feat: fetch and store repo license via licensee IN-1105

[gaspergrom]

Summary

• Adds license column (VARCHAR(255)) to public.repositories via a new migration
• Installs the licensee Ruby gem (v9.15.3, the last version compatible with Ruby 2.7 on Debian Bullseye) in the git integration Docker image, along with libgit2 build and runtime deps required by the rugged gem
• Implements LicenseService that runs licensee detect --json <repo_path> and extracts the SPDX identifier from the JSON output
• Wires the service into the repository worker's first-batch hook, alongside the existing software-value and vulnerability-scanner calls
• Persists the detected SPDX ID (e.g. MIT, Apache-2.0, BSD-3-Clause) to public.repositories.license via a new update_repository_license CRUD helper

Changes

• backend/src/database/migrations/V1778154987__addLicenseToRepositories.sql — add license column
• backend/src/database/migrations/U1778154987__addLicenseToRepositories.sql — undo migration
• scripts/services/docker/Dockerfile.git_integration — install licensee v9.15.3 + libgit2 deps
• services/apps/git_integration/src/crowdgit/services/license/license_service.py — new service
• services/apps/git_integration/src/crowdgit/services/license/__init__.py — module init
• services/apps/git_integration/src/crowdgit/services/__init__.py — export LicenseService
• services/apps/git_integration/src/crowdgit/worker/repository_worker.py — wire service
• services/apps/git_integration/src/crowdgit/database/crud.py — add update_repository_license

---

Note

Medium Risk
Adds a new license column and a new external dependency (licensee Ruby gem) executed during repository processing, which may impact worker runtime and database migrations if detection is slow or the tool behaves unexpectedly.

Overview
Adds a new public.repositories.license (VARCHAR(255)) column with forward/undo migrations and updates the data-access layer to select this field.

Extends the git-integration worker to run a new LicenseService on the first clone batch, using the licensee gem to detect an SPDX ID and persist it via a new update_repository_license DB helper.

Updates the git-integration Docker image to install Ruby + licensee (and required libgit2 build/runtime deps) so license detection can run in production.

^{Reviewed by Cursor Bugbot for commit ef58578. Bugbot is set up for automated code reviews on this repo. Configure here.}

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[Copilot]

Pull request overview

This PR adds repository license detection to the git integration pipeline and persists the detected SPDX identifier into the main public.repositories table, enabling downstream consumers to query repository license metadata.

Changes:

• Adds a license column to public.repositories (with rollback migration).
• Extends the git integration Docker image to install the licensee gem and its libgit2 build/runtime dependencies.
• Introduces LicenseService (invokes licensee detect --json) and wires it into the repository worker’s first-batch processing, persisting results via a new CRUD helper.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
backend/src/database/migrations/V1778154987__addLicenseToRepositories.sql	Adds license column to public.repositories.
backend/src/database/migrations/U1778154987__addLicenseToRepositories.sql	Drops license column on rollback.
scripts/services/docker/Dockerfile.git_integration	Installs Ruby + licensee and required libgit2/toolchain deps in the git integration image.
services/apps/git_integration/src/crowdgit/services/license/license_service.py	New async service to execute licensee and parse SPDX from JSON output.
services/apps/git_integration/src/crowdgit/services/license/init.py	Exports LicenseService from the license service module.
services/apps/git_integration/src/crowdgit/services/init.py	Re-exports LicenseService at the services package level.
services/apps/git_integration/src/crowdgit/worker/repository_worker.py	Runs license detection on first clone batch and writes the result to DB.
services/apps/git_integration/src/crowdgit/database/crud.py	Adds update_repository_license helper to persist SPDX ID.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated 3 comments.

[Copilot]

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated 3 comments.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit ef58578. Configure here.}

[cursor]

Transient detection errors silently clear existing license data

Medium Severity

LicenseService.detect() returns None for both "no license exists" and all error conditions (timeout, binary not found, parse failure, etc.). The caller in repository_worker.py unconditionally passes this result to update_repository_license, which will overwrite a previously valid license (e.g. "MIT") with NULL when the tool fails transiently. The IS DISTINCT FROM guard won't help because 'MIT' IS DISTINCT FROM NULL evaluates to TRUE. A persistent issue like a missing licensee binary would gradually erase all stored license data.

Additional Locations (1)

• services/apps/git_integration/src/crowdgit/worker/repository_worker.py#L244-L246

 

^{Reviewed by Cursor Bugbot for commit ef58578. Configure here.}