feat: Add dependency license scanning with licensed #191
Open
beanrepo wants to merge 36 commits into arduino:main from
Co-authored-by: Copilot <copilot@github.com>
Integrate the `licensed` Ruby gem (v5.0.6) to scan, cache, validate, and report third-party pip dependency licenses across the library and selected container environments.

What's included

- `.licensed.yml` adds a multi-app `licensed` configuration for 5 targets:
  - `arduino-app-bricks`
  - `python-base`
  - `aihub-models-runner`
  - `gesture-recognition-runner`
  - `python-apps-base`
- `.licenses/` adds cached dependency license records for the currently enumerated pip dependencies across the configured apps. Several records were manually normalized from `license: none` / `license: other` to reviewed SPDX identifiers when the license text could be reliably identified.
- `Taskfile.dist.yml` adds:
  - `license:headers` to keep SPDX headers and top-level license files managed via REUSE
  - `license:init-venvs` to build the Python virtual environments used by `licensed`
  - `license:cleanup-venvs` to remove those environments manually when needed
  - `install:licensed` to verify/install the Ruby gem
  - `license:deps` to run `licensed cache` followed by `licensed status`
  - `license` task chaining `license:headers` -> `license:deps`
- `REUSE.toml` excludes `.licenses/**` from REUSE processing so SPDX strings embedded in cached license texts do not trigger unwanted license downloads.
- `.gitignore` ignores `.licensed-venv-*` and `containers/*/.licensed-venv/`.
- `.github/workflows/check-dependency-licenses.yml` adds a dedicated PR workflow that:
  - `task license:deps`
  - `licensed` errors directly in GitHub Actions
  - `licensed` virtualenvs
  - `licensed status` reports actual dependency errors, instead of failing on every cache/version drift case
- `.github/workflows/ci-checks.yml` keeps `license:headers` in the main CI flow, while dependency license validation now runs in its dedicated workflow.

Notes

- `ai-edge-litert==1.3.0` (`gesture-recognition-runner`) is arm64-only and is intentionally skipped on unsupported runners; it is surfaced in CI as a non-blocking warning.
- `licensed` virtualenvs are kept as ignored local artifacts for reuse and can be removed manually with `task license:cleanup-venvs`.
- `licensed` is installed automatically if needed; locally, the task asks for a manual `gem install licensed -v 5.0.6` when the gem is missing.
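The description mentions records that were manually normalized from `license: none` / `license: other`. The following is an added example, not part of this pull request or of `licensed` itself, that lists the cached records still needing that review. It assumes records are YAML files named `*.dep.yml` under `<cache root>/<app>/pip/` with `name`, `version` and `license` keys; the function names and the sample packages are hypothetical.

```ruby
require "yaml"
require "tmpdir"
require "fileutils"

# Classifications that do not name a concrete license (the two values the PR text cites).
UNRESOLVED = %w[none other].freeze

# Returns "app/name@version: status" strings, in path order, for every cached
# record under cache_root whose license field is missing, "none" or "other".
# Assumption: the first directory below cache_root is the app name.
def unresolved_records(cache_root)
  Dir.glob(File.join(cache_root, "**", "*.dep.yml")).sort.filter_map do |path|
    record = YAML.safe_load(File.read(path)) || {}
    license = record["license"].to_s.strip.downcase
    next unless license.empty? || UNRESOLVED.include?(license)

    app = path.delete_prefix(cache_root + File::SEPARATOR).split(File::SEPARATOR).first
    status = license.empty? ? "missing" : license
    "#{app}/#{record['name']}@#{record['version']}: #{status}"
  end
end

# Constructed sample cache: package names and versions are made up.
def build_sample_cache(root)
  samples = {
    "python-base/pip/alpha.dep.yml" => { "name" => "alpha", "version" => "1.0.0", "license" => "mit" },
    "python-base/pip/beta.dep.yml" => { "name" => "beta", "version" => "2.1.0", "license" => "other" },
    "aihub-models-runner/pip/gamma.dep.yml" => { "name" => "gamma", "version" => "0.3.1", "license" => "none" },
    "aihub-models-runner/pip/delta.dep.yml" => { "name" => "delta", "version" => "4.0.0" }
  }
  samples.each do |relative, data|
    path = File.join(root, relative)
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, data.to_yaml)
  end
end

# Builds the sample cache in a temporary directory and scans it.
def demo
  Dir.mktmpdir do |root|
    build_sample_cache(root)
    unresolved_records(root)
  end
end

puts demo if __FILE__ == $PROGRAM_NAME
```

Pointing `unresolved_records` at a real cache directory gives a review queue that can be diffed between runs to spot newly unclassified dependencies.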