
ci: replace reusable workflow with gh-actions composite actions#384

Merged
kinyoklion merged 2 commits into main from devin/1776354920-replace-dependency-scan-workflow
Apr 16, 2026

Conversation

@kinyoklion
Member

@kinyoklion kinyoklion commented Apr 16, 2026

Requirements

  • I have added test coverage for new or changed functionality
  • I have followed the repository's pull request submission guidelines
  • I have validated my changes against all supported platform versions

N/A — CI-only change, no application code modified.

Related issues

A similar change was made in launchdarkly/hello-node-typescript to replace common-workflows reusable workflow usage.

Describe the solution you've provided

Replaces the reusable workflow reference (launchdarkly/gh-actions/.github/workflows/dependency-scan.yml@main) with direct usage of the two composite actions from launchdarkly/gh-actions/actions/dependency-scan/:

  • generate-sbom — generates the SBOM for nodejs
  • evaluate-policy — evaluates the SBOM against the license policy

This aligns with how other SDK repos (js-client-sdk, js-core, openfeature-node-server, etc.) already configure their dependency scan workflows.

Describe alternatives you've considered

None — this is a direct migration to the recommended action pattern.

Additional context

The previous reusable workflow path (gh-actions/.github/workflows/dependency-scan.yml) does not exist in the gh-actions repo, so the old workflow was non-functional.

Human review checklist

  • Verify the two-job structure (generate-nodejs-sbom → evaluate-policy) matches the standard org pattern
  • Confirm the dependency scan workflow runs successfully on this PR

Link to Devin session: https://app.devin.ai/sessions/2783d2578c67461aa0af3b814ea886b2
Requested by: @kinyoklion


Note

Low Risk
CI-only workflow change; main risk is breaking dependency scanning if the new jobs/artifact pattern are misconfigured.

Overview
Updates the Dependency Scan GitHub Actions workflow to stop calling the launchdarkly/gh-actions reusable workflow and instead run two explicit jobs.

The new flow generates a Node.js SBOM via actions/dependency-scan/generate-sbom@main, then gates on a follow-up evaluate-policy job that runs actions/dependency-scan/evaluate-policy@main against the produced bom-* artifacts.

Reviewed by Cursor Bugbot for commit e3b9b7c. Bugbot is set up for automated code reviews on this repo.

Co-Authored-By: rlamb@launchdarkly.com <4955475+kinyoklion@users.noreply.github.com>
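The two-job structure the description outlines, written out as an added example workflow. This is not the PR's own file: the job names, the two composite action paths and the `@main` refs come from the description above, while the trigger events, the runner, the `actions/checkout` step, the `permissions` block and the absence of any `with:` inputs are my assumptions (the page does not document the actions' inputs, nor how the `bom-*` artifacts are handed from the first job to the second, so nothing is invented for either). The commented-out `uses:` lines show the hardened alternative of pinning the composite actions to a commit SHA instead of the mutable `main` branch; `<commit-sha>` is a placeholder, not a real value.

```yaml
# Added example: a minimal dependency-scan workflow matching the
# generate-nodejs-sbom -> evaluate-policy pattern described in the PR.
# Trigger events, runner and checkout step are assumptions, not from the page.
name: Dependency Scan

on:
  push:
    branches: [main]
  pull_request:

# Least-privilege token: SBOM generation and license-policy evaluation only
# need to read the repository contents, so nothing else is granted.
permissions:
  contents: read

jobs:
  generate-nodejs-sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Composite action named in the PR description. Its inputs (if any)
      # are not documented on the page and are deliberately omitted here.
      - uses: launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@main
      # Hardened alternative: pin to an immutable commit instead of a branch.
      # - uses: launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@<commit-sha>

  evaluate-policy:
    # Gate on the SBOM job so the policy check never runs against a missing
    # or partial bom-* artifact set.
    needs: generate-nodejs-sbom
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Evaluates the produced SBOM against the license policy (per the PR).
      - uses: launchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@main
      # - uses: launchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@<commit-sha>
```

Two checks worth doing on any workflow shaped like this: confirm the `needs:` edge exists so a failed SBOM job fails the scan rather than letting `evaluate-policy` pass on an empty artifact list, and confirm the `permissions` block is present, since a workflow without one inherits the repository default token scope.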
@devin-ai-integration
Contributor

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@launchdarkly-upra

claude-review — Issues Found

The claude-review security scan found issues on commit e3b9b7c. See the workflow run for details.

@kinyoklion kinyoklion marked this pull request as ready for review April 16, 2026 17:44
@kinyoklion kinyoklion requested a review from a team as a code owner April 16, 2026 17:44
@kinyoklion kinyoklion merged commit b7c9c6b into main Apr 16, 2026
7 of 8 checks passed
@kinyoklion kinyoklion deleted the devin/1776354920-replace-dependency-scan-workflow branch April 16, 2026 17:46
