ci(workflows): add monthly cargo outdated dependency scan#8176

Open
ConYel wants to merge 1 commit into
zeroclaw-labs:masterfrom
ConYel:ci/cargo-outdated

Conversation

@ConYel

@ConYel ConYel commented Jun 22, 2026

Contributor

Summary

Design

Why monthly, not daily?

Outdated dependencies are a maintenance concern, not a security emergency. A daily scan would desensitize the team to the output — noise that gets ignored. Monthly gives a regular, low-pressure pulse.

The advisory scan (daily-audit.yml) runs daily and catches security-relevant advisories. They serve different purposes:

| Scan | Cadence | Surface | When to care |
|------|---------|---------|--------------|
| Advisory (`cargo deny check advisories`) | Daily | CVEs with known security impact | Immediately |
| Outdated (`cargo outdated`) | Monthly | Rust crates + toolchain versions | When triaging maintenance |

Toolchain versions included

The issue body includes rustc --version and cargo --version alongside the outdated crate table. Useful context when deciding whether to bump the pinned toolchain separately from crate updates.

Why --exit-code 1?

`cargo outdated` defaults to exit 0 even with outdated deps. Passing `--exit-code 1` makes it exit 1 if anything is outdated, which we use to trigger issue creation. Without this flag, we'd need to grep the output — brittle.

Dedup logic (same pattern as daily-audit)

If an "Outdated dependencies found" issue is already open, the workflow skips creation. This prevents a pile-up of monthly issues that nobody triaged. If you close the issue without fixing the deps, next month's scan opens a fresh one.

Issue body

The created issue contains the toolchain versions and cargo outdated output in a code block plus a link to the workflow run, making it easy to see what's stale without running the tool locally.

Files changed

| File | Change |
|------|--------|
| `.github/workflows/monthly-outdated.yml` | +116 lines: New workflow for monthly outdated dependency scan |

What this completes in RFC #7675

| Phase | Item | Status |
|-------|------|--------|
| 1 | cargo audit | ✅ #8129 |
| 1 | Lockfile integrity | ✅ #8056 |
| 1 | npm dependency review | ✅ #8056 |
| 1 | Semgrep (PR) + CodeQL (master) | ✅ ci/codeql-static-analysis |
| 2 | SBOM generation (Rust + npm) | ✅ ci/sbom-generation |
| 2 | Trivy container scanning | ✅ ci/trivy-container-scanning |
| 3 | cargo outdated monthly | ⬆️ This PR |
| 3 | Cosign signing + SLSA provenance | ❌ |
| 4 | deny.toml hardening | ❌ |

Sliding steadily through the RFC. Two items left: Cosign/SLSA (Phase 3) and deny.toml policy (Phase 4).

Security & Privacy Impact

  • New permissions, capabilities, or file system access scope? (Yes — `issues: write` added for automated issue creation)
  • New external network calls? (Yes — `cargo install cargo-outdated` downloads from crates.io; `cargo outdated` queries crates.io for version info)
  • Secrets / tokens / credentials handling changed? (No)
  • PII, real identities, or personal data in diff, tests, fixtures, or docs? (No)

Compatibility

  • Backward compatible? (Yes — new workflow, zero changes to existing CI)
  • Config / env / CLI surface changed? (No)

Rollback

git revert removes the workflow file with no side effects.
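The step logic described above (exit-code-driven trigger, dedup against an already-open issue, issue body with toolchain versions and a run link), as an added example that is not the PR's `monthly-outdated.yml`. The `cargo outdated --exit-code 1` call, the issue title and the `dependencies` label come from the PR text; the `gh` CLI invocations and the `--root-deps-only` flag are assumptions about how such a step would be wired, and `run_scan` is only meant to execute inside a GitHub Actions job.

```shell
#!/usr/bin/env bash
# Added example (not the PR's workflow file): the monthly-outdated decision logic,
# factored into functions so the decisions can be checked without cargo or gh.
set -euo pipefail

ISSUE_TITLE="Outdated dependencies found"   # from the PR's dedup description
ISSUE_LABEL="dependencies"                  # from the commit message

# Map the two inputs the PR relies on to one action:
#   $1 = exit status of `cargo outdated --exit-code 1` (0: nothing outdated, 1: something is)
#   $2 = number of open issues already carrying ISSUE_TITLE (the dedup guard)
decide_action() {
  local outdated_exit="$1" open_count="$2"
  if [ "$outdated_exit" -eq 0 ]; then echo skip
  elif [ "$open_count" -gt 0 ]; then echo link   # still open: do not pile up monthly issues
  else echo create
  fi
}

# Assemble the issue body: toolchain versions, the outdated table in a code block, run link.
build_issue_body() {
  local rustc_ver="$1" cargo_ver="$2" outdated_table="$3" run_url="$4"
  local fence='```'
  printf 'Toolchain:\n%s\n%s\n%s\n%s\n\nOutdated crates:\n%s\n%s\n%s\n\nWorkflow run: %s\n' \
    "$fence" "$rustc_ver" "$cargo_ver" "$fence" \
    "$fence" "$outdated_table" "$fence" "$run_url"
}

# What a CI step would run (assumed wiring; needs cargo-outdated, gh and GITHUB_* env vars).
run_scan() {
  local rc=0 table open_count
  table=$(cargo outdated --root-deps-only --exit-code 1 2>&1) || rc=$?
  open_count=$(gh issue list --state open --search "\"$ISSUE_TITLE\" in:title" \
               --json number --jq 'length')
  case "$(decide_action "$rc" "$open_count")" in
    skip) echo "No outdated dependencies." ;;
    link) echo "An '$ISSUE_TITLE' issue is still open; not creating another." ;;
    create)
      build_issue_body "$(rustc --version)" "$(cargo --version)" "$table" \
        "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" \
        | gh issue create --title "$ISSUE_TITLE" --label "$ISSUE_LABEL" --body-file - ;;
  esac
}
```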

Phase 3 of RFC zeroclaw-labs#7675 (Job 7). Runs on the 1st of each month, captures
toolchain versions (rustc, cargo) alongside crate status, opens a GitHub
issue with dependencies label when any dep is outdated. Deduplicates
— links to existing issue if one is still open.
@github-actions github-actions Bot added the ci Auto scope: CI/workflow/hook files changed. label Jun 22, 2026
@Audacity88 Audacity88 added enhancement New feature or request type: ci dependencies Auto scope: dependency manifest/lock/policy changed. domain:ci CI domain risk: high Auto risk: security/runtime/gateway/tools/workflows. size: S Auto size: 81-250 non-doc changed lines. labels Jun 22, 2026