
ci: add dependency-review workflow#22464

Open: GirlBossRush wants to merge 1 commit into main from ci/dependency-review

Conversation

@GirlBossRush
Contributor

Summary

Adds .github/workflows/qa-dependency-review.yml, which runs actions/dependency-review-action@v5.0.0 on every PR targeting main.

Blocks PRs that introduce a new dependency (direct or transitive, any ecosystem GitHub supports — npm, Go modules, Python, GitHub Actions) with a known high or critical vulnerability.

How this fits the rest of the supply-chain hardening

  • Dependabot surfaces vulns in already-merged deps (the existing flow).
  • dependency-review catches them at the moment they would be introduced, before merge — Dependabot only sees the world after merge.
  • It does not catch the maintainer-account-hijack-to-malicious-version case directly (no advisory exists yet for those). The defense for that is the existing .npmrc:1 ignore-scripts=true + Dependabot npm cooldown.

This action does not need access to the dependency graph beyond what the PR diff exposes, so the only permission it needs is pull-requests: write (to leave the summary comment on failure) plus contents: read.

Config

  • fail-on-severity: high — block on high/critical only; lower-severity introductions surface in the check summary but don't gate merge
  • comment-summary-in-pr: on-failure — when the action blocks a PR, post a diff-style summary as a comment so the reviewer sees context, not just a red check

Test plan

  • Workflow appears on this PR's checks list as QA - Dependency review / dependency-review.
  • Passes for this PR (no dependency changes in this diff).
  • On a follow-up PR that bumps a vulnerable package version, the check fails and posts a summary comment.

@GirlBossRush GirlBossRush requested a review from a team as a code owner May 19, 2026 11:36
@codecov

codecov Bot commented May 19, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.29%. Comparing base (f992754) to head (056b5cc).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main   #22464   +/-   ##
=======================================
  Coverage   93.28%   93.29%           
=======================================
  Files        1032     1032           
  Lines       60059    60059           
  Branches      400      400           
=======================================
+ Hits        56029    56031    +2     
+ Misses       4030     4028    -2     
Flag          Coverage   Δ
conformance   36.61%     <ø> (+<0.01%) ⬆️
e2e           41.86%     <ø> (-0.02%) ⬇️
integration   33.05%     <ø> (+<0.01%) ⬆️
rust           0.00%     <ø> (ø)
unit          88.04%     <ø> (-4.17%) ⬇️
unit-migrate  92.25%     <ø> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown.

☔ View full report in Codecov by Sentry.

@netlify

netlify Bot commented May 19, 2026

Deploy Preview for authentik-docs ready!

Name                  Link
🔨 Latest commit      275f0e3
🔍 Latest deploy log  https://app.netlify.com/projects/authentik-docs/deploys/6a0c4b3ca6199600083695cb
😎 Deploy Preview     https://deploy-preview-22464--authentik-docs.netlify.app

Adds a `QA - Dependency review` workflow that runs
`actions/dependency-review-action` on every PR targeting `main`.

This blocks PRs that introduce a *new* dependency (direct or transitive)
with a known high or critical vulnerability in GitHub's Advisory
Database. It complements rather than duplicates Dependabot: Dependabot
surfaces vulns in already-merged dependencies; dependency-review catches
them at the moment they would be introduced.

It also catches the much narrower case that motivated this PR — a
maintainer-account-hijack publishing a malicious version to npm — only
indirectly: GitHub will not have an advisory entry until the package
has been flagged. The real value here is keeping the much larger class
of "newly introduced dep happens to carry a known CVE" out of the tree.

Configured with:

  - fail-on-severity: high  (block on high/critical only)
  - comment-summary-in-pr: on-failure  (surface diff context to
                                        reviewers when a block fires)

Pinned to v5.0.0 (a1d282b36b6f3519aa1f3fc636f609c47dddb294).

Co-authored-by: Agent <279763771+playpen-agent@users.noreply.github.com>
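The PR description and the commit message above describe the workflow's trigger, permissions, pin and inputs but the page does not show the file itself. The following is an added reconstruction of `.github/workflows/qa-dependency-review.yml` from those details; it is not the file from this PR. The `runs-on` runner and the `actions/checkout@v4` step (taken from the action's documented usage) are assumptions; the workflow name, job name, permissions, commit pin for v5.0.0 and the two `with:` inputs come from the text above.

```yaml
# .github/workflows/qa-dependency-review.yml
# Added reconstruction from the PR description, not the PR's own file.
name: QA - Dependency review

# Run on every pull request whose base branch is main.
on:
  pull_request:
    branches: [main]

# Least privilege: the action reads the PR's dependency diff through the
# GitHub API, so it needs only contents: read plus pull-requests: write
# (the latter solely to post the summary comment when the gate fires).
permissions:
  contents: read
  pull-requests: write

jobs:
  dependency-review:
    runs-on: ubuntu-latest  # assumed runner; the PR text does not specify one
    steps:
      # Checkout follows the action's documented example; the tag pin here
      # is an assumption, and a SHA pin would match the hardening goal.
      - name: Checkout repository
        uses: actions/checkout@v4

      # Pinned to the full commit SHA for v5.0.0 given in the commit message,
      # so a moved or re-tagged release cannot change what runs.
      - name: Dependency review
        uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
        with:
          # Block the merge on high or critical advisories only; lower
          # severities still show in the check summary without gating.
          fail-on-severity: high
          # Post a diff-style summary comment on the PR only when it blocks.
          comment-summary-in-pr: on-failure
```

A quick check that the pin is honest: `git ls-remote https://github.com/actions/dependency-review-action refs/tags/v5.0.0` should resolve to the same SHA the `uses:` line carries; if it does not, the tag has moved and the pin, not the tag, is what the workflow trusts.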
@GirlBossRush GirlBossRush force-pushed the ci/dependency-review branch from 275f0e3 to 056b5cc on May 20, 2026 02:09
Comment on lines +6 to +7
# Advisory Database supports — for this repo that's npm, Go modules,
# Python (pip/uv), and GitHub Actions.
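Review bot: the ecosystem list in this comment omits Cargo even though the Codecov report on this PR carries a `rust` flag, so the repository evidently contains Rust code; confirm whether a Cargo lockfile is parsed by the repository's dependency graph and either add Rust to the comment or state that crate dependencies are not gated by this workflow, since the action can only review ecosystems the dependency graph actually resolves.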
Member


does that also include rust dependencies?
