fix(ci): migrate dependency-review from deny-licenses to allow-licenses

[hyperpolymath]

The deny-licenses option on actions/dependency-review-action is deprecated for removal in the next major release
(actions/dependency-review-action#997). The warning surfaced as a bot comment on PR #15 ("Deprecation Warning: The deny-licenses option is deprecated...").

The deprecation rationale matters: when no SBOM is available, the action can't actually evaluate a denylist, so deny-licenses fails open silently. allow-licenses fails closed — anything not in the list (including GPL-3.0 / AGPL-3.0 we want to keep out) blocks the PR.

Scope: enumerated permissive + weak-copyleft licenses compatible with PMPL distribution. Strong copyleft (GPL-3.0, AGPL-3.0) deliberately absent. Adjust the list if a legitimate dep gets rejected — but do not slip GPL-3.0 / AGPL-3.0 back in.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[github-actions]

🔍 Hypatia Security Scan

Findings: 28 issues detected

Severity	Count
🔴 Critical	6
🟠 High	13
🟡 Medium	9

⚠️ Action Required: Critical security issues found!

View findings

[
  {
    "reason": "Stray AI.a2ml in root -- use 0-AI-MANIFEST.a2ml only",
    "type": "banned",
    "file": "AI.a2ml",
    "action": "delete",
    "rule_module": "root_hygiene",
    "severity": "high"
  },
  {
    "reason": "npm banned -- use Deno",
    "type": "banned",
    "file": "package-lock.json",
    "action": "delete",
    "rule_module": "root_hygiene",
    "severity": "high"
  },
  {
    "reason": "Superseded by 0-AI-MANIFEST.a2ml",
    "type": "banned",
    "file": "AI.djot",
    "action": "delete",
    "rule_module": "root_hygiene",
    "severity": "high"
  },
  {
    "reason": "No test directory or test files found",
    "type": "no_tests",
    "file": "/home/runner/work/coq-jr/coq-jr",
    "action": "flag",
    "rule_module": "honest_completion",
    "severity": "high",
    "deduction": 20
  },
  {
    "reason": "Issue in quality.yml",
    "type": "missing_workflow",
    "file": "quality.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in security-policy.yml",
    "type": "missing_workflow",
    "file": "security-policy.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Workflow executes remote script directly (curl/wget piped to shell). Download, verify checksum/signature, then execute.",
    "type": "download_then_run",
    "file": "mirror.yml",
    "action": "verify_download_integrity",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Js.Promise deprecated -- use Promise (2 occurrences)",
    "type": "deprecated_api",
    "file": "/home/runner/work/coq-jr/coq-jr/src/Deno.res",
    "action": "module_replace",
    "rule_module": "migration_rules",
    "severity": "medium"
  },
  {
    "reason": "Js.Nullable deprecated -- use Nullable (3 occurrences)",
    "type": "deprecated_api",
    "file": "/home/runner/work/coq-jr/coq-jr/src/Dom.res",
    "action": "module_replace",
    "rule_module": "migration_rules",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence