Skip to content

pombredanne/license_approval

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits

.github/workflows

.github/workflows

 
 

doc

doc

 
 

.gitignore

.gitignore

 
 

Dockerfile

Dockerfile

 
 

Gemfile

Gemfile

 
 

Gemfile.lock

Gemfile.lock

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

action.yml

action.yml

 
 

code-of-conduct.md

code-of-conduct.md

 
 

script.sh

script.sh

 
 

Repository files navigation

License Approval

A Github Action that helps you track and approve licenses your project uses.

How it works:

  • You add a new dependency to your project and send it out for review in a pull request
  • License Approval detects the new dependency and finds the license
    • For completeness License Approval checks transitive dependencies as well
  • If License Approval finds any license that isn't on the whitelist, it will block the pull request
  • Your team can review the license or consult with your legal team to determine if the license is acceptable
  • Finally you can add the license to the whitelist or blacklist as needed

This project relies heavily on pivotal/LicenseFinder. Be sure to review their docs as well.

Status

BETA. Working with Ruby/Bundle examples only at the moment.

Setup

First install license_finder locally:

$ gem install license_finder

Run the tool:

$ license_finder

You'll probably see a failure on the first run, with output like:

LicenseFinder::Bundler: is active

Dependencies that need approval:
bundler, 1.17.2, MIT
license_finder, 5.10.2, MIT
parslet, 1.8.2, MIT
rubyzip, 2.0.0, "Simplified BSD"
thor, 0.20.3, MIT
toml, 0.2.0, MIT
with_env, 1.1.0, MIT
xml-simple, 1.1.5, ruby

This indicates that the tool doesn't know if the MIT, Simplified BSD, and ruby licenses are acceptable for your project.

You can mark the MIT license as acceptable by running:

license_finder whitelist add MIT

Now any MIT licensed dependencies will automatically be approved.

If you don't want to fully approve a license you can approve packages individually as well:

license_finder approvals add xml-simple

Now take a look at the doc/dependency_decisions.yml that these commands created. You'll need to add this to source control, so git add it.

Once you've approved everything you need, you can turn on the workflow by adding a file under .github/workflows. See the example this repo uses: https://github.com/ralexander-phi/license_approval/blob/master/.github/workflows/main.yml

Tweak your workflow if needed, then start a pull request with the changes. If everything is working, you should see a new check in the pull request and it should be passing. If so, congratulations, you're done.

Now your team will be able to keep track of software licensing approvals right in your pull request workflow.

Feel free to open an issue if you run into any issues or have suggestions for improvements.

About

Track licenses and approvals

Resources

Readme

License

MIT license

Code of conduct

Code of conduct
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages

No packages published

Languages

  • Shell 66.3%
  • Ruby 21.2%
  • Dockerfile 12.5%