Validate and safely exercise dormant GitHub workflows

[bmurdock]

Two workflow files exist in the repository but have no recorded runs so far: Dependency Review and Release. That means they have not been validated in the actual repository context yet.

For a project that emphasizes security, release hygiene, and low operational surprise, unexercised workflows are a real gap. A workflow that only exists on paper is not protection.

Scope

• Add a safe way to exercise the Dependency Review and Release workflows before relying on them in production
• Confirm the workflows run successfully in this repository context
• Keep the release path safe so testing it does not accidentally publish to npm
• Document how maintainers should validate these workflows going forward

Acceptance Criteria

• Dependency Review can be triggered and completes successfully in a realistic repo event path
• Release has a non-publishing validation path such as workflow_dispatch, a dry-run mode, or a separate verification job
• At least one successful run exists for each currently dormant workflow
• Maintainer docs explain how to validate the workflows without creating release risk

[bmurdock]

Progress landed in 85aa29e and 49be2ee: both previously dormant workflows now have safe manual validation paths and have been exercised. Current blocker for full closure is repository configuration, not workflow syntax: the Dependency Review run now fails with Dependency review is not supported on this repository until Dependency Graph and GitHub Advanced Security are enabled in repo settings.

[bmurdock]

Update: dependency graph was enabled at the repository level, but manual rerun 23822302658 still fails because GitHub now explicitly requires GitHub Advanced Security for dependency review on this private repository. This issue is no longer a workflow-definition problem; it is blocked on enabling GHAS or changing the repo/security posture.

[bmurdock]

Update: issue #19 is now resolved. The Dependency Review workflow no longer uses the deprecated Node 20 action; it now reports repository capability status cleanly while this private repo remains in a state where full dependency review is unsupported. This issue remains the follow-up for restoring real dependency review when the repository posture changes.

[bmurdock]

Current status after recent workflow hardening: the workflow has a safe dry-run path and successful runs exist, and the workflow can now be exercised safely in placeholder mode. The remaining gap is platform-level rather than code-level: full dependency review on this private repository depends on repository visibility and/or GitHub security feature availability. Until the repo posture changes, full acceptance for this issue remains blocked.

[bmurdock]

Current status after recent workflow hardening: the Release workflow has a safe dry-run path and successful runs exist, and the Dependency Review workflow can now be exercised safely in placeholder mode.

The remaining gap is platform-level rather than code-level: full dependency review on this private repository depends on repository visibility and/or GitHub security feature availability.

Until the repo posture changes, full acceptance for this issue remains blocked.

[bmurdock]

The repository is now public, and the remaining blocker is resolved in practice. has a successful run on PR #40, and already has successful non-publishing validation runs. The dormant-workflow concern is now addressed.

[bmurdock]

The repository is now public, and the dormant-workflow concern is resolved in practice.

• Dependency Review has a successful pull_request run on PR Bump happy-dom from 18.0.1 to 20.8.9 #40.
• Release already has successful non-publishing validation runs.

This issue is complete.