Add dependency release and compliance automations

files/AGENTS.md

@@ -22,7 +22,9 @@ PROJECT_NAME: PROJECT_DESCRIPTION
 - If README blueprint files are changed, regenerate or update `README.md` in the same change and verify the generated output renders reasonably.
 - For releasable projects, add or preserve `.gitea/workflows/security-scan.yml` using `files/security-scan-gitea.yml` unless the repository already has equivalent scheduled security automation.
 - For active projects, add or preserve `.gitea/workflows/repo-cleanup.yml` using `files/repo-cleanup-gitea.yml` unless the repository already has equivalent cleanup checks.
+- Add or preserve `.gitea/workflows/dependency-check.yml`, `.gitea/workflows/release-dry-run.yml`, and `.gitea/workflows/template-compliance.yml` when the repository is active, releasable, or intended as a Codex-maintained project.
 - Repository cleanup automation must be non-destructive. Do not delete branches, packages, releases, or tracked files without explicit user approval.
+- Dependency, compliance, and release dry-run automation must report findings only. Do not auto-update dependencies, auto-open PRs, create tags, publish packages, or create releases without explicit user approval.
 
 ## Commands
 
@@ -59,6 +61,7 @@ ARTIFACT_NAME
 - Fill `docs/security-review.md` with actual checked commands and results when performing release-readiness work.
 - Review scheduled security workflow failures before changing code. Treat matches as leads: they may be true positives, documentation examples, or test fixtures.
 - Review repository cleanup workflow failures as maintenance leads. Document intentional exceptions instead of blindly deleting files.
+- Review dependency and template compliance workflow failures as maintenance leads. Preserve project-specific conventions when they are documented.
 - Treat generated credentials and config files as sensitive.
 - Keep external network calls documented.
 - Prefer local processing for user data.