
feat: add support for PR artifacts in --use-version flag #6252


# Dependency Review workflow.
# On every pull request it runs actions/dependency-review-action against the
# go.mod manifest (license allow-list + vulnerability severity gate) and then
# verifies that the committed NOTICE file matches what the generator script
# produces from the current dependency set.
name: Dependency Review

# `on` is a YAML 1.1 boolean for generic parsers; GitHub's loader reads it as the key.
# yamllint disable-line rule:truthy
on:
  pull_request:
    types: [opened, synchronize, reopened]

# Least-privilege token scope: read the checkout, write only to pull requests so
# the review action can post its summary comment (see comment-summary-in-pr).
permissions:
  contents: read
  pull-requests: write

jobs:
  dependency-review:
    name: Review Dependency Licenses
    # Runner selected through runs-on=... labels rather than a hosted image.
    # NOTE(review): `private=false` is kept from the original configuration —
    # confirm it matches the intended network placement for a job that
    # executes pull-request code.
    runs-on:
      - runs-on=${{github.run_id}}
      - runner=terraform
      - tag=atmos
      - extras=s3-cache
      - private=false
    steps:
      # NOTE(review): actions below are referenced by major-version tag.
      # Pinning each `uses:` to a full commit SHA (tag noted in a trailing
      # comment) makes the action supply chain reproducible and tamper-evident.
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod

      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          # Scorecard output is omitted to keep the summary under the size limit
          # (prevents 1024k limit errors).
          show-openssf-scorecard: false
          # Permissive-license allow-list. GitHub's dependency graph discovers Go
          # modules from go.mod automatically, so license checks apply at the
          # manifest level for go.mod dependencies.
          # NOTE(review): `LicenseRef-scancode-unknown-license-reference` admits
          # packages whose license could not be resolved, which loosens the gate;
          # confirm that is intended. Folded scalar: line breaks become single
          # spaces, so the value is the same comma-separated string.
          allow-licenses: >-
            MIT, MIT-0, Apache-2.0, BSD-2-Clause, BSD-2-Clause-Views,
            BSD-3-Clause, ISC, MPL-2.0, 0BSD, Unlicense, CC0-1.0, CC-BY-3.0,
            CC-BY-4.0, CC-BY-SA-3.0, Python-2.0, OFL-1.1,
            LicenseRef-scancode-generic-cla,
            LicenseRef-scancode-unknown-license-reference,
            LicenseRef-scancode-unicode,
            LicenseRef-scancode-google-patent-license-golang
          # Block the PR on moderate or higher severity advisories.
          fail-on-severity: moderate
          # Always post the findings as a PR comment.
          comment-summary-in-pr: always

      - name: Generate NOTICE file
        run: ./scripts/generate-notice.sh

      # Fail the job if regenerating NOTICE changed the tracked file; the error
      # annotation tells the author how to refresh it locally.
      - name: Check if NOTICE is up to date
        run: |
          if ! git diff --exit-code NOTICE; then
            echo "::error::NOTICE file is out of date. Run './scripts/generate-notice.sh' locally and commit the changes."
            exit 1
          fi