From 4d65c91d7e8c260fcb83f648cd691d989686f4bf Mon Sep 17 00:00:00 2001
From: LeadGoEngineer
Date: Tue, 19 May 2026 07:49:01 -0400
Subject: [PATCH] chore(security): extend license allowlist with BSL-1.0, CC0-1.0, 0BSD
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Mirrors quantcli/common#22 (QUA-46) — keep the per-repo workflow copy in lockstep with the source of truth in `quantcli/common`. No functional change to this repo's existing deps; the allowlist is a strict superset of the previous list. The three new SPDX ids are all permissive (Boost, public-domain dedication, Zero-Clause BSD). See `quantcli/common`'s SECURITY.md for the documented policy, including the explicit `BSL-1.0` (Boost) vs `BUSL-*` (Business Source) distinction added in the same PR.
Co-Authored-By: Paperclip
---
 .github/workflows/security.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 08c1e21..018d6a5 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -94,8 +94,9 @@ jobs:
 contents: read
 env:
 # Policy: every direct + transitive Go dep must resolve to one of these SPDX ids.
+ # Keep this list sorted by SPDX id; SECURITY.md "License allowlist" must match exactly.
 # See SECURITY.md "Supply-chain policy" for the rationale.
- ALLOWED_LICENSES: "Apache-2.0,MIT,BSD-2-Clause,BSD-3-Clause,MPL-2.0,ISC,Unlicense"
+ ALLOWED_LICENSES: "0BSD,Apache-2.0,BSD-2-Clause,BSD-3-Clause,BSL-1.0,CC0-1.0,ISC,MIT,MPL-2.0,Unlicense"
 steps:
 - name: Checkout
 uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
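Review bot: The added comment `# Keep this list sorted by SPDX id; SECURITY.md "License allowlist" must match exactly.` states an invariant that nothing in the job checks, and it points at a bare `SECURITY.md` while the commit message places the source of truth in `quantcli/common`'s SECURITY.md, so a reader cannot tell which document this env value has to match. Name it explicitly, e.g. `# Keep this list sorted by SPDX id; it must match the "License allowlist" section of quantcli/common's SECURITY.md (the source of truth) exactly.`, or point at this repo's own file if that is the one meant. Because the allowlist is now a hand-maintained comma-separated string, a small guard step that fails when the value is unsorted or contains whitespace would enforce the first half of the comment cheaply. How `ALLOWED_LICENSES` is compared (exact SPDX id versus prefix or substring) is decided by the consuming step, which lies outside this hunk; it is worth confirming the match is exact so that ids like `BSD-3-Clause-Clear` or a `BUSL-*` license are not accepted by a looser comparison. The enclosing job starts before the hunk and its steps continue past it.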