Skip to content

[ISSUE #4720] Modernize CI license check and Enable Dependabot #23

[ISSUE #4720] Modernize CI license check and Enable Dependabot

[ISSUE #4720] Modernize CI license check and Enable Dependabot #23

Workflow file for this run

#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
name: 'License Check'
on: [ pull_request ]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v4
- name: 'Check license header'
uses: apache/skywalking-eyes@main
- name: 'Dependency Review'
uses: actions/dependency-review-action@v4
with:
# Post Submit dependency graph
retry-on-snapshot-warnings: true
retry-on-snapshot-warnings-timeout: 600
vulnerability-check: false
license-check: true
# Incompatible licenses addressed here: https://www.apache.org/legal/resolved.html
# Special notice for GPL licenses: https://www.apache.org/licenses/GPL-compatibility.html
# Find SPDX identifiers here: https://spdx.org/licenses/
deny-licenses: >
MS-LPL, BUSL-1.1,
CC-BY-NC-1.0, CC-BY-NC-2.0, CC-BY-NC-2.5, CC-BY-NC-3.0, CC-BY-NC-4.0,
GPL-1.0, GPL-2.0, GPL-3.0, AGPL-3.0, LGPL-2.0, LGPL-2.1, LGPL-3.0,
GPL-1.0-only, GPL-2.0-only, GPL-3.0-only, AGPL-3.0-only, LGPL-2.0-only, LGPL-2.1-only, LGPL-3.0-only,
QPL-1.0, Sleepycat, SSPL-1.0, CPOL-1.02,
BSD-4-Clause, BSD-4-Clause-UC, NPL-1.0, NPL-1.1, JSON
# Artifacts with multiple licenses, where at least one license is compatible with Apache 2.0, are allowed.
# TODO This attribute can be removed after https://github.com/actions/dependency-review-action/issues/670 is resolved.
allow-dependencies-licenses: >
pkg:maven/com.rabbitmq/amqp-client,
pkg:maven/javax.xml.stream/stax-api