Skip to content

Add infrastructure to check for unapproved npm dependency licenses #420

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Oct 8, 2024
Merged

Add infrastructure to check for unapproved npm dependency licenses #420

merged 3 commits into from
Oct 8, 2024

Conversation

per1234
Copy link
Contributor

@per1234 per1234 commented Oct 8, 2024

A task and GitHub Actions workflow are provided here for checking the license types of npm-managed project dependencies.

On every push and pull request that affects relevant files, the CI workflow will check:

  • If the dependency licenses cache is up to date
  • If any of the project's dependencies have an unapproved license type.

Approval can be based on:

  • Universally allowed license type
  • Individual dependency
per1234 added 3 commits October 7, 2024 23:52
@per1234
Add infrastructure to check for unapproved npm dependency licenses
ee49ac2 
A task and GitHub Actions workflow are provided here for checking the license types of npm-managed project dependencies. On every push and pull request that affects relevant files, the CI workflow will check: - If the dependency licenses cache is up to date - If any of the project's dependencies have an unapproved license type. Approval can be based on: - Universally allowed license type - Individual dependency
@per1234
Make initial commit of dependency license metadata
9df2cf1 
The `.licenses` folder contains a cache of license metadata for all the project's Go dependencies. This serves two purposes: - Allow the Licensed dependency license checker tool to only check licenses when a dependency is added or updated - Allow the maintainer to manually define license metadata when the licensee tool is unable to automatically detect it
@per1234
Manually define dependency license type metadata that was not detected
025e2b9 
The "Licensed" dependency license checker tool uses the licensee tool to automatically determine the license type based on metadata provided by the dependency author. This must be in a standardized format without any modifications. In cases where that wasn't done, it is necessary to determine the license type and update the dependency license metadata cache in the `.licenses` folder manually. The Licensed tool will check this data whenever the dependency version is updated to make sure the license hasn't changed.
@per1234 per1234 added type: enhancement Proposed improvement topic: infrastructure Related to project infrastructure labels Oct 8, 2024
@per1234 per1234 self-assigned this Oct 8, 2024
@codecov-commenter
Copy link

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 59.18%. Comparing base (1b78422) to head (025e2b9).

Additional details and impacted files 
@@ Coverage Diff @@ ## main #420 +/- ## ======================================= Coverage 59.18% 59.18% ======================================= Files 1 1 Lines 98 98 Branches 16 16 ======================================= Hits 58 58 Misses 33 33 Partials 7 7

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.
@per1234 per1234 merged commit 4de5fc8 into arduino:main Oct 8, 2024
19 checks passed
@per1234 per1234 deleted the check-dependencies branch October 8, 2024 06:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

topic: infrastructure Related to project infrastructure type: enhancement Proposed improvement

2 participants

@per1234 @codecov-commenter