fix(ci): add missing dependency-review job to CI workflow (#53)

* fix(ci): add missing dependency-review job to CI workflow

The wc-dependency-review.yml reusable workflow was defined but never
invoked from ci.yml, causing dependency review to be silently skipped.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(ci): remove unnecessary pull-requests permission from dependency-review

Remove comment-summary-in-pr feature and the pull-requests: write
permission it required. The dependency-review-action only needs
contents: read without the comment feature.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* style: Trim line

* style: Format

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: roottool

.github/workflows/ci.yml

@@ -70,6 +70,11 @@ jobs:
     secrets:
       CODECOV_TOKEN: "${{ secrets.CODECOV_TOKEN }}"
 
+  dependency-review:
+    needs: [setup]
+    if: ${{ needs.setup.outputs.dependencies == 'true' && github.event_name == 'pull_request' }}
+    uses: ./.github/workflows/wc-dependency-review.yml
+
   export-validation:
     needs: [setup, lint-format, type-check, test]
     if: always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled')
@@ -79,7 +84,15 @@ jobs:
     name: Status Check
     runs-on: ubuntu-slim
     timeout-minutes: 1
-    needs: [setup, lint-format, type-check, test, export-validation]
+    needs:
+      [
+        setup,
+        lint-format,
+        type-check,
+        test,
+        export-validation,
+        dependency-review,
+      ]
     if: always() && (contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled'))
     steps:
       - run: exit 1

.github/workflows/wc-dependency-review.yml

@@ -5,7 +5,6 @@ on: workflow_call
 
 permissions:
   contents: read
-  pull-requests: write
 
 defaults:
   run:
@@ -27,4 +26,3 @@ jobs:
         with:
           deny-licenses: GPL-2.0, GPL-3.0
           fail-on-severity: moderate
-          comment-summary-in-pr: always