -16,4 +28,5 @@ jobs:
- uses: actions/dependency-review-action@v4
with:
fail-on-severity: high
fail-on-scopes: runtime, development
comment-summary-in-pr: on-failure