elastic · elena-shostak · May 2, 2025 · Apr 25, 2025 · Apr 25, 2025 · Apr 28, 2025
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1975,8 +1975,8 @@ x-pack/platform/plugins/private/cloud_integrations/cloud_full_story/server/confi
 /.github/codeql @elastic/kibana-security
 /.github/workflows/codeql.yml @elastic/kibana-security
 /.github/workflows/codeql-stats.yml @elastic/kibana-security
+/.github/workflows/enforce-dependency-review.yml @elastic/kibana-security
 /.github/workflows/evaluate-dependency-health.yml @elastic/kibana-security
-/.github/workflows/auto-approve-renovate-updates.yml @elastic/kibana-security
 /src/dev/eslint/security_eslint_rule_tests.ts @elastic/kibana-security
 /src/core/server/integration_tests/config/check_dynamic_config.test.ts @elastic/kibana-security
 /src/platform/plugins/shared/telemetry/server/config/telemetry_labels.ts @elastic/kibana-security
@@ -2757,9 +2757,6 @@ src/platform/testfunctional/page_objects/solution_navigation.ts @elastic/appex-s
 /x-pack/test_serverless/functional/page_objects/svl_sec_landing_page.ts @elastic/appex-sharedux
 /x-pack/test_serverless/functional/test_suites/security/ftr/navigation.ts @elastic/appex-sharedux
 
-# Root package.json file
-/package.json @elastic/kibana-security @kibanamachine
-
 # OpenAPI spec files
 oas_docs/.spectral.yaml                       @elastic/platform-docs
 oas_docs/kibana.info.serverless.yaml          @elastic/platform-docs

@@ -0,0 +1,39 @@
+name: Enforce Dependency Review
+
+on:
+  pull_request_target:
+    types: [opened, reopened, synchronize]
+    paths:
+      - 'package.json'
+    branches:
+      - 'main'
+
+jobs:
+  analyze:
+    name: Analyze new dependencies
+    runs-on: ubuntu-latest
+    if: |
+      github.repository == 'elastic/kibana' &&
+      github.actor != 'elastic-renovate-prod[bot]'
+    steps:
+    - name: Checkout kibana-operations
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        repository: 'elastic/kibana-operations'
+        ref: main
+        path: ./kibana-operations
+        token: ${{secrets.KIBANAMACHINE_TOKEN}}
+
+    - name: Run dependency security review
+      working-directory: ./kibana-operations/triage
+      env:
+        GITHUB_TOKEN: ${{secrets.KIBANAMACHINE_TOKEN}}
+        PR_NUMBER: ${{ github.event.pull_request.number }}
+        REPO_OWNER: ${{ github.repository_owner }}
+        REPO_NAME: ${{ github.event.repository.name }}
+        HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+        BASE_SHA: ${{ github.event.pull_request.base.sha }}
+        EVENT_NAME: ${{ github.event_name }}
+      run: |
+        npm ci --omit=dev
+        node enforce-dependency-review.js