[ci] Dependency Review workflow fails because Dependency Graph is not enabled on this repository
Symptom
Every PR targeting main runs Dependency Review, which fails consistently with:
```
##[error]Dependency review is not supported on this repository. Please ensure that
Dependency graph is enabled, see https://github.com/judeper/FSI-CopilotGov-Solutions/settings/security_analysis
```
Dependency Review only runs on pull_request events, so historical failures on PRs #192–#217 in the 2026-05-04 accuracy review cycle are visible in the Actions tab.
Cause
actions/dependency-review-action@v4 requires the Dependency graph GitHub Advanced Security feature to be enabled at the repo level. For this private (or org-restricted) repository, the feature is currently OFF.
Fix — pick one
Option A — enable Dependency graph (recommended)
- Repo admin opens Settings → Security → Code security and analysis.
- Toggle Dependency graph to Enabled.
- Optionally enable Dependabot alerts and Dependabot security updates.
- Re-run the latest failed Dependency Review workflow to confirm green.
This is free for public repositories. For private repos in this organization, confirm GHAS licensing covers it; if not, fall back to Option B.
Option B — remove the workflow
If Dependency graph cannot be enabled (licensing or org policy), delete .github/workflows/dependency-review.yml. The repository ships only Python and PowerShell tooling with no third-party runtime npm/Maven/etc. dependency surface, so actions/dependency-review-action provides limited value.
Option C — guard the job behind a feature flag
```yaml
jobs:
  dependency-review:
    if: vars.DEPENDENCY_GRAPH_ENABLED == 'true'
    ...
```
…then leave the variable unset until the feature is enabled.
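Option C as a complete workflow file, added here as an example rather than the repository's existing dependency-review.yml; the variable name comes from the snippet above, while the `fail-on-severity` and `comment-summary-in-pr` inputs are assumed extras:

```yaml
# Added example (not the repository's own workflow file): Option C applied to a
# full .github/workflows/dependency-review.yml. Assumes a repository variable
# DEPENDENCY_GRAPH_ENABLED created under Settings -> Secrets and variables ->
# Actions -> Variables; the severity threshold is an illustrative choice.
name: Dependency Review

on:
  pull_request:
    branches: [main]

permissions:
  contents: read          # read-only token is enough to diff manifests
  pull-requests: write    # only needed for comment-summary-in-pr below

jobs:
  dependency-review:
    # Skipped (not failed) while the variable is unset or not 'true', so the
    # job stops producing "not supported" errors until the graph is enabled.
    if: vars.DEPENDENCY_GRAPH_ENABLED == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high
          comment-summary-in-pr: always
```

Once Option A is done, set the variable to `true` and the job starts running on the next PR; until then a job skipped by `if:` reports as skipped, not failed, so it does not block merging.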
Acceptance criteria
- Dependency Review failing for "not supported" reasons.
References
- ccf0cf5 ("critique-response — tier metadata, coverage honesty, security & CI hardening")