[PD1-242] Add automated license compliance check #12
Conversation
PD1-242 Report Open Source Licenses
License CheckerWe need an Open Source license report for our new investor. Each repo can write to one or more CSV license report file in a bucket owned by the audit account, cvecaudit-licenses. So s3://cvecaudit-licenses/cvec-backend.python.csv would have the license report for the Python dependencies of the cvec-backend repo. Some project, like I will need the CSV files to have a standard column structure. I will add a tool to cvec-management-account to accumulate all of the reports. The tool will iterate the list of unarchived repos, and load the CSV license report for each. This way, when we retire a repo, it is removed from the license report. It looks like there is no way to report on Docker images. We can, however, scrape licenses from our Ubuntu systems from Ubuntu UpgradeStandard support for Ubuntu 22.04 ends April 2027. Standard support for Ubuntu 24.04 ends April 2029. |
joshuanapoli
force-pushed
the
jn/licensecheck
branch
7 times, most recently
from
2c9dcb7 to
842c4de
Compare
Add automated license compliance checking using uvx licensecheck.
joshuanapoli
force-pushed
the
jn/licensecheck
branch
from
842c4de to
672ecbf
Compare
|
I will roll this out via cvec-maintenance-account, rather than individual PRs. |
The new workflow generates a JSON report, displays formatted license information for all dependencies, and fails the build if any packages have incompatible licenses.
Testing
See the builds on the two commits in this PR.
The first contains a license violation, we see a build failure.
After removing the license violation, the build passes.
The license report is visible in the build output.