This action finds and checks all licenses used by dependencies of a software project and can be configured to fail with an error message on invalid licenses.
Dependencies are detected using the respective languages' package manager.
- Python3 via pip
- CPP via Conan
- Rust via Cargo
- JavaScript via NPM
Shall a notice file be generated? Default false
The name of the notice file. Default "NOTICE-GENERATED"
Shall the action fail if a license violation is detected? Default false
Required Path to the config file for the license checker.
This option enables the capability to generate the input file for Eclipse Dash License Tool based on NOTICE-3RD-PARTY-CONTENT file in ClearlyDefined format based on ClearDefined Schema.
Required The path relative to repository where the whitelist for allowed licenses is located.
Required A list of directories to scan.
Required The path, relative to the repository root, of the directory to scan.
The path to the file to overwrite license decisions. Defaults to dependency_decisions_overwrites.yml.
In case the dir is a python project, this can be used to adjust the Python version. Supported values are either 2 or 3. Defaults to 3.
In case the dir is a Python project this allows to pass a list of requirement file paths (relative to the dir) which to consider for resolving dependencies. Defaults to requirements.txt.
In case the dir is a cpp/conan project this allows to pass a list of profile file paths (relative to the dir) which are considered for resolving dependencies. Defaults to the default conan profile.
jobs:
check-licenses:
runs-on: ubuntu-latest
name: Check Software Licenses
steps:
- name: Clone License Checker Repo
uses: actions/checkout@v4
with:
repository: eclipse-velocitas/license-check
ref: v1
path: .github/actions/license-check
- name: Run License Checker
uses: ./.github/actions/license-check
with:
config-file-path: ./.licensecheck.ymlwhitelist-file-path: ./whitelisted-licenses.txt
scan-dirs:
- path: ./src
python-version: 2
python-pip-included-requirement-files:
- my-requirements.txt
- dev-requirements.txt
- path: ./my-cpp-proj
cpp-conan-included-profile-files:
- ./profiles/prof1
- ./profiles/prof2The currently used version (v7.0.1) of the Pivotal License Finder has limited support for the Conan Package Manager:
- No direct support of conanfile.py; as a workaround you can add an empty conanfile.txt aside of your conanfile.py.
- It expects a file called "LICENSE*" in some subfolder of the package. If this is not present the scan will fail.
- It internally uses "conan install" to determine the dependencies, which tries to download those from Conan-Center. If no pre-built package is available it will try to build the source code locally, which will fail as the actually needed build environment cannot be well-known by this License Checker. As a workaround, the using repository should do this step before calling the License Checker.
Dependencies and their licenses are only detected if they are added using the respective language's package manager.
Manually added dependencies like locally stored libraries are NOT detected!
Pivotal/licenseFinder-> checking requirements.txt files, released under MIT license: linkWorkflow/license-checker-> checking used actions licenses
For guidance on setting up a development environment and how to make a contribution to the Velocitas License Check, see the contributing guidelines.