ci: add dependency review and PR validation workflows

[BrendanWalsh]

What changes were proposed in this pull request?

Adds two new GitHub Actions workflows for fast PR feedback:

1. Dependency Review (dependency-review.yml)

• Runs on every PR to master
• Uses GitHub's dependency-review-action@v4 to flag:
  • New dependencies with known vulnerabilities (fails on high severity)
  • Dependencies with restricted licenses
• Posts a summary comment directly on the PR
• Zero maintenance — uses GitHub's advisory database

2. PR Validation (pr-validation.yml)

• Runs on every PR to master (skips doc-only changes)
• Provides fast automated feedback without waiting for ADO pipeline (/azp run takes 45+ min)
• Python Style Check (~15 seconds): black --check on all .py and .ipynb files
• Compile & Style Check (~5.5 min):
  • sbt scalastyle test:scalastyle — Scala style checks
  • sbt compile test:compile — full compilation of main + test code across all 6 modules
• Both jobs run in parallel for fastest feedback
• Caches sbt dependencies via setup-java for faster subsequent runs

How was this patch tested?

The PR itself exercises both workflows. Dependency Review runs on PRs, and PR Validation compiles the project and checks Python formatting.

Does this PR introduce any user-facing change?

No — improves CI feedback for contributors.

[github-actions]

Hey @BrendanWalsh 👋!
Thank you so much for contributing to our repository 🙌.
Someone from SynapseML Team will be reviewing this pull request soon.

We use semantic commit messages to streamline the release process.
Before your pull request can be merged, you should make sure your first commit and PR title start with a semantic prefix.
This helps us to create release messages and credit you for your hard work!

Examples of commit messages with semantic prefixes:

• fix: Fix LightGBM crashes with empty partitions
• feat: Make HTTP on Spark back-offs configurable
• docs: Update Spark Serving usage
• build: Add codecov support
• perf: improve LightGBM memory usage
• refactor: make python code generation rely on classes
• style: Remove nulls from CNTKModel
• test: Add test coverage for CNTKModel

To test your commit locally, please follow our guild on building from source.
Check out the developer guide for additional guidance on testing your change.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	4.*.*	🟢 6.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 8 2 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/setup-java	4.*.*	🟢 6	Details Check Score Reason Maintained 🟢 8 10 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 8 Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Vulnerabilities 🟢 7 3 existing vulnerabilities detected SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9
actions/actions/setup-python	5.*.*	🟢 5.1	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 6 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Fuzzing ⚠️ 0 project is not fuzzed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Vulnerabilities ⚠️ 1 9 existing vulnerabilities detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9

Scanned Files

• .github/workflows/pr-validation.yml