ci(LicenseFinder): Prevent license violations

Run Pivotal's License Finder as a pre-commit hook. License Finder currently supports Yarn along with numerous other package managers. License policies are configured via `doc/dependency_decisions.yml`. Install the Yarn licenses plugin, which License Finder relies on to list the licenses of dependencies. The License Finder pre-commit hook depends on Ruby, so add Ruby as an asdf tool.
ScribeMD · Mar 31, 2023 · a9a71f6 · a9a71f6
1 parent 4ea278a
commit a9a71f6
Show file tree

Hide file tree

Showing 5 changed files with 83 additions and 0 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -79,6 +79,12 @@ repos:
     hooks:
       - id: check-useless-excludes
 
+  ## Polyglot
+  - repo: https://github.com/pivotal/LicenseFinder
+    rev: v7.1.0
+    hooks:
+      - id: license-finder
+
   ## Python
   - repo: https://github.com/Lucas-C/pre-commit-hooks-safety
     rev: v1.3.1

diff --git a/.tool-versions b/.tool-versions
@@ -2,3 +2,4 @@ nodejs 18.15.0 # Keep in sync with package.json.
 yarn 1.22.19
 python 3.11.2 # Keep in sync with .pre-commit-config.yaml and pyproject.toml.
 poetry 1.4.1
+ruby 3.2.1
diff --git a/.yarn/plugins/@yarnpkg/plugin-licenses.cjs b/.yarn/plugins/@yarnpkg/plugin-licenses.cjs
diff --git a/.yarnrc.yml b/.yarnrc.yml
@@ -5,6 +5,8 @@ plugins:
     spec: "@yarnpkg/plugin-interactive-tools"
   - path: .yarn/plugins/@yarnpkg/plugin-stage.cjs
     spec: "@yarnpkg/plugin-stage"
+  - path: .yarn/plugins/@yarnpkg/plugin-licenses.cjs
+    spec: "https://raw.githubusercontent.com/mhassan1/yarn-plugin-licenses/v0.11.0/bundles/@yarnpkg/plugin-licenses.js"
 
 supportedArchitectures:
   os:

diff --git a/doc/dependency_decisions.yml b/doc/dependency_decisions.yml
@@ -0,0 +1,41 @@
+---
+- - :permit
+  - Apache 2.0
+  - :who: Kurt von Laven
+    :why: permissive free software license
+- - :permit
+  - CC-BY-4.0
+  - :who: Kurt von Laven
+    :why: permissive free license
+- - :permit
+  - BSD Zero Clause License
+  - :who: Kurt von Laven
+    :why: public domain equivalent software license
+- - :permit
+  - New BSD
+  - :who: Kurt von Laven
+    :why: permissive free software license
+- - :permit
+  - Simplified BSD
+  - :who: Kurt von Laven
+    :why: permissive free software license
+- - :permit
+  - ISC
+  - :who: Kurt von Laven
+    :why: permissive free software license
+- - :permit
+  - MIT
+  - :who: Kurt von Laven
+    :why: permissive free software license
+- - :permit
+  - Python-2.0
+  - :who: Kurt von Laven
+    :why: permissive free software license
+- - :permit
+  - Unlicense
+  - :who: Kurt von Laven
+    :why: public domain equivalent software license
+- - :approve
+  - docker-cache
+  - :who: Kurt von Laven
+    :why: top-level package