ethyca · daveqnet · Mar 25, 2026 · Mar 24, 2026 · Mar 24, 2026 · Mar 24, 2026
diff --git a/.github/workflows/dep_review.yml b/.github/workflows/dep_review.yml
@@ -0,0 +1,42 @@
+name: Dependency Review
+
+on:
+  pull_request:
+    paths:
+      - "uv.lock"
+      - "pyproject.toml"
+      - "clients/package-lock.json"
+      - "clients/**/package-lock.json"
+      - "clients/**/package.json"
+
+permissions:
+  contents: read
+  pull-requests: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  dependency-review:
+    name: Dependency Review
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      # NOTE: uv.lock is not in GitHub's official supported ecosystems list, but
+      # appears to work in practice. Coverage of transitive Python deps should
+      # be verified. See: https://github.com/dependabot/dependabot-core/issues/11913
+      - uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
+        with:
+          # Always post so that a clean push overwrites any previous warning
+          comment-summary-in-pr: always
+          # fail-on-severity causes the step to fail on HIGH+, but
+          # continue-on-error ensures the workflow never blocks merging.
+          # The intent is visibility (PR comment) only, not enforcement.
+          fail-on-severity: high
+          show-openssf-scorecard: false
+          show-patched-versions: true
+          retry-on-snapshot-warnings: false
+          license-check: false
+        continue-on-error: true
diff --git a/changelog/7749-add-dependency-review-action.yaml b/changelog/7749-add-dependency-review-action.yaml
@@ -0,0 +1,4 @@
+type: Developer Experience
+description: Added Dependency Review GitHub Actions workflow to surface new dependency vulnerabilities in PR comments
+pr: 7749
+labels: []