google · weiminyu · May 18, 2026 · May 18, 2026
diff --git a/.github/workflows/lockfile-comment.yml b/.github/workflows/lockfile-comment.yml
@@ -0,0 +1,46 @@
+# If dependencies change, add a comment to remind the author.
+name: Request Lockfile Review
+
+on:
+  workflow_run:
+    workflows: ["Lockfile Scan"]
+    types:
+      - completed
+
+jobs:
+  comment:
+    # Ensure the scanning workflow actually succeeded before doing anything
+    if: github.event.workflow_run.conclusion == 'success'
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: lockfile-scan-results
+          path: ./results
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          run-id: ${{ github.event.workflow_run.id }}
+
+      - name: Post unresolved review comment
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+
+            const anyChanged = fs.readFileSync('./results/any_changed.txt', 'utf8').trim();
+            if (anyChanged !== 'true') {
+              console.log('No lockfiles were changed. Skipping comment.');
+              return;
+            }
+
+            const prNumber = fs.readFileSync('./results/pr_number.txt', 'utf8').trim();
+
+            await github.rest.pulls.createReview({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: parseInt(prNumber, 10),
+              event: 'COMMENT',
+              body: `### ⚠️ Attention Required: Lockfile Detected\nThis pull request contains modifications to one or more \`*.lockfile\` files. Please confirm that you have run update_dependency.sh to push new dependencies to the private repo.\n\n_The PR author must manually mark this conversation as resolved before merging._`
+            });
diff --git a/.github/workflows/lockfile-scan.yml b/.github/workflows/lockfile-scan.yml
@@ -0,0 +1,33 @@
+# Scan for Gradle dependency changes in PR
+name: Lockfile Scan
+
+on:
+  pull_request:
+    branches: ["master"]
+    types: [opened, synchronize, reopened]
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Check for changed lockfiles
+        id: changed-files
+        uses: tj-actions/changed-files@v45
+        with:
+          files: |
+            **/*.lockfile
+
+      - name: Save scan results
+        run: |
+          mkdir -p ./results
+          echo "${{ steps.changed-files.outputs.any_changed }}" > ./results/any_changed.txt
+          echo "${{ github.event.pull_request.number }}" > ./results/pr_number.txt
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: lockfile-scan-results
+          path: ./results/
diff --git a/.github/workflows/update-dependency-reminder.ymlname: b/.github/workflows/update-dependency-reminder.ymlname:
diff --git a/gradle.lockfile b/gradle.lockfile
@@ -1,6 +1,7 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
+#
 com.google.code.findbugs:jsr305:3.0.2=checkstyle
 com.google.errorprone:error_prone_annotations:2.36.0=checkstyle
 com.google.guava:failureaccess:1.0.3=checkstyle