Drain remaining code-scanning alerts: idna pin, OSV ignores, FFI SAFE… #36

	name: Dependency Integrity Check

	on:
	push:
	branches: [ "main", "master", "development", "dev" ]
	pull_request:
	branches: [ "main", "master", "development", "dev" ]
	schedule:
	- cron: "17 9 * * *"
	workflow_dispatch:

	permissions:
	contents: read

	concurrency:
	group: ${{ github.workflow }}-${{ github.ref }}
	cancel-in-progress: true

	defaults:
	run:
	shell: bash

	jobs:
	dependency-integrity-check:
	runs-on: ubuntu-latest
	timeout-minutes: 15
	steps:
	- name: Harden the runner (egress audit)
	uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
	with:
	egress-policy: audit

	- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
	with:
	persist-credentials: false

	- name: Set up Python
	uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
	with:
	python-version: "3.12"

	- name: Install uv
	uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
	with:
	version: "0.11.14"
	enable-cache: true
	save-cache: ${{ github.event_name == 'push' && (github.ref_name == 'main' \|\| github.ref_name == 'master' \|\| github.ref_name == 'development' \|\| github.ref_name == 'dev') }}

	- name: Install integrity check tools
	run: \|
	sudo apt-get update
	sudo apt-get install -y ripgrep

	- name: Set up Rust
	run: rustup show

	- name: Run dependency integrity checks
	run: ./scripts/dependency-integrity-check.sh

Provide feedback