# LAB ONLY
# Purpose: observe dependency risk introduced by pull requests
# Target scope: our own research repositories and test projects
# Risk: a high-severity dependency will cause the PR check to fail
# Not suitable: using this as a production blocking policy without tuning it first
name: dependency-review

on:
  pull_request:

permissions:
  contents: read
  # Required so the action can post its summary as a PR comment
  # (comment-summary-in-pr below); without it the comment step fails.
  pull-requests: write

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Review dependencies
        uses: actions/dependency-review-action@v4
        with:
          # Fail the check when any newly added dependency carries a
          # known vulnerability of severity "high" or above.
          fail-on-severity: high
          # Always post the review summary as a comment on the PR.
          comment-summary-in-pr: always