
ci: add license check job #18

Merged: jamesbhobbs merged 3 commits into main from add-dependency-license-checking-to-ci on Oct 2, 2025

Conversation

andyjakubowski (Contributor) commented Oct 2, 2025

Fixes #17

This PR introduces automated license compliance checks using license-checker-rseidelsohn.

  • Adds a license-check script in package.json to enforce an allowlist of permissive licenses (MIT, Apache-2.0, BSD, ISC).
  • Excludes the root deepnote package from scanning to avoid false positives (UNLICENSED due to "private": true).
  • CI will now fail if any dependency with a disallowed license is introduced.

This ensures that all dependencies in the monorepo remain compatible with our Apache-2.0 licensing.

Summary by CodeRabbit

  • Chores
    • Introduced automated license compliance checks into CI to ensure dependencies use approved licenses.
    • Added a project script and development dependency to run the license audit locally and in CI.
    • Minor spelling-dictionary update for tooling names.
    • No user-facing functionality changes; improves governance and build reliability.

Signed-off-by: Andy Jakubowski <[email protected]>
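The allowlist logic this PR describes (permissive licenses only, root package excluded so its UNLICENSED entry is not a false positive, non-zero exit on a violation) can be illustrated with a small Node.js script. This is an added example, not the PR's own `license-check` script and not part of license-checker-rseidelsohn; the report below is constructed in the shape license-checker emits as JSON (`"name@version"` keys with a `licenses` string or array), and the `private` field and the trailing `*` marking for licenses the tool guessed rather than read from package.json are assumptions about that output. The script goes a little beyond the PR's description by handling SPDX `OR`/`AND` expressions and scoped package names.

```javascript
// Added example (not the PR's script): apply a license allowlist to a
// license-checker-style JSON report, skipping the root private package.

const ALLOWED_LICENSES = new Set(["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"]);
// The root package is "private": true, which license-checker reports as UNLICENSED;
// excluding it by name avoids a guaranteed false positive.
const EXCLUDED_PACKAGES = new Set(["deepnote"]);

// Constructed sample report (assumed shape: "<name>@<version>" keys, "licenses"
// string or array; a trailing "*" is assumed to mark a guessed license).
const SAMPLE_REPORT = {
  "deepnote@0.1.0": { licenses: "UNLICENSED", private: true },
  "lodash@4.17.21": { licenses: "MIT" },
  "@scope/dual@1.0.0": { licenses: "(MIT OR Apache-2.0)" },
  "both@2.0.0": { licenses: "Apache-2.0 AND MIT" },
  "copyleft@3.0.0": { licenses: "GPL-3.0" },
  "guessed@1.2.3": { licenses: "MIT*" },
  "multi@0.9.0": { licenses: ["MIT", "Apache-2.0"] },
};

// Split "name@version" at the last "@" so scoped names ("@scope/pkg") survive.
function splitPackageKey(key) {
  const at = key.lastIndexOf("@");
  return { name: key.slice(0, at), version: key.slice(at + 1) };
}

// Evaluate a flat SPDX expression (no nested parentheses). OR lets the consumer
// pick any alternative, so one allowed alternative suffices; AND means every
// listed license applies, so all of them must be on the allowlist.
function isAllowedExpression(expr, allowed) {
  const cleaned = expr.replace(/[()]/g, "").trim();
  if (cleaned === "") return false;
  return cleaned
    .split(/\s+OR\s+/)
    .some((alt) => alt.split(/\s+AND\s+/).every((id) => allowed.has(id.trim())));
}

// Return one violation record per package/license that is not acceptable.
function checkReport(report, { allowed = ALLOWED_LICENSES, excluded = EXCLUDED_PACKAGES } = {}) {
  const violations = [];
  for (const [key, entry] of Object.entries(report)) {
    const { name } = splitPackageKey(key);
    if (excluded.has(name)) continue;
    const raw = entry.licenses;
    const licenses = Array.isArray(raw) ? raw : [raw ?? "UNKNOWN"];
    for (const lic of licenses) {
      const guessed = lic.endsWith("*");
      const expr = guessed ? lic.slice(0, -1) : lic;
      if (guessed) {
        // Fail closed: a license the tool inferred needs a human to confirm it.
        violations.push({ package: key, license: lic, reason: "license guessed by tool; confirm manually" });
      } else if (!isAllowedExpression(expr, allowed)) {
        violations.push({ package: key, license: lic, reason: "not in allowlist" });
      }
    }
  }
  return violations;
}

// CI semantics: any violation fails the job.
function exitCodeFor(violations) {
  return violations.length === 0 ? 0 : 1;
}

if (typeof require !== "undefined" && require.main === module) {
  const violations = checkReport(SAMPLE_REPORT);
  for (const v of violations) console.log(`${v.package}: ${v.license} (${v.reason})`);
  console.log(violations.length === 0
    ? "license check passed"
    : `license check failed: ${violations.length} violation(s)`);
}

if (typeof module !== "undefined") {
  module.exports = { ALLOWED_LICENSES, EXCLUDED_PACKAGES, SAMPLE_REPORT, splitPackageKey, isAllowedExpression, checkReport, exitCodeFor };
}
```

In a real pipeline the report would be read from the license checker's JSON output rather than embedded, and the script would set `process.exitCode` from `exitCodeFor` so the CI job fails on the first disallowed or unverified license. Running `checkReport` with an empty exclusion set shows the false positive the PR avoids: the root package's UNLICENSED entry becomes a third violation.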
coderabbitai (Bot, Contributor) commented Oct 2, 2025

Walkthrough

Adds a new GitHub Actions job "License Check" to .github/workflows/ci.yml that runs on ubuntu-latest with a 5-minute timeout. The job checks out code, sets up pnpm and Node.js via .nvmrc (with pnpm cache), installs dependencies with --frozen-lockfile, and runs the new npm script license-check. package.json gains a license-check script and a devDependency [email protected]. cspell.json adds the word "rseidelsohn".

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as GitHub Actions
  participant Workflow as CI Workflow
  participant LicenseJob as "License Check Job"
  participant Tool as "license-checker-rseidelsohn"

  Dev->>GH: Push / PR
  GH->>Workflow: Trigger CI
  Workflow->>LicenseJob: Start (ubuntu-latest, timeout 5m)
  rect rgba(200,235,255,0.25)
    note right of LicenseJob: Steps: checkout → setup pnpm → setup Node (.nvmrc, pnpm cache) → install deps (--frozen-lockfile)
    LicenseJob->>Tool: pnpm run license-check (JSON output)
    note right of Tool: Allow: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC\nExclude: deepnote
    Tool-->>LicenseJob: Report/exit code
  end
  LicenseJob-->>Workflow: Job status
  Workflow-->>GH: CI result

Possibly related PRs

  • deepnote/deepnote-toolkit#158 — Also modifies CI workflow jobs; closely related changes to GitHub Actions configuration.
  • chore: setup spell-check and root pnpm config #2 — Adds repository check tooling and changes CI, package.json scripts, and cspell configuration; overlaps with this PR's scope.

Pre-merge checks

❌ Failed checks (1 warning)

  • Out of Scope Changes Check: ⚠️ Warning. Explanation: The addition of "rseidelsohn" to cspell.json is unrelated to the license checking objectives in issue #17 and represents an out-of-scope change. Resolution: Remove or justify the cspell.json update separately from this PR to focus the changes strictly on license checking.

✅ Passed checks (4 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title Check: ✅ Passed. The title "ci: add license check job" succinctly and accurately summarizes the primary change of introducing a license check in the CI workflow, making it clear to any reviewer.
  • Linked Issues Check: ✅ Passed. The changes implement the objectives of issue #17 by adding a license-check script, installing the license-checker devDependency, integrating the check as a CI job, and excluding the root package to prevent false positives, ensuring CI fails on disallowed licenses.
  • Docstring Coverage: ✅ Passed. No functions found in the changes. Docstring coverage check skipped.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 051c4b4 and 021c0df.

📒 Files selected for processing (2)
  • .github/workflows/ci.yml (1 hunks)
  • cspell.json (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-08-18T23:41:22.727Z
Learnt from: CR
PR: deepnote/deepnote#0
File: CONVENTIONS.md:0-0
Timestamp: 2025-08-18T23:41:22.727Z
Learning: Use pnpm over npm; check package.json for scripts

Applied to files:

  • .github/workflows/ci.yml

Comment @coderabbitai help to get the list of available commands and usage tips.

codecov (Bot) commented Oct 2, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (fa71a14) to head (021c0df).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@            Coverage Diff            @@
##              main       #18   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            1         1           
  Lines            3         3           
  Branches         1         1           
=========================================
  Hits             3         3           


coderabbitai (Bot, Contributor) left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fa71a14 and 051c4b4.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • .github/workflows/ci.yml (1 hunks)
  • package.json (2 hunks)
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2025-08-18T23:41:22.727Z
Learnt from: CR
PR: deepnote/deepnote#0
File: CONVENTIONS.md:0-0
Timestamp: 2025-08-18T23:41:22.727Z
Learning: Use provided build/lint/test commands (pnpm build, lint, typecheck, test) and Nx invocations

Applied to files:

  • package.json
📚 Learning: 2025-09-03T13:01:49.096Z
Learnt from: CR
PR: deepnote/vscode-extension#0
File: .github/instructions/typescript.instructions.md:0-0
Timestamp: 2025-09-03T13:01:49.096Z
Learning: Use `npm run format` to check code style

Applied to files:

  • package.json
🪛 GitHub Actions: CI
package.json

[error] 18-18: CSpell: Unknown word 'rseidelsohn'.

[error] 46-46: CSpell: Unknown word 'rseidelsohn'.

@jamesbhobbs jamesbhobbs merged commit 2244aee into main Oct 2, 2025
10 checks passed
@jamesbhobbs jamesbhobbs deleted the add-dependency-license-checking-to-ci branch October 2, 2025 10:24

Development

Successfully merging this pull request may close these issues: Add dependency license checking to CI

2 participants