
Add Licensed To Help Verify Prod Licenses #326

Merged
merged 4 commits into from Sep 10, 2020

Conversation

thboop
Collaborator

@thboop thboop commented Aug 11, 2020

GitHub has a tool called licensed which helps us to verify that the node modules we are using are appropriately licensed for what we are using them for. It also helps to verify that the license a node module claims to be under matches the license it.

If you were previously checking in a license in the dist file, this can replace that flow.

This PR adds:

  • A workflow to check licenses on pull requests and pushes to the main branch
  • A licensed.yml file used to configure licensed
  • A number of files into the .licenses directory which contain our dependencies and their appropriate licenses

How does this impact me?

  • You may need to locally install licensed and run licensed cache to update the dependency cache if you install a new production dependency.
    • If licensed cache is unable to determine the dependency, you may need to modify the cache file yourself to put the correct license.
  • You should still verify the dependency; licensed is a tool to help, but it is not a substitute for human review of dependencies.
  • Currently, this PR only targets production dependencies; dev dependencies are not included.
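The decision licensed makes for each cached dependency (allowed, human-reviewed, ignored, stale cache, or needs review) in a stripped-down form. This is an added example, not code from the PR or from licensed itself; the package names, versions, and the allowed/reviewed/ignored lists are constructed stand-ins for a real .licensed.yml and the .licenses/npm/*.dep.yml cache files.

```python
# Added example: model of the per-dependency check behind `licensed status`.
# All names, versions and lists below are constructed, not the project's data.

ALLOWED = {"mit", "apache-2.0", "bsd-2-clause", "bsd-3-clause", "isc"}
# Dependencies a human reviewed and approved despite a license id outside ALLOWED
REVIEWED = {"npm": {"reviewed-pkg"}}
# Dependencies excluded from the check entirely (e.g. first-party packages)
IGNORED = {"npm": {"internal-tool"}}

# Constructed stand-ins for the parsed contents of .licenses/npm/<name>.dep.yml
CACHE = [
    {"type": "npm", "name": "tunnel", "version": "0.0.6", "license": "mit"},
    {"type": "npm", "name": "reviewed-pkg", "version": "1.2.3", "license": "other"},
    {"type": "npm", "name": "copyleft-lib", "version": "2.0.0", "license": "gpl-3.0"},
    {"type": "npm", "name": "unknown-lib", "version": "0.1.0", "license": "none"},
    {"type": "npm", "name": "internal-tool", "version": "9.9.9", "license": "none"},
    {"type": "npm", "name": "old-cache", "version": "1.0.0", "license": "mit"},
]
# Constructed stand-in for the production dependencies currently installed
INSTALLED = {"tunnel": "0.0.6", "reviewed-pkg": "1.2.3", "copyleft-lib": "2.0.0",
             "unknown-lib": "0.1.0", "internal-tool": "9.9.9", "old-cache": "1.1.0"}


def check_dependency(dep, installed, allowed=ALLOWED, reviewed=REVIEWED, ignored=IGNORED):
    """Return (ok, reason) for one cached dependency record."""
    source, name = dep["type"], dep["name"]
    if name in ignored.get(source, set()):
        return True, "ignored by config"
    # A cache record whose version no longer matches what is installed is stale:
    # the license text may have changed, so `licensed cache` must be re-run.
    if installed.get(name) != dep["version"]:
        return False, "cached version %s does not match installed %s" % (
            dep["version"], installed.get(name))
    if dep["license"] in allowed:
        return True, "license %s is allowed" % dep["license"]
    if name in reviewed.get(source, set()):
        return True, "license %s approved by human review" % dep["license"]
    # "none"/"other" means the tool could not classify the text; a person must look.
    return False, "license %s is not allowed; needs review" % dep["license"]


def status(cache=CACHE, installed=INSTALLED):
    """Mirror `licensed status`: map each failing dependency to its reason."""
    return {d["name"]: reason for d in cache
            for ok, reason in [check_dependency(d, installed)] if not ok}


if __name__ == "__main__":
    for name, reason in status().items():
        print("FAIL %s: %s" % (name, reason))
```

With the constructed data, copyleft-lib and unknown-lib fail on license, old-cache fails because the cache is stale, and the rest pass.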

@thboop thboop marked this pull request as ready for review Aug 26, 2020
@thboop thboop requested a review from ericsciple Aug 26, 2020
@thboop thboop merged commit 21dc310 into actions:main Sep 10, 2020
7 checks passed
@AnandChowdhary

@AnandChowdhary AnandChowdhary commented Sep 24, 2020

@thboop, quick question: Why did you not use jonabc/setup-licensed and opt for installing Licensed manually in the workflow?

larose pushed a commit to larose/checkout that referenced this issue Oct 12, 2020
* Add Licensed file and workflow

* manual updates of dependencies

* Delete licenses.txt

* Ignore Generated Files in Git PR's