
feat: add license filtering with compliance check#1379

Merged
behnazh-w merged 6 commits intooracle:mainfrom
RuchitAgrawal:729-license-check
Apr 24, 2026

Conversation

@RuchitAgrawal (Contributor) commented Apr 19, 2026

Summary

Implements license filtering for Macaron. Adds a new check that detects a repository's license via the GitHub API and validates it against a user-configured SPDX allow-list.

Description of changes

  • Configuration: added a license section to defaults.ini with options to enable the check, define allowed SPDX identifiers, and require a license to be present.
  • API client: added get_license() to GhAPIClient using the GitHub REST API to fetch license data.
  • License check: implemented mcn_license_1 which detects the repository license via the GitHub API, falls back to the cloned filesystem, and reports PASSED or FAILED based on the configured allow-list.
  • Tests: added unit tests covering all detection and policy evaluation scenarios.

Related issues

Fixes #729

Checklist

  • I have reviewed the contribution guide.
  • My PR title and commits follow the Conventional Commits convention.
  • My commits include the "Signed-off-by" line.
  • I have signed my commits following the instructions provided by GitHub. Note that we run GitHub's commit verification tool to check the commit signatures. A green verified label should appear next to all of your commits on GitHub.
  • I have updated the relevant documentation, if applicable.
  • I have tested my changes and verified they work as expected.

@oracle-contributor-agreement oracle-contributor-agreement Bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Apr 19, 2026
@RuchitAgrawal RuchitAgrawal changed the title feat(license): add license filtering with compliance check feat: add license filtering with compliance check Apr 19, 2026
@behnazh-w (Member) left a comment

@RuchitAgrawal Thank you for contributing to our project.

To test this check end-to-end, please add the line to one of the integration tests to make sure the new check passes. Here is one candidate:

  • tests/integration/cases/pypi_arrow/policy.dl
Policy("has-hosted-build", component_id, "Require a hosted build and publishing service.") :-
    check_passed(component_id, "mcn_build_as_code_1"),
    check_passed(component_id, "mcn_license_1").

This should pass as arrow uses the Apache 2.0 license.

Comment thread src/macaron/slsa_analyzer/checks/license_check.py Outdated
@RuchitAgrawal (Contributor, Author)

Thank you for the review and feedback. I've gone through your comments and noted the required adjustments. I'll get those changes implemented and pushed by tonight.

@RuchitAgrawal (Contributor, Author)

Hi @behnazh-w, I have implemented the fixes based on your suggestions and feedback. Could you kindly review these changes? I’m happy to make further improvements if anything else is needed.

behnazh-w previously approved these changes Apr 21, 2026

@behnazh-w (Member)

@RuchitAgrawal thanks for the changes, they look good! A few more things:

  • Looks like you have not signed your commits. Please make sure all of your commits are marked as verified.
  • Add the --signoff option to your commits. See the PR's TODO items.
  • Add your new check to the table in docs/source/index.rst. You can run make docs locally to make sure the Sphinx docs compile correctly, and you can check the docs artifact at docs/_build/html/index.html.

@behnazh-w behnazh-w self-requested a review April 21, 2026 05:48
- Add [license] section to defaults.ini with enabled, allowed_licenses, and require_license options
- Add GhAPIClient.get_license() using GitHub REST API endpoint
- Implement LicenseCheck (mcn_license_1) with GitHub API detection and filesystem fallback
- Add unit tests covering all detection and policy scenarios

Fixes oracle#729

Signed-off-by: ruchitagrawal <rragrawal16@gmail.com>
Signed-off-by: ruchitagrawal <rragrawal16@gmail.com>
Signed-off-by: ruchitagrawal <rragrawal16@gmail.com>
@RuchitAgrawal (Contributor, Author) commented Apr 21, 2026

@behnazh-w, thank you for the guidance and feedback! I have added the check to the table and tested locally to ensure make docs compiles properly. I also made sure to verify and sign all my commits.
Please let me know what you think of the updates. It has been a great learning experience for me, and I would love to keep contributing to the organization.

Comment thread src/macaron/config/defaults.ini Outdated
@behnazh-w (Member)

> @behnazh-w, thank you for the guidance and feedback! I have added the check to the table and tested locally to ensure make docs compiles properly. I also made sure to verify and sign all my commits. Please let me know what you think of the updates. It has been a great learning experience for me, and I would love to keep contributing to the organization.

That looks good, thanks. I just added a comment about using an allow list vs deny list.

Signed-off-by: ruchitagrawal <rragrawal16@gmail.com>
@RuchitAgrawal (Contributor, Author)

Thank you for the suggestion. I have updated the implementation to use a deny list instead of an allow list for a better license check. I've also updated the tests and docs accordingly. Please let me know if this looks good!
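The check as the PR summary describes it (GitHub API detection, cloned-filesystem fallback, PASSED/FAILED against the configured policy) together with the deny-list variant the review settles on, sketched as an added example. This is not Macaron's code from this PR. The config keys `enabled`, `allowed_licenses` and `require_license` are the ones the PR names; `denied_licenses` is a hypothetical name for the deny-list option; the API payload is a constructed sample in the shape of the GitHub REST endpoint `GET /repos/{owner}/{repo}/license` (a `license` object carrying `spdx_id`, `NOASSERTION` when GitHub cannot classify the text); the fallback phrase table is a constructed heuristic, not a full license matcher; the `UNKNOWN` label for a disabled check is this example's own convention.

```python
# Added example, not Macaron's code: license detection plus allow/deny policy evaluation.
from __future__ import annotations

import configparser
import json
import os
import re
import tempfile
from dataclasses import dataclass

# Constructed sample configuration in defaults.ini style.
# `denied_licenses` is a hypothetical key name for the deny-list option.
SAMPLE_CONFIG = """
[license]
enabled = True
allowed_licenses = Apache-2.0, MIT, BSD-3-Clause
denied_licenses = AGPL-3.0, SSPL-1.0
require_license = True
"""

# Constructed sample payloads in the shape of GET /repos/{owner}/{repo}/license,
# reduced to the fields the check reads.
SAMPLE_API_RESPONSE = json.dumps(
    {"name": "LICENSE.txt", "license": {"key": "apache-2.0", "spdx_id": "Apache-2.0"}}
)
SAMPLE_API_RESPONSE_UNKNOWN = json.dumps(
    {"name": "LICENSE", "license": {"key": "other", "spdx_id": "NOASSERTION"}}
)


@dataclass(frozen=True)
class LicenseConfig:
    enabled: bool
    allowed: frozenset[str]  # empty allow list means "anything not denied"
    denied: frozenset[str]
    require_license: bool


def _split_ids(raw: str) -> frozenset[str]:
    return frozenset(s.strip() for s in re.split(r"[,\n]", raw) if s.strip())


def load_config(text: str) -> LicenseConfig:
    parser = configparser.ConfigParser()
    parser.read_string(text)
    section = parser["license"]
    return LicenseConfig(
        enabled=section.getboolean("enabled", fallback=False),
        allowed=_split_ids(section.get("allowed_licenses", fallback="")),
        denied=_split_ids(section.get("denied_licenses", fallback="")),
        require_license=section.getboolean("require_license", fallback=False),
    )


def license_from_api(response_body: str) -> str | None:
    """Return the SPDX id from the API payload, or None if GitHub could not classify it."""
    data = json.loads(response_body)
    spdx = (data.get("license") or {}).get("spdx_id")
    return None if not spdx or spdx == "NOASSERTION" else spdx


# Constructed fallback heuristics: one distinctive phrase per license, most specific first.
LICENSE_PHRASES = [
    ("AGPL-3.0", "gnu affero general public license"),
    ("GPL-3.0", "gnu general public license"),
    ("Apache-2.0", "apache license"),
    ("MIT", "permission is hereby granted, free of charge"),
]
CANDIDATE_FILES = ("LICENSE", "LICENSE.txt", "LICENSE.md", "COPYING")


def license_from_repo(repo_dir: str) -> str | None:
    """Filesystem fallback: inspect the head of a license file in the cloned repository."""
    for name in CANDIDATE_FILES:
        path = os.path.join(repo_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            head = fh.read(4096).lower()
        for spdx, phrase in LICENSE_PHRASES:
            if phrase in head:
                return spdx
    return None


def detect_license(api_body: str | None, repo_dir: str | None) -> str | None:
    """API first, cloned filesystem second, None if neither yields an SPDX id."""
    spdx = license_from_api(api_body) if api_body else None
    if spdx is None and repo_dir:
        spdx = license_from_repo(repo_dir)
    return spdx


def evaluate(spdx: str | None, cfg: LicenseConfig) -> tuple[str, str]:
    """Policy: deny list wins, then the allow list (if one is set), then require_license."""
    if not cfg.enabled:
        return "UNKNOWN", "license check disabled"  # label chosen for this example
    if spdx is None:
        if cfg.require_license:
            return "FAILED", "no license detected"
        return "PASSED", "no license detected, none required"
    if spdx in cfg.denied:
        return "FAILED", f"{spdx} is on the deny list"
    if cfg.allowed and spdx not in cfg.allowed:
        return "FAILED", f"{spdx} is not on the allow list"
    return "PASSED", f"{spdx} is permitted"


def run_demo() -> dict[str, str]:
    """Three scenarios: API hit, filesystem fallback after NOASSERTION, nothing found."""
    cfg = load_config(SAMPLE_CONFIG)
    results = {"api_apache": evaluate(detect_license(SAMPLE_API_RESPONSE, None), cfg)[0]}
    with tempfile.TemporaryDirectory() as repo:  # constructed clone with an AGPL text
        with open(os.path.join(repo, "LICENSE"), "w", encoding="utf-8") as fh:
            fh.write("GNU AFFERO GENERAL PUBLIC LICENSE\nVersion 3, 19 November 2007\n")
        results["fallback_agpl"] = evaluate(detect_license(SAMPLE_API_RESPONSE_UNKNOWN, repo), cfg)[0]
    results["no_license"] = evaluate(detect_license(SAMPLE_API_RESPONSE_UNKNOWN, None), cfg)[0]
    return results


if __name__ == "__main__":
    for scenario, outcome in run_demo().items():
        print(f"{scenario}: {outcome}")
```

Leaving `allowed_licenses` empty turns the evaluator into the pure deny-list mode the review asked for; keeping both lists populated lets a deny entry override an allow entry, which is the safer precedence when the two overlap. The `require_license` option decides the outcome for the "no license at all" case, which is also what the API's `NOASSERTION` collapses to when the filesystem fallback finds nothing.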

@behnazh-w behnazh-w merged commit ac7be91 into oracle:main Apr 24, 2026
17 checks passed
Development

Successfully merging this pull request may close these issues.

Implement license checks in Macaron

3 participants