1+ name : ' Dependency Review'
2+ on :
3+ workflow_call :
4+ workflow_dispatch :
5+
6+ permissions : { }
7+
8+ jobs :
9+ dependency-review :
10+ runs-on : ubuntu-latest
11+ permissions :
12+ contents : read
13+ steps :
14+ - name : ' Checkout Repository'
15+ uses : actions/checkout@v4
16+
17+ - name : ' Dependency Review'
18+ id : review
19+ uses : actions/dependency-review-action@v4
20+ with :
21+ allow-licenses : 0BSD, BSD-1-Clause, BSD-2-Clause, BSD-3-Clause, LGPL-2.0-or-later, LGPL-2.1-or-later, LGPL-3.0-only, LGPL-3.0-or-later, MIT, WTFPL, Apache-2.0
22+ # Note that we explicitly allow LGPL-2.x-or-later, since LGPL-2.x (only) is not compatible with LGPL-3.x
23+ - name : ' Disallow unlicensed/unknown license'
24+ shell : bash
25+ env :
26+ UNLICENSED : " ${{ steps.review.outputs.invalid-license-changes }}"
27+ run : |
28+ EXPECTED='{"unlicensed":[],"unresolved":[],"forbidden":[]}'
29+
30+ echo $EXPECTED
31+ echo $UNLICENSED
32+
33+ if [ $UNLICENSED = $EXPECTED ]; then
34+ echo "No unlicensed changes found."
35+ else
36+ BOLD_RED='\033[1;31m'
37+ RESET='\033[0m'
38+ echo -e "${BOLD_RED}Invalid license changes found:${RESET}\n$UNLICENSED"
39+ exit 1
40+ fi
41+
42+ # Rationale:
43+
44+ # # https://interoperable-europe.ec.europa.eu/licence/bsd-zero-clause-license
45+ # # 0BSD is a very permissive licence, like the BSD-2-Clause, but without the "attribution" requirement to include the authors' copyright notice, the license text and the disclaimer in either source or binary forms. The code may therefore be freely redistributed and relicensed without even mentioning its origin.
46+ # "0BSD",
47+ # # Very permissive.
48+ # "BSD-1-Clause",
49+ # # https://interoperable-europe.ec.europa.eu/licence/bsd-2-clause-simplified-license
50+ # # SD-2 permits almost unlimited freedom with the software so long as you include the BSD copyright notice in it (as is in licence text).
51+ # "BSD-2-Clause",
52+ # # https://interoperable-europe.ec.europa.eu/licence/bsd-3-clause-new-or-revised-license
53+ # # BSD-3 allows you almost unlimited freedom with the software so long as you include the BSD copyright and license notice in it...
54+ # "BSD-3-Clause",
55+ # # Mark: Explicit no BDS-4-Clause aka Old/Original BSD License
56+
57+ # ### LGPL ###
58+ # # The "or later" makes it so that they are compatible with 3.0.
59+ # # "LGPL-2.0-only", # Incompatible with LGPL 3.0.
60+ # "LGPL-2.0-or-later",
61+ # # "LGPL-2.1-only", # Incompatible with Apache 2.0 (We would have to "swap" both in that case).
62+ # "LGPL-2.1-or-later",
63+ # "LGPL-3.0-only",
64+ # "LGPL-3.0-or-later",
65+
66+ # ## MPL ###
67+ # # https://interoperable-europe.ec.europa.eu/licence/mozilla-public-license-20
68+ # # Version 2.0 is, by default, compatible with LGPL and GPL version 2 or later and with the EUPL...
69+ # # Although compatible files added with MPL-2.0 will need to retain their license, aka, no relicensing allowed.
70+ # # Therefore it is kept as not allowed as default, as special care might be needed to comply with this license.
71+ # "MPL-2.0",
72+
73+ # ## MIT ###
74+ # "MIT",
75+
76+ # ## WTFPL ###
77+ # "WTFPL",
78+
79+ # ## Apache ###
80+ # "Apache-2.0",
0 commit comments