[skip changelog] Add CI workflow to check for unapproved Go dependency licenses #1525
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
A task and GitHub Actions workflow are provided here for checking the license types of Go project dependencies. On every push and pull request that affects relevant files, the CI workflow will check: - If the dependency licenses cache is up to date - If any of the project's dependencies have an unapproved license type. Approval can be based on: - Universally allowed license type - Individual dependency
The folder contains a cache of license metadata for all the project's Go dependencies. This serves two purposes: - Allow the Licensed dependency license checker tool to only check licenses when a dependency is added or updated - Allow the maintainer to manually define license metadata when the licensee tool is unable to automatically detect it
The "Licensed" dependency license checker tool uses the licensee tool to automatically determine the license type based on metadata provided by the dependency author. This must be in a standardized format without any modifications. In cases where that wasn't done, it is necessary to determine the license type and update the dependency license metadata cache in the `.licenses` folder manually. The Licensed tool will check this data whenever the dependency version is updated to make sure the license hasn't changed.
per1234
added
type: enhancement
silvanocerza
approved these changes
Oct 20, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Please check if the PR fulfills these requirements
before creating one)
our contributing guidelines
UPGRADING.mdhas been updated with a migration guide (for breaking changes)Infrastructure enhancement
Responsibility for the complex and tedious task of dependency license review is placed entirely on the humans who manage the project.
A task and GitHub Actions workflow are provided here for checking the license types of Go project dependencies.
On every push and pull request that affects relevant files, the CI workflow will use Licensed to check:
Approval can be based on:
Allowed license type
Individual dependency
Does this PR introduce a breaking change, and is
titled accordingly?
No breaking change