feat(api): implement team-scoped internal multi-tenancy + ci patchset… #39

	name: Security - Dependency Review

	on:
	pull_request:
	branches: [ "*" ]
	paths-ignore:
	- 'docs/**'
	- 'website/**'
	- 'README.md'

	permissions:
	contents: read

	jobs:
	dependency-review:
	name: Dependency Review
	runs-on: ubuntu-24.04
	permissions:
	contents: read
	pull-requests: read
	steps:
	- name: Checkout
	uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

	- name: Check dependency review support
	id: dependency-review-support
	env:
	GH_TOKEN: ${{ github.token }}
	BASE_SHA: ${{ github.event.pull_request.base.sha }}
	HEAD_SHA: ${{ github.event.pull_request.head.sha }}
	run: \|
	status="$(curl -sS -o /tmp/dependency-review-support.json -w "%{http_code}" \
	-H "Accept: application/vnd.github+json" \
	-H "Authorization: Bearer ${GH_TOKEN}" \
	-H "X-GitHub-Api-Version: 2022-11-28" \
	"${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/dependency-graph/compare/${BASE_SHA}...${HEAD_SHA}")"
	if [ "$status" = "200" ]; then
	echo "supported=true" >> "$GITHUB_OUTPUT"
	exit 0
	fi

	echo "supported=false" >> "$GITHUB_OUTPUT"
	echo "::warning::Dependency Review API is unavailable for this repository (HTTP ${status}). Enable the dependency graph in repository security settings to enforce dependency review."

	- name: Review dependency changes
	if: steps.dependency-review-support.outputs.supported == 'true'
	uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
	with:
	fail-on-severity: high
	deny-licenses: AGPL-1.0-only, AGPL-1.0-or-later, AGPL-3.0-only, AGPL-3.0-or-later, SSPL-1.0

Provide feedback