Add license deny list to dependency review #11

Merged: wizzomafizzo merged 1 commit into main from add-license-policy on Apr 10, 2026
Conversation

@wizzomafizzo wizzomafizzo commented Apr 10, 2026

Summary

  • Add deny-licenses to dependency-review-action
  • Denied: AGPL-3.0, SSPL-1.0, EUPL-1.1, EUPL-1.2, CPAL-1.0, Watcom-1.0

PRs introducing dependencies under these licenses will be blocked.

Summary by CodeRabbit

  • Chores
    • Enhanced dependency review process with stricter license compliance checks to reject dependencies with specific license types.

Deny AGPL-3.0, SSPL-1.0, EUPL-1.1, EUPL-1.2, CPAL-1.0, and
Watcom-1.0 licenses in new dependencies.
coderabbitai Bot commented Apr 10, 2026

Walkthrough

The GitHub Actions workflow for dependency review has been updated to enforce license restrictions by adding a deny-licenses configuration parameter to the actions/dependency-review-action step, specifying seven license identifiers to be blocked during dependency checks.

Changes

Cohort / File(s): GitHub Workflow Configuration (.github/workflows/dependency-review.yml)
Summary: Added deny-licenses parameter with a list of seven restricted licenses (AGPL-3.0-only, AGPL-3.0-or-later, SSPL-1.0, EUPL-1.1, EUPL-1.2, CPAL-1.0, Watcom-1.0) to the dependency review action step.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 License gates now stand so tall,
Seven licenses denied to all,
AGPL, SSPL take a bow,
Our dependencies are safer now! ✨

🚥 Pre-merge checks | ✅ 3 passed
  • Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title 'Add license deny list to dependency review' directly and clearly summarizes the main change: adding a deny-licenses configuration to the dependency-review workflow.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage; the docstring coverage check was skipped.


codecov Bot commented Apr 10, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/dependency-review.yml:
- Around line 20-21: The workflow uses the deprecated deny-licenses input for
dependency-review-action@v4; update the job step that currently sets the
deny-licenses parameter to use the action's supported replacement (per the
action docs) — locate the step referencing dependency-review-action@v4 and
replace deny-licenses with the documented alternative input or policy
configuration (e.g., the new policy/allow/deny format or equivalent) and ensure
the same SPDX identifiers are migrated into that new field and validated against
the action's examples.
📥 Commits

Reviewing files that changed from the base of the PR and between 9c20784 and 39f5603.

📒 Files selected for processing (1)
  • .github/workflows/dependency-review.yml

Comment on lines +20 to +21
with:
deny-licenses: AGPL-3.0-only, AGPL-3.0-or-later, SSPL-1.0, EUPL-1.1, EUPL-1.2, CPAL-1.0, Watcom-1.0
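Review bot: The PR description lists six denied licenses with AGPL as a single "AGPL-3.0" entry, while this line denies seven SPDX identifiers, splitting AGPL into AGPL-3.0-only and AGPL-3.0-or-later; update the description so reviewers see the exact policy being enforced. Since the action's v4 documentation marks deny-licenses as deprecated, it would also be worth carrying the same seven identifiers into the config-file form (.github/dependency-review-config.yml with a YAML list) rather than the inline comma-separated string, so the policy survives the next major version.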

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Are AGPL-3.0-only, AGPL-3.0-or-later, SSPL-1.0, EUPL-1.1, EUPL-1.2, CPAL-1.0, and Watcom-1.0 valid SPDX license identifiers?

💡 Result:

Yes—each of these is a valid SPDX License List short identifier:


🌐 Web query:

GitHub actions dependency-review-action v4 deny-licenses configuration syntax

💡 Result:

In actions/dependency-review-action@v4, deny-licenses takes SPDX license identifiers/expressions and is mutually exclusive with allow-licenses (setting both errors). deny-licenses is deprecated in v4 (may be removed in the next major version). [1] [2]

Inline (workflow with:)

deny-licenses is passed as a comma-separated string: [1]

- uses: actions/dependency-review-action@v4
  with:
    deny-licenses: LGPL-2.0, BSD-2-Clause

External config file (config-file:)

In dependency-review-config.yml, use a YAML list (same idea as allow-licenses shown in the README): [1]

# .github/dependency-review-config.yml
deny-licenses:
  - LGPL-2.0
  - BSD-2-Clause

Consider migrating away from the deprecated deny-licenses parameter.

All SPDX license identifiers are valid and the comma-separated format is correct for dependency-review-action@v4. However, deny-licenses is deprecated in v4 and may be removed in the next major version. Check the action's documentation for recommended alternatives or migration guidance before the deprecation period ends.

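As an added example (not code from this repository or from dependency-review-action), the following Python script applies the same seven identifiers to a constructed dependency manifest so the policy can be checked locally before a PR reaches the workflow; the SPDX normalisation of deprecated spellings, the conservative reading of OR expressions, and the "review" verdict for packages with no declared license are this example's own choices, not the action's documented behaviour.

```python
import re

# The seven SPDX identifiers denied in .github/workflows/dependency-review.yml.
DENY_LICENSES = {
    "AGPL-3.0-only", "AGPL-3.0-or-later", "SSPL-1.0",
    "EUPL-1.1", "EUPL-1.2", "CPAL-1.0", "Watcom-1.0",
}

# Constructed sample manifest: (package, declared SPDX expression or None).
SAMPLE_DEPENDENCIES = [
    ("fastjson", "MIT"),
    ("gridtools", "AGPL-3.0-or-later"),
    ("oldstyle", "AGPL-3.0"),                 # deprecated bare spelling
    ("dualpkg", "MIT OR AGPL-3.0-only"),      # dual-licensed
    ("docsgen", "Apache-2.0 AND EUPL-1.2"),
    ("mystery", None),                        # no license metadata at all
]

_SPDX_TOKEN = re.compile(r"[A-Za-z0-9.+-]+")
_OPERATORS = {"AND", "OR", "WITH"}

def normalize(ident):
    """Map deprecated SPDX spellings onto the forms the deny list uses
    (this example's own choice; the action's matching rules are not on the page):
    'AGPL-3.0' -> 'AGPL-3.0-only', 'AGPL-3.0+' -> 'AGPL-3.0-or-later'."""
    if ident.endswith("+"):
        return ident[:-1] + "-or-later"
    if re.fullmatch(r"[A-Z]?GPL-\d\.\d", ident):
        return ident + "-only"
    return ident

def licenses_in(expression):
    """Set of license identifiers in an SPDX expression; AND/OR/WITH and
    parentheses are dropped, so an identifier inside an OR alternative still
    counts (conservative reading for a deny list)."""
    return {normalize(t) for t in _SPDX_TOKEN.findall(expression)
            if t.upper() not in _OPERATORS}

def classify(expression, deny=DENY_LICENSES):
    """'deny' if any denied identifier appears, 'review' when the package
    declares no license (a deny list cannot vouch for it), else 'allow'."""
    if not expression:
        return "review"
    return "deny" if licenses_in(expression) & deny else "allow"

def check_manifest(deps, deny=DENY_LICENSES):
    """Verdict per package, e.g. for a local gate before opening a PR."""
    return {name: classify(expr, deny) for name, expr in deps}
```

The "review" verdict is the practical gap of any deny list: a dependency that ships no license metadata is neither denied nor vouched for, which is why the action's docs offer allow-licenses as the mutually exclusive alternative.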

@wizzomafizzo wizzomafizzo merged commit a730494 into main Apr 10, 2026
13 checks passed
@wizzomafizzo wizzomafizzo deleted the add-license-policy branch April 10, 2026 08:15