
chore: add dependency review #81

Closed
sheyanjie-qq wants to merge 1 commit into main from chore/add-dependency-review

Conversation

@sheyanjie-qq (Contributor)

Description

add dependency review

Issue(s)

  • Close/close/Fix/fix/Resolve/resolve: Issue Link

Checklist

Please check the items in the checklist if applicable.

  • Is the user manual updated?
  • Are the test cases passed and automated?
  • Is there no significant decrease in test coverage?

Copilot AI review requested due to automatic review settings February 9, 2026 03:04
@gemini-code-assist

Summary of Changes

Hello @sheyanjie-qq, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request, titled 'chore: add dependency review', aims to introduce dependency review functionality. However, the current patch primarily focuses on repository hygiene by updating the '.gitignore' file. It specifically adds '.DS_Store' to the ignore list and corrects a newline termination for the 'version.txt' entry.

Highlights

  • Git Ignore Update: Added '.DS_Store' to the '.gitignore' file to prevent macOS-specific metadata files from being committed to the repository.
  • File Formatting: Ensured the 'version.txt' entry in '.gitignore' has a trailing newline character, improving file consistency.


Changelog

  • .gitignore
    • Added '.DS_Store' to the list of ignored files.
    • Ensured the 'version.txt' entry has a trailing newline character.

Ignored Files

  • Ignored by pattern: .github/workflows/** (3)
    • .github/workflows/codeql.yml
    • .github/workflows/dependency-report.yml
    • .github/workflows/trivy-scan.yml

Activity

  • The pull request was opened by 'sheyanjie-qq' with the title 'chore: add dependency review'.
  • The description outlines the intent to add dependency review and includes a standard PR checklist.
  • No further review comments or activity have been recorded for this pull request yet.

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@gemini-code-assist (bot) left a comment

Code Review

This pull request makes some useful housekeeping changes to the .gitignore file, adding .DS_Store to the ignore list and ensuring the file ends with a newline. I've made one suggestion to improve the organization of the .gitignore file and correct a minor formatting issue. Please note that the changes in this PR don't seem to relate to the title 'add dependency review'.

Copilot AI left a comment

Pull request overview

Adds GitHub Actions security/dependency review automation (dependency scanning, license/vulnerability scanning, and CodeQL) to improve supply-chain and code security visibility in CI.

Changes:

  • Added Trivy workflow to scan dependencies for vulnerabilities and licenses, and upload SARIF to GitHub Security.
  • Added OWASP Dependency-Check workflow that generates an HTML dependency report and uploads it as an artifact.
  • Added CodeQL Advanced workflow for Actions + Java/Kotlin analysis.
  • Updated .gitignore to ignore .DS_Store and normalized version.txt entry.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 6 comments.

  • .gitignore: Ignores macOS .DS_Store and cleans up ignore entry formatting.
  • .github/workflows/trivy-scan.yml: Adds Trivy vuln/license scanning and SARIF upload for code scanning.
  • .github/workflows/dependency-report.yml: Adds scheduled/PR dependency report generation via OWASP Dependency-Check.
  • .github/workflows/codeql.yml: Adds scheduled/PR CodeQL scanning workflow.

permissions:
contents: read
pull-requests: write
Copilot AI, Feb 9, 2026

This workflow grants pull-requests: write, but none of the steps appear to write to PRs (it only builds, runs dependency-check, and uploads an artifact). For least privilege, drop this permission (or scope it to only what’s required if you later add PR comments).

Suggested change
pull-requests: write

Comment on lines +6 to +10
pull_request:
branches: [ main, 3.0 ]
types: [ opened, synchronize, reopened ]
push:
branches: [ main, 3.0 ]
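Review bot: In both `branches: [ main, 3.0 ]` filters of this hunk the bare `3.0` is parsed by YAML as a float rather than the string "3.0", so depending on how the runner stringifies it the filter may never match a branch literally named 3.0; quote it as `branches: [ main, "3.0" ]`, which is how the codeql and dependency-report workflows in this same PR write it.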
Copilot AI, Feb 9, 2026

These triggers target main/3.0, but this repo’s existing CI workflow runs on master (see .github/workflows/ci.yml). If the default branch is still master, this workflow won’t run on PRs/pushes as intended—please align the branch filters (or include master as well).

Comment on lines +3 to +5
on:
pull_request:
branches: [ "main", "3.0" ]
Copilot AI, Feb 9, 2026

This workflow is configured to run only for PRs targeting main/3.0, but the repository’s current CI workflow triggers on master (.github/workflows/ci.yml). If master is still the primary branch, dependency reports won’t run for most PRs—please update the branch filters accordingly.

Comment on lines +14 to +18
on:
push:
branches: [ "main", "3.0" ]
pull_request:
branches: [ "main", "3.0" ]
Copilot AI, Feb 9, 2026

The CodeQL workflow is scoped to main/3.0, while the repo’s existing CI is scoped to master (.github/workflows/ci.yml). If master is the active default branch, CodeQL won’t run on pushes/PRs as expected—please align the branch list (or include master).

Comment on lines +51 to +59
- name: Trivy License Scan
uses: aquasecurity/trivy-action@0.33.1
continue-on-error: true # FIX: Add fault tolerance to avoid interrupting subsequent steps
with:
scan-type: fs
scan-ref: .
format: table
exit-code: 1 # Fail CI on non-allowed licenses
skip-dirs: target # Skip build artifacts to speed up scan
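Review bot: `uses: aquasecurity/trivy-action@0.33.1` pins the action to a mutable release tag; for a workflow whose whole purpose is supply-chain review, pin to the full commit SHA of that release (keeping the tag in a trailing comment for readability) so that a moved or retagged release cannot silently change what runs in CI.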
Copilot AI, Feb 9, 2026

The license scan sets exit-code: 1 (comment says “Fail CI”), but also has continue-on-error: true and there’s no follow-up gating step (unlike the vuln scan). As written, license findings won’t fail the workflow—either remove continue-on-error or add an explicit failure step that checks the license scan outcome.

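One way to make the license step gate the job while still letting later steps run, written here as an added example rather than the PR's own workflow: the `id`, the trailing gating step and the `scanners: license` input are assumptions; the other inputs are the ones shown in the hunk above.

```yaml
      - name: Trivy License Scan
        id: license_scan                        # assumed id, so the outcome can be checked later
        uses: aquasecurity/trivy-action@0.33.1  # prefer pinning to the release's commit SHA
        continue-on-error: true                 # keep later steps (uploads, reports) running
        with:
          scan-type: fs
          scan-ref: .
          scanners: license                     # assumption: restrict this step to license checks
          format: table
          exit-code: 1                          # step outcome becomes 'failure' on disallowed licenses
          skip-dirs: target

      # ... vulnerability scan, SARIF upload and any other steps go here ...

      # Gate: continue-on-error hides the failure from the job status, so re-raise it
      # explicitly once the remaining steps have had a chance to run. The step's
      # `outcome` is 'failure' even though its `conclusion` was recorded as success.
      - name: Fail job on disallowed licenses
        if: steps.license_scan.outcome == 'failure'
        run: |
          echo "::error::Trivy license scan reported disallowed licenses"
          exit 1
```

Dropping `continue-on-error: true` is the simpler alternative when nothing after the license scan needs to run on a license failure.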
sheyanjie-qq force-pushed the chore/add-dependency-review branch from 2ab4387 to b33ec49 on February 9, 2026 03:14
sheyanjie-qq force-pushed the chore/add-dependency-review branch from b33ec49 to a106bdb on February 9, 2026 03:28