ci: remove dependency review job to enhance compatibility with private repositories

Author: Som3a99

.github/workflows/security-scans.yml

@@ -12,26 +12,12 @@ permissions:
   contents: read
 
 jobs:
-  dependency-review:
-    name: Dependency Review
-    # Fix: Removed `github.event.repository.private == false` — that condition
-    # permanently skips this job on private repos.
-    #
-    # Dependency Review requires the Dependency Graph to be enabled in your
-    # repository settings (Settings → Code security → Dependency graph).
-    # It does NOT require GitHub Advanced Security on private repos —
-    # the Dependency Graph feature is available on all GitHub plans.
-    # Enable it at: https://github.com/Som3a99/company-management-system/settings/security_analysis
-    if: github.event_name == 'pull_request'
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Dependency Review
-        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
-        with:
-          fail-on-severity: moderate
+  # NOTE: actions/dependency-review-action has been intentionally removed.
+  # It hard-requires GitHub Advanced Security (GHAS) on private repositories —
+  # the Dependency Graph being enabled is necessary but not sufficient.
+  # GHAS is only available on GitHub Enterprise plans.
+  # Equivalent coverage is provided by dotnet-vulnerability-scan below,
+  # which uses `dotnet list --vulnerable` and needs no special GitHub features.
 
   dotnet-vulnerability-scan:
     name: .NET Vulnerability Audit