Skip to content

feat(ci): add license verification workflow #302

Description

@ncarenton

Description

Add a CI workflow to verify that all Python dependencies comply with an approved license allowlist.

Source of Inspiration

The OpenCTI main repository already has such a workflow:
https://github.com/OpenCTI-Platform/opencti/blob/master/.github/workflows/ci-license-check.yml

It uses license-checker-rseidelsohn (Node.js) with an allowlist of approved licenses. We need the Python equivalent for this repository.

Suggested Implementation

  • Tooling: pip-licenses with --allow-only flag (fails if any dependency uses an unlisted license)
  • Trigger: workflow_call (reusable workflow)
  • Scope: Verify all Python dependencies declared in requirements files

Suggested Allowlist

Same as OpenCTI plus Python-specific additions:

  • 0BSD, Apache-2.0, BlueOak-1.0.0, BSD-2-Clause, BSD-3-Clause
  • CC-BY-3.0, CC-BY-4.0, CC0-1.0, Hippocratic-2.1
  • ISC, LGPL-3.0, MIT, OFL-1.1
  • Python-2.0, PSF-2.0, MPL-2.0
  • Unlicense

Metadata

Metadata

Assignees

No one assigned

    Labels

    needs triageNeeds triage from the Filigran product team.tech foundationLinked to tech foundation.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions