refactor(deps): address nv-anants review feedback

Implemented review comments from PR #3547:

1. **Clarified gitignore patterns** - Added detailed comments explaining why timestamped CSVs are ignored while latest/release versions are tracked

2. **Merged unversioned dependencies into main CSV** - Removed separate unversioned_dependencies.csv file. All dependencies (versioned and unversioned) now in single CSV with console warnings for unversioned ones

3. **Moved config file** - Relocated extract_dependency_versions_config.yaml to .github/dependency-extraction/config.yaml for better organization outside workflows folder

4. **Merged nightly/release workflows** - Combined dependency-extraction-nightly.yml and dependency-extraction-release.yml into single unified dependency-extraction.yml with conditional logic based on trigger type

5. **Enhanced composite action** - Expanded dependency-extraction-setup action to include checkout, reports directory creation, and configurable fetch-depth

Changes:
- Updated all references to new config path
- Removed --report-unversioned flag from script and workflows
- Added unversioned dependency summary in write_csv() console output
- Unified workflow supports both nightly (schedule/manual) and release (push to release/* or manual) modes
- Composite action now handles more common setup steps

Documentation updated:
- README.md now references unified workflow
- PR description updated with comprehensive review details

Signed-off-by: Dan Gil <[email protected]>

.github/actions/dependency-extraction-setup/action.yml

@@ -20,10 +20,19 @@ inputs:
     description: 'Python version to use'
     required: false
     default: '3.12'
+  fetch-depth:
+    description: 'Depth for git checkout (0 for full history, 1 for shallow)'
+    required: false
+    default: '0'
 
 runs:
   using: "composite"
   steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: ${{ inputs.fetch-depth }}
+
     - name: Set up Python
       uses: actions/setup-python@v5
       with:
@@ -33,3 +42,7 @@ runs:
       shell: bash
       run: pip install pyyaml
 
+    - name: Create reports directory
+      shell: bash
+      run: mkdir -p .github/reports
+

.github/reports/README.md

@@ -72,7 +72,7 @@ Critical dependencies are flagged in the CSV to highlight components that requir
 - Production stability
 - Compliance requirements
 
-The list of critical dependencies is **explicitly maintained** in `../workflows/extract_dependency_versions_config.yaml` under the `critical_dependencies` section. Only dependencies listed in this configuration file are marked as critical. Examples include:
+The list of critical dependencies is **explicitly maintained** in `../dependency-extraction/config.yaml` under the `critical_dependencies` section. Only dependencies listed in this configuration file are marked as critical. Examples include:
 - CUDA (compute platform)
 - PyTorch (ML framework)
 - TensorRT-LLM (inference framework)
@@ -128,6 +128,5 @@ python3 .github/workflows/extract_dependency_versions.py --help
 ## Links
 
 - 🤖 [Extraction Script](../workflows/extract_dependency_versions.py)
-- ⚙️ [Configuration](../workflows/extract_dependency_versions_config.yaml)
-- 📋 [Nightly Workflow](../workflows/dependency-extraction-nightly.yml)
-- 📸 [Release Workflow](../workflows/dependency-extraction-release.yml)
+- ⚙️ [Configuration](../dependency-extraction/config.yaml)
+- 🔄 [Unified Workflow](../workflows/dependency-extraction.yml) (handles both nightly and release)