Add license deny list to dependency review #11
Deny AGPL-3.0, SSPL-1.0, EUPL-1.1, EUPL-1.2, CPAL-1.0, and Watcom-1.0 licenses in new dependencies.
Walkthrough: The GitHub Actions workflow for dependency review has been updated to enforce license restrictions by adding a
Codecov Report: All modified and coverable lines are covered by tests.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/dependency-review.yml:
- Around line 20-21: The workflow uses the deprecated deny-licenses input for
dependency-review-action@v4; update the job step that currently sets the
deny-licenses parameter to use the action's supported replacement (per the
action docs) — locate the step referencing dependency-review-action@v4 and
replace deny-licenses with the documented alternative input or policy
configuration (e.g., the new policy/allow/deny format or equivalent) and ensure
the same SPDX identifiers are migrated into that new field and validated against
the action's examples.
Files selected for processing (1): .github/workflows/dependency-review.yml
| with: | ||
| deny-licenses: AGPL-3.0-only, AGPL-3.0-or-later, SSPL-1.0, EUPL-1.1, EUPL-1.2, CPAL-1.0, Watcom-1.0 |
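Review bot: the PR description lists "AGPL-3.0" while this line denies AGPL-3.0-only and AGPL-3.0-or-later; keep the hunk's two identifiers (they are the ones the review verified as valid SPDX ids) and update the description so both name the same licenses. Also, since deny-licenses is mutually exclusive with allow-licenses on dependency-review-action@v4 and the two lines shown here cannot tell, confirm the same step does not also set allow-licenses, otherwise the action errors instead of enforcing the list.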
🧩 Analysis chain
🌐 Web query:
Are AGPL-3.0-only, AGPL-3.0-or-later, SSPL-1.0, EUPL-1.1, EUPL-1.2, CPAL-1.0, and Watcom-1.0 valid SPDX license identifiers?
💡 Result:
Yes—each of these is a valid SPDX License List short identifier:
- AGPL-3.0-only (spdx.org)
- AGPL-3.0-or-later (spdx.org)
- SSPL-1.0 (spdx.org)
- EUPL-1.1 (spdx.org)
- EUPL-1.2 (spdx.org)
- CPAL-1.0 (spdx.org)
- Watcom-1.0 (spdx.org)
Citations:
- 1: https://spdx.org/licenses/index.html
- 2: https://spdx.org/licenses/index.html
- 3: https://spdx.org/licenses/SSPL-1.0.html
- 4: https://spdx.org/licenses/EUPL-1.1.html
- 5: https://spdx.org/licenses/EUPL-1.2.html
- 6: https://spdx.org/licenses/CPAL-1.0.html
- 7: https://spdx.org/licenses/Watcom-1.0.html
🌐 Web query:
GitHub actions dependency-review-action v4 deny-licenses configuration syntax
💡 Result:
In actions/dependency-review-action@v4, deny-licenses takes SPDX license identifiers/expressions and is mutually exclusive with allow-licenses (setting both errors). deny-licenses is deprecated in v4 (may be removed in the next major version). [1] [2]
Inline (workflow `with:`): deny-licenses is passed as a comma-separated string: [1]

```yaml
- uses: actions/dependency-review-action@v4
  with:
    deny-licenses: LGPL-2.0, BSD-2-Clause
```

External config file (`config-file:`): in dependency-review-config.yml, use a YAML list (same idea as allow-licenses shown in the README): [1]

```yaml
# .github/dependency-review-config.yml
deny-licenses:
  - LGPL-2.0
  - BSD-2-Clause
```

Consider migrating away from the deprecated deny-licenses parameter.
All SPDX license identifiers are valid and the comma-separated format is correct for dependency-review-action@v4. However, deny-licenses is deprecated in v4 and may be removed in the next major version. Check the action's documentation for recommended alternatives or migration guidance before the deprecation period ends.
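As an added example (not code from this PR and not dependency-review-action's own logic), the following Python script dry-runs the deny list locally before the workflow does: it parses the comma-separated deny-licenses value from the step above, flags deprecated SPDX identifiers and the deny/allow conflict the review mentions, and checks a constructed set of dependency license expressions against the list. The deprecated-identifier table is a hand-picked subset, the sample dependencies are constructed, and the AND/OR policy is this example's own conservative choice, not a description of how the action evaluates expressions.

```python
"""Local dry run of a dependency-review deny list (constructed example).

Not dependency-review-action code. Assumes the deny list is the comma-separated
`deny-licenses` string from the workflow step and that dependency licenses are
SPDX expressions using only top-level AND / OR (no parentheses, no WITH).
"""
import re

# Value copied from the PR's workflow step.
DENY_LICENSES = ("AGPL-3.0-only, AGPL-3.0-or-later, SSPL-1.0, EUPL-1.1, "
                 "EUPL-1.2, CPAL-1.0, Watcom-1.0")

# Bare GNU identifiers are marked deprecated on the SPDX list in favour of the
# -only / -or-later forms; this is a hand-picked subset, not the full list.
DEPRECATED_IDS = {
    "AGPL-3.0": ("AGPL-3.0-only", "AGPL-3.0-or-later"),
    "GPL-2.0": ("GPL-2.0-only", "GPL-2.0-or-later"),
    "GPL-3.0": ("GPL-3.0-only", "GPL-3.0-or-later"),
    "LGPL-2.0": ("LGPL-2.0-only", "LGPL-2.0-or-later"),
    "LGPL-2.1": ("LGPL-2.1-only", "LGPL-2.1-or-later"),
    "LGPL-3.0": ("LGPL-3.0-only", "LGPL-3.0-or-later"),
}

# SPDX short identifiers use letters, digits, '.', '+' and '-'.
ID_RE = re.compile(r"^[A-Za-z0-9.+-]+$")


def parse_deny_list(value):
    """Split the comma-separated `deny-licenses` input into identifiers."""
    ids = [part.strip() for part in value.split(",") if part.strip()]
    bad = [i for i in ids if not ID_RE.match(i)]
    if bad:
        raise ValueError(f"not SPDX identifier syntax: {bad}")
    return ids


def lint_step_inputs(inputs):
    """Findings for a step's `with:` inputs (dict of input name -> value).

    Checks the two points the review above raises: deny-licenses and
    allow-licenses must not both be set, and identifiers should be current.
    """
    findings = []
    if "deny-licenses" in inputs and "allow-licenses" in inputs:
        findings.append("allow-licenses and deny-licenses are mutually exclusive")
    seen = set()
    for lic in parse_deny_list(inputs.get("deny-licenses", "")):
        if lic in seen:
            findings.append(f"duplicate entry: {lic}")
        seen.add(lic)
        if lic in DEPRECATED_IDS:
            only, later = DEPRECATED_IDS[lic]
            findings.append(f"{lic} is a deprecated SPDX id; use {only} and/or {later}")
    return findings


def is_denied(expression, deny):
    """Decide whether a dependency's SPDX expression hits the deny list.

    Policy chosen for this example (a conservative reading, not the action's):
    OR binds loosest, so the expression is split on OR first; an OR is denied
    only when every alternative is denied, an AND when any operand is denied.
    """
    if " OR " in expression:
        return all(is_denied(p, deny) for p in expression.split(" OR "))
    if " AND " in expression:
        return any(is_denied(p, deny) for p in expression.split(" AND "))
    return expression.strip() in set(deny)


def review_dependencies(deps, deny_value=DENY_LICENSES):
    """Return the names of dependencies whose license would be blocked."""
    deny = parse_deny_list(deny_value)
    return [name for name, expr in deps if is_denied(expr, deny)]


# Constructed sample of newly added dependencies: (name, SPDX expression).
SAMPLE_DEPS = [
    ("fastparse", "MIT"),
    ("dbdriver", "SSPL-1.0"),
    ("dualpkg", "MIT OR AGPL-3.0-only"),
    ("bundle", "Apache-2.0 AND EUPL-1.2"),
    ("copyleft", "AGPL-3.0-or-later"),
]

if __name__ == "__main__":
    for finding in lint_step_inputs({"deny-licenses": DENY_LICENSES}):
        print("warning:", finding)
    print("would be blocked:", review_dependencies(SAMPLE_DEPS))
```

Run it from the repository root after editing the workflow; a non-empty warning list or an unexpected "would be blocked" entry is the signal to fix the step before pushing, rather than discovering it from a failed PR check.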
Summary: add deny-licenses to dependency-review-action; PRs introducing dependencies under these licenses will be blocked.