
Add dependency review workflow #34

Merged: 2 commits into main from feature/dependency-review, Nov 23, 2023

Conversation

m-ringler
Contributor

@m-ringler m-ringler commented Nov 22, 2023

Description

This PR sets up the dependency review action to avoid introducing vulnerabilities and incompatible licenses.
See actions/dependency-review-action: A GitHub Action for detecting vulnerable dependencies and invalid licenses in your PRs.

Type of change

  • New feature (non-breaking change which adds functionality)

How Has This Been Tested?

This PR.

Checklist:

  • I followed the Contributing Guidelines.
  • I did a self-review.
  • I commented my code, particularly in hard-to-understand areas.

@m-ringler m-ringler added cla Contributor License Agreement sent to Admin CI/CD dependencies Pull requests that update a dependency file labels Nov 22, 2023

codecov bot commented Nov 22, 2023

Codecov Report

Merging #34 (2e1a4aa) into main (41bac9f) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main      #34   +/-   ##
=======================================
  Coverage   77.64%   77.64%           
=======================================
  Files          58       58           
  Lines        1897     1897           
  Branches      121      121           
=======================================
  Hits         1473     1473           
  Misses        401      401           
  Partials       23       23           
Components Coverage Δ
czicompress 66.75% <ø> (ø)
czishrink 80.39% <ø> (ø)

@m-ringler m-ringler marked this pull request as ready for review November 22, 2023 12:51
@DaveyJonesBitPail
Contributor

I think it may be reasonable to have different sets of permissible/compatible licenses for different parts of the codebase.

Additionally, WiX uses the MS-RL, which is more stringently copyleft; if we were to use portions of their code (just generating an installer with the toolset is fine and not a concern), then we would be breaking this current set.

@m-ringler m-ringler requested a review from a team November 22, 2023 14:25
@m-ringler m-ringler self-assigned this Nov 22, 2023
@m-ringler
Contributor Author

m-ringler commented Nov 22, 2023

> I think it may be reasonable to have different sets of permissible/compatible licenses for different parts of the codebase.

Not sure about that. I think our code should be

  • licensable under MIT for czicompress
  • licensable under GPL for czishrink
  • usable in proprietary/closed-source code/products by ZEISS (with attribution) in its entirety as required by the CLA

The common denominator of that would be to allow dependencies with permissive, non-copy-left open source licenses compatible with the GPL.

> Additionally, WiX uses the MS-RL, which is more stringently copyleft; if we were to use portions of their code (just generating an installer with the toolset is fine and not a concern), then we would be breaking this current set.

I'd say: let's discuss changes to the admissible licenses when and where they become necessary. Whether we want to allow MS-RL code in the repository or not feels a bit off-topic to me, here. This PR is about the mechanism of dependency license checking, not about which licenses we want to allow.

Contributor

@DaveyJonesBitPail DaveyJonesBitPail left a comment

We may want to relax the fail-on-severity but I'm happy with keeping it at the default "low" until it becomes a problem
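As an added illustration (not the workflow file from this PR, which the page does not reproduce), here is a dependency review workflow of the kind the PR describes, showing where the `fail-on-severity` setting discussed above and a license allow-list live. The action version (v3, current when the PR was merged), the checkout action version, the `fail-on-scopes` setting and the list of SPDX license identifiers are assumptions chosen to illustrate the "permissive, non-copyleft, GPL-compatible" criterion from the discussion; the repository's actual settings are not shown on the page.

```yaml
# Added example of a dependency review workflow. Not the repository's own
# file: action versions, fail-on-scopes and the license allow-list are
# assumptions made for illustration.
name: Dependency review

on:
  pull_request:
    branches: [main]

# Least privilege: the action only needs to read repository contents.
# Add `pull-requests: write` only if comment-summary-in-pr is enabled.
permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Dependency review
        uses: actions/dependency-review-action@v3
        with:
          # Default is "low": any dependency introduced by the PR that has a
          # known advisory of severity low or above fails the check. Raise to
          # moderate / high / critical to relax it, as discussed in review.
          fail-on-severity: low
          # Only fail on runtime dependencies; development-scope additions
          # are reported but do not fail the check (assumed setting).
          fail-on-scopes: runtime
          # Allow-list of SPDX identifiers; any newly introduced dependency
          # whose license is not on this list fails the check. Illustrative
          # permissive, GPL-compatible set; the actual list is not on the page.
          allow-licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC
```

Two things a practitioner should know when deploying this: the action diffs the dependency manifests between the PR's base and head, so it evaluates only dependencies the PR adds or changes and says nothing about what is already in `main`; and `allow-licenses` and `deny-licenses` are mutually exclusive, so pick the allow-list form (as here) when the policy is "only these licenses", and the deny-list form when the policy is "anything except these".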

@m-ringler m-ringler merged commit f5e48cf into main Nov 23, 2023
19 checks passed
@m-ringler m-ringler deleted the feature/dependency-review branch November 23, 2023 12:27