ci: use Github action-based dependency license checking

clydin · clydin · commit 5a63eff0dc3f · 2024-06-04T14:03:28.000-04:00
Dependency know leverages the Github dependency review action instead of the previous custom solution. The action uses the Github dependency API to analyze dependencies. This not only should provide more accurate results but also lower the maintenance costs for the license checking. The initial allowed licenses list is based on the previous checker list with licenses that are no longer used removed. Action Documentation: https://github.com/actions/dependency-review-action
diff --git a/.github/dependency-review-config.yml b/.github/dependency-review-config.yml
@@ -0,0 +1,12 @@
+vulnerability_check: false
+allow_licenses:
+  - '0BSD'
+  - 'Apache-2.0'
+  - 'BlueOak-1.0.0'
+  - 'BSD-2-Clause'
+  - 'BSD-3-Clause'
+  - 'CC-BY-4.0'
+  - 'ISC'
+  - 'MIT'
+  - 'Python-2.0'
+  - 'Unlicense'
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -50,6 +50,10 @@ jobs:
         run: yarn ts-circular-deps check
       - name: Run Validation
         run: yarn -s admin validate
+      - name: Check Package Licenses
+        uses: actions/dependency-review-action@0c155c5e8556a497adf53f2c18edabf945ed8e70 # v4.3.2
+        with:
+          config-file: './.github/dependency-review-config.yml'
       - name: Check tooling setup
         run: yarn -s check-tooling-setup
       - name: Check commit message
diff --git a/package.json b/package.json
@@ -95,7 +95,6 @@
     "@types/jasmine": "~5.1.0",
     "@types/karma": "^6.3.0",
     "@types/less": "^3.0.3",
-    "@types/license-checker": "^25.0.6",
     "@types/loader-utils": "^2.0.0",
     "@types/lodash": "^4.17.0",
     "@types/node": "^18.13.0",
@@ -106,7 +105,6 @@
     "@types/resolve": "^1.17.1",
     "@types/semver": "^7.3.12",
     "@types/shelljs": "^0.8.11",
-    "@types/spdx-satisfies": "^0.1.2",
     "@types/tar": "^6.1.2",
     "@types/watchpack": "^2.4.4",
     "@types/yargs": "^17.0.20",
@@ -157,7 +155,6 @@
     "karma-source-map-support": "1.4.0",
     "less": "4.2.0",
     "less-loader": "12.2.0",
-    "license-checker": "^25.0.0",
     "license-webpack-plugin": "4.0.2",
     "lmdb": "3.0.11",
     "loader-utils": "3.2.2",
@@ -193,7 +190,6 @@
     "source-map": "0.7.4",
     "source-map-loader": "5.0.0",
     "source-map-support": "0.5.21",
-    "spdx-satisfies": "^5.0.0",
     "symbol-observable": "4.0.0",
     "tar": "^6.1.6",
     "terser": "5.31.0",
diff --git a/scripts/validate-licenses.mts b/scripts/validate-licenses.mts
diff --git a/scripts/validate.mts b/scripts/validate.mts
@@ -8,7 +8,6 @@
 
 import { execSync } from 'child_process';
 import templates from './templates.mjs';
-import validateLicenses from './validate-licenses.mjs';
 import validateUserAnalytics from './validate-user-analytics.mjs';
 
 export default async function (options: { verbose: boolean }) {
@@ -34,10 +33,6 @@ export default async function (options: { verbose: boolean }) {
     error = true;
   }
 
-  console.info('');
-  console.info('Running license validation...');
-  error = (await validateLicenses({})) != 0 || error;
-
   console.info('');
   console.info('Running User Analytics validation...');
   error = (await validateUserAnalytics({})) != 0 || error;
diff --git a/yarn.lock b/yarn.lock
