Skip to content
/ license-compliance-action Public

License compliance for Node applications made ultra easy. Provide it a string of licenses or fetch licenses dynamically from an online source.

github.com/marketplace/actions/license-compliance

License

MIT license
7 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

mikaelvesavuori/license-compliance-action

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace
BranchesTags

Repository files navigation

license-compliance GitHub Action

License compliance for Node applications made ultra easy. Provide it a string of licenses or fetch licenses dynamically from an online source.

Uses license-compliance to check if open source packages you are using for production builds have allowed licenses.

Note that you will need to have a package.json file present for this action to run (else it will exit gracefully). The action will install all dependencies before checking, so that the licenses can be accessed.

Setup and usage

There really is not that much to setup! However, if you want your licenses living somewhere else, you will need to provide a service that accepts GET requests. The response must not be deeper than one level (if it is nested, use nested_field explained below).

A hot tip is to use a basic service like Mockachino to serve them, at least as a start. An object that matches the defaults would look like:

{
  "licenseString": "MIT;ISC;0BSD;BSD-2-Clause;BSD-3-Clause;Apache-2.0"
}

Optional input arguments

allow_licenses

A list of allowed licenses. It will default to the very open and generous set of MIT;ISC;0BSD;BSD-2-Clause;BSD-3-Clause;Apache-2.0.

nested_field

If pointing the allow_licenses input to an URL, use this to indicate whether the response will be in a single-level-nested object, such as under allowedLicenses.

exclude_pattern

An exclusion pattern, such as /^@the-project/;some-package.

Example of how to use this action in a workflow

Minimal use-case where you want to just get going with the defaults:

on: [push]

jobs:
  main:
    runs-on: ubuntu-latest
    steps:
      - name: License compliance check
        uses: mikaelvesavuori/license-compliance-action@v1

If you want a more dynamic setup with the allowed licenses residing somewhere else, then you can do:

on: [push]

jobs:
  main:
    runs-on: ubuntu-latest
    steps:
      - name: License compliance check
        uses: mikaelvesavuori/license-compliance-action@v1
        with:
          allow_licenses: "https://www.mockachino.com/{{YOUR_RANDOM_STRING}}/licenses"
          nested_field: "licenseString"

Testing and development

To test it locally while developing you will perhaps need to have some non-compliant packages to ensure the script breaks at the right time. Assuming you are not allowing AGPL you can install for example (random package here) npm install eplengine -S.

Then to start the test script run sh test.sh.

About

License compliance for Node applications made ultra easy. Provide it a string of licenses or fetch licenses dynamically from an online source.

github.com/marketplace/actions/license-compliance

Topics

nodejs node security-tools license-compliance compliance-automation license-checker automated-security-testing

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Security policy

Security policy
Activity

Stars

7 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases 4

Version 1.0.3 Latest
Feb 20, 2024
+ 3 releases

Languages