Add recursive glob prefixes to npm path filters in dependency-review workflow #1254

@WilliamBerryiii

Description

Problem

The dependency-pr-review agentic workflow has two path-filter issues:

1. Non-recursive npm path filters

The pull_request.paths filter uses non-recursive globs for npm dependency files:

paths:
  - 'package.json'
  - 'package-lock.json'

These globs only match files at the repository root. Changes to nested dependency files such as docs/docusaurus/package.json or docs/docusaurus/package-lock.json do not trigger the dependency review job on pull requests.

The Python paths in the same workflow already use recursive prefixes (**/pyproject.toml, **/uv.lock, **/requirements*.txt), so the npm entries are inconsistent.

2. Sparse-checkout cone mode incompatibility

The checkout.sparse-checkout section uses file-level glob patterns:

sparse-checkout: |
  **/requirements.txt
  **/pyproject.toml

The gh-aw compiler hardcodes sparse-checkout-cone-mode: true, which rejects ** file-level patterns at checkout time with:

fatal: specify directories rather than patterns

This causes the Dependabot PR Review / agent job to fail at the "Checkout repository" step.

Expected behavior

  1. The dependency review workflow should trigger for dependency file changes anywhere in the repository, matching the existing Python path convention.
  2. The sparse-checkout should use directory paths compatible with cone mode.

Fix (PR #1259)

  1. Updated the two npm path filters to use **/ prefixes in on.pull_request.paths.
  2. Replaced **/requirements.txt and **/pyproject.toml in checkout.sparse-checkout with .github/skills/ — a single directory entry that covers all Python dependency files and is future-proof for new skills.

Impact

Without this fix:

  • PRs that modify only nested npm dependency files (e.g., docs/docusaurus/) skip the dependency review entirely — no license check, no vulnerability severity gate, and no PR comment summary.
  • The agent job fails at checkout for any PR that triggers the workflow, blocking all dependency review.
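To make the two behaviours above concrete, here is a small added Python model (not code from the issue, the gh-aw project, or GitHub) of the `paths:` filter glob semantics and of cone mode's directory-only rule. The glob rules (`*` stops at `/`, `**` crosses it, a `**/` prefix matches zero or more directory levels) follow the GitHub Actions workflow-syntax documentation; the cone-mode check is a deliberate simplification that assumes any glob metacharacter is what git refuses, and the changed-file list is constructed.

```python
import re

# GitHub Actions `paths:` filter semantics (per the workflow-syntax docs):
#   *   matches any run of characters except '/'
#   **  matches any run of characters, '/' included
#   a '**/' segment matches zero or more directory levels, so
#   '**/package.json' matches 'package.json' and 'docs/docusaurus/package.json'.
def path_filter_regex(pattern: str) -> re.Pattern:
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def files_triggering(paths_filter, changed_files):
    """Return the changed files that would make a `paths:` filter fire."""
    regexes = [path_filter_regex(p) for p in paths_filter]
    return [f for f in changed_files if any(r.match(f) for r in regexes)]

def cone_mode_rejects(entry: str) -> bool:
    """Cone mode takes directory paths only. Assumption: any glob metacharacter
    marks an entry git refuses with 'specify directories rather than patterns'."""
    return any(ch in "*?[" for ch in entry)

# Constructed sample: a PR touching only the nested Docusaurus dependency files.
CHANGED = ["docs/docusaurus/package.json", "docs/docusaurus/package-lock.json"]
OLD_FILTER = ["package.json", "package-lock.json"]        # root-only, as in the bug
NEW_FILTER = ["**/package.json", "**/package-lock.json"]  # after the fix

if __name__ == "__main__":
    print("old filter fires on:", files_triggering(OLD_FILTER, CHANGED))  # []
    print("new filter fires on:", files_triggering(NEW_FILTER, CHANGED))
    for entry in ["**/requirements.txt", "**/pyproject.toml", ".github/skills/"]:
        print(entry, "rejected by cone mode:", cone_mode_rejects(entry))
```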

Metadata

Labels: bug (Something isn't working)