
Generate licenses.json via GitHub Actions after dependency updates (#38) #43

@mattfsourcecode mattfsourcecode commented Feb 2, 2025

Summary of Changes:

  1. Adds a workflow to generate licenses.json

    • Implements a new GitHub Actions workflow using license-checker to automatically generate a licenses.json file whenever package.json or pnpm-lock.yaml changes. The licenses.json file contains license information for each dependency, along with details such as the repository URL, publisher, and other metadata provided by the package authors.
  2. Configures PERSONAL_ACCESS_TOKEN for secure commits

    • Adds a repository secret named PERSONAL_ACCESS_TOKEN to authorize GitHub Actions (github-actions[bot]) to commit changes directly. This ensures license updates are committed securely and automatically.
  3. Updates test-and-build workflow trigger

    • Previous:
      on:
        pull_request:
          branches:
            - master
    • Updated:
      on:
        push:
          branches:
            - "**"
        pull_request:
          branches:
            - "**"
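Review bot: with both `push` and `pull_request` set to `"**"`, every commit on a branch that also has an open pull request runs test-and-build twice (once per event) without adding any coverage, and every scratch branch pushed to the repository now consumes runner time too; consider leaving `pull_request` unrestricted and narrowing `push` to the branches that actually need a post-commit run instead of `"**"`.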
    • This change ensures that the test-and-build workflow runs on both push and pull_request events across all branches ("**"). It guarantees the check will trigger after the license file is committed, making it the final validation step before merging.
  4. Bumps dependency version

    • Updated the following dependency:
      - "@types/node": "^22.12.0",
      + "@types/node": "^22.13.0",
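Review bot: the `@types/node` bump is unrelated to the workflow change and is exactly the kind of update the description says Dependabot normally handles; bundling it here mixes a dependency edit into a CI PR and means the first dependency change after the new workflow lands is not the Dependabot auto-merge path the description says it cannot yet verify, so consider dropping this hunk and letting Dependabot open it separately.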
    • This version bump had not yet been handled by Dependabot.

⚠️ Note Regarding Dependabot:

  • Potential concern: This PR doesn’t allow us to verify if github-actions[bot] can still automatically merge pull requests when github-actions[bot] is the last contributor. The current configuration might require the last commit to be made by Dependabot.

  • Why it’s expected to work:

    • The automation uses github-actions[bot] with PERSONAL_ACCESS_TOKEN, which should meet the required permissions.
    • The test-and-build workflow now runs after commits from GitHub Actions, satisfying branch protection rules.

We will be able to confirm this functionality fully when the next Dependabot PR invokes an automatic merge.


Closes #38
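The workflow described in points 1 and 2, written out as an added example (this is not the project's own workflow file). Names and versions are assumptions: the file would live at `.github/workflows/licenses.yml`, `license-checker` is assumed to be a devDependency run via `pnpm exec`, the action majors (`actions/checkout@v4`, `pnpm/action-setup@v4`, `actions/setup-node@v4`), the pnpm and Node majors, and the commit message `chore: update licenses.json` are all chosen here. The secret name `PERSONAL_ACCESS_TOKEN` is the one from the description.

```yaml
name: Generate licenses.json

# Run only when the manifest or lockfile changes. licenses.json is deliberately
# absent from this filter, so the commit this workflow pushes cannot re-trigger it.
on:
  push:
    paths:
      - package.json
      - pnpm-lock.yaml

# Keep the job's default GITHUB_TOKEN read-only; the push below authenticates
# with the PAT handed to actions/checkout instead.
permissions:
  contents: read

# One run per branch at a time, so two close pushes cannot race on the commit.
concurrency:
  group: licenses-${{ github.ref }}
  cancel-in-progress: true

jobs:
  licenses:
    runs-on: ubuntu-latest
    # Second loop guard: skip pushes whose head commit is this workflow's own
    # (assumed commit message, see the last step).
    if: "!contains(github.event.head_commit.message, 'chore: update licenses.json')"
    steps:
      - uses: actions/checkout@v4
        with:
          # Assumed: a fine-grained PAT restricted to this repository with
          # "Contents: write" only. Pushing with it rather than GITHUB_TOKEN is
          # what lets the resulting commit trigger test-and-build afterwards.
          token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}

      - uses: pnpm/action-setup@v4
        with:
          version: 9          # assumed pnpm major

      - uses: actions/setup-node@v4
        with:
          node-version: 22    # assumed Node major
          cache: pnpm         # requires pnpm to be installed by the step above

      - run: pnpm install --frozen-lockfile

      - name: Regenerate licenses.json
        # Assumed: license-checker is a devDependency. No --production flag,
        # so both dependencies and devDependencies are listed.
        run: pnpm exec license-checker --json --out licenses.json

      - name: Commit and push if the file changed
        run: |
          # git status (not git diff) also catches the first, still-untracked copy.
          if [ -z "$(git status --porcelain -- licenses.json)" ]; then
            echo "licenses.json is up to date"
            exit 0
          fi
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add licenses.json
          git commit -m "chore: update licenses.json"
          git push
```

Two design points worth checking against the real secret: a classic PAT with `repo` scope grants write access to every repository its owner can push to, so a fine-grained token limited to this one repository with Contents write is the least-privilege form of the same thing; and the path filter plus the commit-message guard are what keep the bot's own commit from starting another run. If the file should also act as a gate rather than just a record, license-checker's `--onlyAllow` and `--failOn` flags turn the generation step into a policy check.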

@mattfsourcecode mattfsourcecode force-pushed the generate-license-json-via-github-actions-after-dependency-updates branch from f096f7c to e48960e February 2, 2025 15:23
@mattfsourcecode mattfsourcecode marked this pull request as ready for review February 2, 2025 15:29
@mattfsourcecode mattfsourcecode force-pushed the generate-license-json-via-github-actions-after-dependency-updates branch from 66f831c to 753c11a February 2, 2025 15:33
@mattfsourcecode mattfsourcecode marked this pull request as draft February 2, 2025 15:34
@mattfsourcecode mattfsourcecode changed the title Generate license.json via GitHub Actions after deps updates (#38) Generate licenses.json with GitHub Actions after dependency updates (#38) Feb 2, 2025
@mattfsourcecode mattfsourcecode force-pushed the generate-license-json-via-github-actions-after-dependency-updates branch 25 times, most recently from 3b826a4 to e9675d2 February 2, 2025 20:02
@mattfsourcecode mattfsourcecode force-pushed the generate-license-json-via-github-actions-after-dependency-updates branch from 7861f9c to 7682cd0 February 2, 2025 20:03
@mattfsourcecode mattfsourcecode marked this pull request as ready for review February 2, 2025 20:12
@mattfsourcecode mattfsourcecode changed the title Generate licenses.json with GitHub Actions after dependency updates (#38) Generate licenses.json via GitHub Actions after dependency updates (#38) Feb 2, 2025
@mattfsourcecode mattfsourcecode merged commit 5367795 into master Feb 2, 2025
5 checks passed
@mattfsourcecode mattfsourcecode deleted the generate-license-json-via-github-actions-after-dependency-updates branch February 2, 2025 20:48
mattfsourcecode commented Feb 3, 2025

⚠️ Note Regarding Dependabot:

  • Potential concern: This PR doesn’t allow us to verify if github-actions[bot] can still automatically merge pull requests when github-actions[bot] is the last contributor. The current configuration might require the last commit to be made by Dependabot.

  • Why it’s expected to work:

    • The automation uses github-actions[bot] with PERSONAL_ACCESS_TOKEN, which should meet the required permissions.
    • The test-and-build workflow now runs after commits from GitHub Actions, satisfying branch protection rules.

We can fully confirm this functionality when the next Dependabot PR invokes an automatic merge.

Follow-up:

The license-checker package lists license information for subdependencies in the pnpm-lock.yaml when run locally. However, when run as part of the GitHub Action, it only lists license information for direct dependencies and devDependencies. This means changes made by Dependabot would likely have infrequent impacts on the license information. The check would be more valuable if subdependency licenses were also included.

New Issue Added: #46

mattfsourcecode commented Feb 3, 2025

> The check would be more valuable if subdependency licenses were also included.

Nonetheless, the added check automatically detects when developers add new dependencies and devDependencies, and updates the licenses.json file accordingly.

Successfully merging this pull request may close these issues.

Generate a license.json file with license-checker via GitHub Actions after dependency updates