Add dependency release and compliance automations

files/dependency-check-gitea.yml

@@ -0,0 +1,114 @@
+name: Scheduled Dependency Check
+
+on:
+  schedule:
+    - cron: "29 3 * * 2"
+  workflow_dispatch:
+
+jobs:
+  dependency-check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Detect project stack
+        id: detect
+        shell: bash
+        run: |
+          stacks=""
+
+          [ -f package.json ] && stacks="${stacks} node"
+          { [ -f pyproject.toml ] || [ -f requirements.txt ]; } && stacks="${stacks} python"
+          [ -f Cargo.toml ] && stacks="${stacks} rust"
+          [ -f go.mod ] && stacks="${stacks} go"
+          { [ -f Dockerfile ] || [ -f compose.yml ] || [ -f docker-compose.yml ]; } && stacks="${stacks} docker"
+
+          echo "stacks=${stacks:-generic}" >> "$GITHUB_OUTPUT"
+          echo "Detected stacks:${stacks:- generic}"
+
+      - name: Node dependency report
+        if: contains(steps.detect.outputs.stacks, 'node')
+        shell: bash
+        run: |
+          if [ -f package-lock.json ] || [ -f npm-shrinkwrap.json ]; then
+            npm ci
+          else
+            npm install --package-lock-only --ignore-scripts
+          fi
+
+          echo "Security audit:"
+          npm audit --omit=dev --audit-level=high
+
+          echo
+          echo "Outdated dependencies:"
+          npm outdated || true
+
+      - name: Python dependency report
+        if: contains(steps.detect.outputs.stacks, 'python')
+        shell: bash
+        run: |
+          python -m pip install --upgrade pip pip-audit
+
+          echo "Security audit:"
+          if [ -f requirements.txt ]; then
+            pip-audit -r requirements.txt
+          else
+            pip-audit
+          fi
+
+          echo
+          echo "Outdated packages:"
+          python -m pip list --outdated || true
+
+      - name: Rust dependency report
+        if: contains(steps.detect.outputs.stacks, 'rust')
+        shell: bash
+        run: |
+          cargo install cargo-audit cargo-outdated --locked
+
+          echo "Security audit:"
+          cargo audit
+
+          echo
+          echo "Outdated crates:"
+          cargo outdated || true
+
+      - name: Go dependency report
+        if: contains(steps.detect.outputs.stacks, 'go')
+        shell: bash
+        run: |
+          go install golang.org/x/vuln/cmd/govulncheck@latest
+
+          echo "Security audit:"
+          govulncheck ./...
+
+          echo
+          echo "Available dependency updates:"
+          go list -u -m all || true
+
+      - name: Docker base image report
+        if: contains(steps.detect.outputs.stacks, 'docker')
+        shell: bash
+        run: |
+          echo "Docker image references:"
+          grep -RInE --exclude-dir=.git --exclude-dir=node_modules --exclude-dir=dist --exclude-dir=build '^\s*FROM\s+' Dockerfile* . 2>/dev/null || true
+
+          echo
+          echo "Review Docker base images manually for pinned versions, official sources, and current security status."
+
+      - name: Dependency guidance
+        shell: bash
+        run: |
+          cat <<'EOF'
+          Dependency check completed.
+
+          This workflow reports vulnerabilities and available updates. It does
+          not modify dependency files, create pull requests, or publish packages.
+
+          Recommended manual follow-up:
+          - update dependencies in a focused branch,
+          - run the project test/build commands,
+          - review lockfile diffs carefully,
+          - document intentionally held versions.
+          EOF