Add CI workflow to check for unapproved Go dependency licenses #135
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
A task and GitHub Actions workflow are provided here for checking the license types of Go project dependencies. On every push and pull request that affects relevant files, the CI workflow will check: - If the dependency licenses cache is up to date - If any of the project's dependencies have an unapproved license type. Approval can be based on: - Universally allowed license type - Individual dependency
The `.licenses` folder contains a cache of license metadata for all the project's Go dependencies. This serves two purposes: - Allow the Licensed dependency license checker tool to only check licenses when a dependency is added or updated - Allow the maintainer to manually define license metadata when the licensee tool is unable to automatically detect it
The "Licensed" dependency license checker tool uses the licensee tool to automatically determine the license type based on metadata provided by the dependency author. This must be in a standardized format without any modifications. In cases where that wasn't done, it is necessary to determine the license type and update the dependency license metadata cache in the `.licenses` folder manually. The Licensed tool will check this data whenever the dependency version is updated to make sure the license hasn't changed.
per1234
added
type: enhancement
MatteoPologruto
approved these changes
Sep 6, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Please check if the PR fulfills these requirements
before creating one)
What kind of change does this PR introduce?
Infrastructure enhancement
What is the current behavior?
Contributors and maintainers are not provided with any tools to assist them in the complex and esoteric subject of open source licence compliance.
What is the new behavior?
A task and GitHub Actions workflow are provided here for checking the license types of Go project dependencies.
On every push and pull request that affects relevant files, the CI workflow will use Licensed to check:
Approval can be based on:
Other information
The workflow run is currently failing. This is an accurate result which is caused by incompatibility of the Apache 2.0 license of the Arduino Language Server with the license of dependencies used by the project, which underscores the need for the system added here.
Resolution of that non-compliance is out of scope for this PR.