Add dependency review workflow #34
Codecov Report

Coverage Diff (main vs. #34):

              main     #34     +/-
Coverage    77.64%  77.64%   (no change)
Files           58      58
Lines         1897    1897
Branches       121     121
Hits          1473    1473
Misses         401     401
Partials        23      23
I think it may be reasonable to have different sets of permissible/compatible licenses for different parts of the codebase. Additionally, Wix uses the MS-RL, which is more stringently copyleft; if we were to use portions of their code (just generating an installer with the toolset is fine and not a concern), then we would be breaking this current set.
Not sure about that. I think our code should be
The common denominator of that would be to allow dependencies with permissive, non-copy-left open source licenses compatible with the GPL.
I'd say: let's discuss changes to the admissible licenses when and where they become necessary. Whether we want to allow MS-RL code in the repository or not feels a bit off-topic to me here. This PR is about the mechanism of dependency license checking, not about which licenses we want to allow.
We may want to relax the fail-on-severity but I'm happy with keeping it at the default "low" until it becomes a problem
Description
This PR sets up dependency review action to avoid introducing vulnerabilities and incompatible licenses.
See actions/dependency-review-action: A GitHub Action for detecting vulnerable dependencies and invalid licenses in your PRs.
How Has This Been Tested?
This PR.
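As an added illustration of the mechanism this PR introduces (not the project's own workflow file), the following is a dependency review workflow wired to actions/dependency-review-action. It ties together the two points raised in the thread: the `fail-on-severity` threshold kept at the default "low", and an allow-list of permissive, non-copyleft, GPL-compatible licenses. The inputs `fail-on-severity`, `allow-licenses` and `comment-summary-in-pr` are documented inputs of the action; the `@v4` tags and the concrete license list are assumptions chosen to match the discussion.

```yaml
# Added example, not the project's own workflow. Action inputs are documented
# inputs of actions/dependency-review-action; version tags and the license
# allow-list are assumptions chosen to match the PR discussion.
name: Dependency review

on:
  pull_request:
    branches: [main]

# Least privilege: reading the dependency graph needs contents: read;
# pull-requests: write is only required for the summary comment below.
permissions:
  contents: read
  pull-requests: write

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Dependency review
        uses: actions/dependency-review-action@v4
        with:
          # Fail the check when a dependency added or changed by the PR has a
          # known vulnerability of this severity or higher. "low" is the
          # action's default and the threshold kept in the review above.
          fail-on-severity: low
          # SPDX allow-list of permissive, non-copyleft, GPL-compatible
          # licenses (assumed list). A new dependency whose license is not
          # in this list fails the check; copyleft licenses such as MS-RL
          # are therefore rejected by omission rather than listed explicitly.
          allow-licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC
          # Post findings as a PR comment so reviewers see them inline.
          comment-summary-in-pr: always
```

The action diffs the PR's dependency manifests against the base branch, so only dependencies the PR adds or changes are checked; existing dependencies are not re-audited. If "low" proves too noisy, raising `fail-on-severity` to `moderate` or `high` is a one-line change, and `allow-licenses` can be widened later as the thread suggests, without touching the rest of the workflow.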