pombredanne / license_approval

This project forked from ralexander-phi/license_approval

Track licenses and approvals

License: MIT License

Dockerfile 12.55% Ruby 21.23% Shell 66.22%

license_approval's Introduction

License Approval

A GitHub Action that helps you track and approve the licenses your project uses.

How it works:

  • You add a new dependency to your project and send it out for review in a pull request
  • License Approval detects the new dependency and finds the license
    • For completeness, License Approval checks transitive dependencies as well
  • If License Approval finds any license that isn't on the whitelist, it will block the pull request
  • Your team can review the license or consult with your legal team to determine if the license is acceptable
  • Finally you can add the license to the whitelist or blacklist as needed

This project relies heavily on pivotal/LicenseFinder. Be sure to review their docs as well.

Status

BETA. Working with Ruby/Bundle examples only at the moment.

Setup

First install license_finder locally:

$ gem install license_finder

Run the tool:

$ license_finder

You'll probably see a failure on the first run, with output like:

LicenseFinder::Bundler: is active

Dependencies that need approval:
bundler, 1.17.2, MIT
license_finder, 5.10.2, MIT
parslet, 1.8.2, MIT
rubyzip, 2.0.0, "Simplified BSD"
thor, 0.20.3, MIT
toml, 0.2.0, MIT
with_env, 1.1.0, MIT
xml-simple, 1.1.5, ruby

This indicates that the tool doesn't know if the MIT, Simplified BSD, and ruby licenses are acceptable for your project.

You can mark the MIT license as acceptable by running:

$ license_finder whitelist add MIT

Now any MIT licensed dependencies will automatically be approved.

If you don't want to fully approve a license you can approve packages individually as well:

$ license_finder approvals add xml-simple

Now take a look at the doc/dependency_decisions.yml that these commands created. You'll need to add this to source control, so git add it.
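The following is an added example, not code from this project or from LicenseFinder: a Ruby script that parses the first-run report shown above, groups the pending packages by license for review, and emits the two approval commands this README uses. The function names and the `accepted_licenses` / `accepted_packages` lists are hypothetical stand-ins for your team's review decisions.

```ruby
require 'shellwords'

# Constructed sample input: the first-run output shown in this README.
REPORT = <<~OUT
  LicenseFinder::Bundler: is active

  Dependencies that need approval:
  bundler, 1.17.2, MIT
  license_finder, 5.10.2, MIT
  parslet, 1.8.2, MIT
  rubyzip, 2.0.0, "Simplified BSD"
  thor, 0.20.3, MIT
  toml, 0.2.0, MIT
  with_env, 1.1.0, MIT
  xml-simple, 1.1.5, ruby
OUT

Dep = Struct.new(:name, :version, :license)

# Parse the lines after the "need approval" header. The license is the third
# field and may be double-quoted, so split into at most three parts.
def parse_report(text)
  lines = text.lines.map(&:strip)
  body = lines.drop_while { |l| l != 'Dependencies that need approval:' }.drop(1)
  body.reject(&:empty?).map do |line|
    name, version, license = line.split(', ', 3)
    raise ArgumentError, "unrecognised report line: #{line.inspect}" if license.nil?
    Dep.new(name, version, license.delete_prefix('"').delete_suffix('"'))
  end
end

# Group pending packages by license so each license gets one review decision.
def pending_by_license(deps)
  deps.group_by(&:license).transform_values { |ds| ds.map(&:name).sort }
end

# Turn review decisions into the README's two commands. License and package
# names come from third-party metadata, so they are shell-escaped.
def commands_for(deps, accepted_licenses:, accepted_packages:)
  ok, rest = pending_by_license(deps).partition { |lic, _| accepted_licenses.include?(lic) }
  cmds = ok.map { |lic, _| Shellwords.join(['license_finder', 'whitelist', 'add', lic]) }
  leftover = rest.flat_map { |_, names| names }
  cmds += (leftover & accepted_packages).map { |p| Shellwords.join(['license_finder', 'approvals', 'add', p]) }
  [cmds, leftover - accepted_packages]
end

deps = parse_report(REPORT)
cmds, blocked = commands_for(deps, accepted_licenses: ['MIT'], accepted_packages: ['xml-simple'])
puts cmds, "still blocking the pull request: #{blocked.join(', ')}"
```

With the sample decisions, rubyzip is the only package left unapproved, because neither its license nor the package itself was accepted.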

Once you've approved everything you need, you can turn on the workflow by adding a file under .github/workflows. See the example this repo uses: https://github.com/ralexander-phi/license_approval/blob/master/.github/workflows/main.yml

Tweak your workflow if needed, then start a pull request with the changes. If everything is working, you should see a new check in the pull request and it should be passing. If so, congratulations, you're done.

Now your team will be able to keep track of software licensing approvals right in your pull request workflow.

Feel free to open an issue if you run into any problems or have suggestions for improvements.

license_approval's People

Contributors

ralexander-phi
