Skip to content

Add CI workflow to check for unapproved Go dependency licenses #14

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Oct 19, 2021
Merged

Add CI workflow to check for unapproved Go dependency licenses #14

merged 3 commits into from
Oct 19, 2021

Conversation

per1234
Copy link
Contributor

@per1234 per1234 commented Oct 13, 2021

A task and GitHub Actions workflow are provided here for checking the license types of Go project dependencies.

On every push and pull request that affects relevant files, the CI workflow will use Licensed to check:

  • If the dependency licenses cache is up to date
  • If any of the project's dependencies have an unapproved license type.

Approval can be based on:

@per1234
Add CI workflow to check for unapproved Go dependency licenses
bc969e0 
A task and GitHub Actions workflow are provided here for checking the license types of Go project dependencies.

On every push and pull request that affects relevant files, the CI workflow will check:

- If the dependency licenses cache is up to date
- If any of the project's dependencies have an unapproved license type.

Approval can be based on:

- Universally allowed license type
- Individual dependency
@per1234
Make initial commit of dependency license metadata
8dba87a 
The `.licenses` folder contains a cache of license metadata for all the project's Go dependencies. This serves two purposes:

- Allow the Licensed dependency license checker tool to only check licenses when a dependency is added or updated
- Allow the maintainer to manually define license metadata when the licensee tool is unable to automatically detect it
@per1234
Manually define dependency license metadata that was not detected
8a9269e 
The "Licensed" dependency license checker tool uses the licensee tool to automatically determine the license type based
on metadata provided by the dependency author. This must be in a standardized format without any modifications. In cases
where that wasn't done, it is necessary to determine the license type and update the dependency license metadata cache in
the `.licenses` folder manually.

The Licensed tool will check this data whenever the dependency version is updated to make sure the license hasn't changed.
@per1234 per1234 added the type: enhancement Proposed improvement label Oct 13, 2021
@per1234 per1234 merged commit 94aacc9 into arduino:main Oct 19, 2021
@per1234 per1234 deleted the check-dependencies branch October 19, 2021 08:22
@per1234 per1234 self-assigned this Nov 23, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@umbynos umbynos umbynos approved these changes

@cmaglie cmaglie Awaiting requested review from cmaglie

@silvanocerza silvanocerza Awaiting requested review from silvanocerza

@rsora rsora Awaiting requested review from rsora

Assignees

@per1234 per1234

Labels
type: enhancement Proposed improvement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@per1234 @umbynos