Skip to content

ci: add dependency review on pull requests#85

Merged
Reefact merged 1 commit into
mainfrom
claude/ci-dependency-review
Jul 10, 2026
Merged

ci: add dependency review on pull requests#85
Reefact merged 1 commit into
mainfrom
claude/ci-dependency-review

Conversation

@Reefact

@Reefact Reefact commented Jul 10, 2026

Copy link
Copy Markdown
Owner

Summary

Add a PR-time dependency gate: actions/dependency-review-action diffs the base vs head dependency graph and fails the PR if a change introduces a known-vulnerable package. It complements Dependabot, which only reacts after a vulnerable dependency is already on main.

Type of change

  • Bug fix
  • New feature
  • Breaking change
  • Refactoring
  • Analyzer / diagnostic change
  • Tests
  • Documentation
  • Build / CI / tooling

Changes

  • .github/workflows/dependency-review.yml (new): runs on every PR to main; contents: read only (no PR comment — the failed check is the signal); action SHA-pinned to v5.0.0. fail-on-severity: moderate. Because it inspects only the PR's own dependency changes, it gates the moment a problem would be introduced rather than blocking on unrelated CVEs published against existing dependencies (those stay warnings via the NuGet audit in Directory.Build.props).

Testing

  • dotnet build FirstClassErrors.sln
  • dotnet test FirstClassErrors.sln
  • Analyzer tests pass (FirstClassErrors.Analyzers.UnitTests)

Not applicable: CI-only change, no code touched. The workflow validates itself on this PR (it triggers on pull_request); YAML parses and the action is SHA-pinned per repo convention.

Documentation

  • No documentation change required

🤖 Generated with Claude Code

https://claude.ai/code/session_01AbXi2ZEaUFeFWodNxdY6Zk


Generated by Claude Code

Add a dependency-review workflow (actions/dependency-review-action, SHA-pinned
v5.0.0) that runs on every PR to main and fails it if a dependency change
introduces a known-vulnerable package. It is the PR-time complement to
Dependabot, which only reacts after a vulnerable dependency has landed on main.

Least privilege (contents: read, no PR comment). fail-on-severity is moderate;
because the action only inspects the PR's own dependency changes, it gates the
moment a problem would be introduced rather than blocking on unrelated CVEs
published against existing dependencies (those stay warnings via the NuGet
audit in Directory.Build.props).
@Reefact Reefact merged commit 1ed2b72 into main Jul 10, 2026
11 of 12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants