From 30c8a07ba87c56465274ccce8bc3067809b3b80f Mon Sep 17 00:00:00 2001
From: Eric Brown
Date: Wed, 15 May 2024 11:55:18 -0700
Subject: [PATCH] Adds dependency review action to verify allowed licensed dependencies (#3306)

This change will add a new action to scan the dependency's licenses for any that may not be allowed for this project. The pip-licenses command was run to get a dump of all the licenses associated with this repo and put into the allow-licenses list. Normally, you might only want to use deny-licenses list, but for packages like Redis, there is no defined SPDX identifier for it. Note: this list will require future maintenance as dependencies get added that are not already in the allow list. https://spdx.org/licenses/ https://github.com/raimon49/pip-licenses Related to issue #2901
Signed-off-by: Eric Brown
---
 .github/workflows/dependency-review.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 .github/workflows/dependency-review.yml

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 000000000..eb6eac00c
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,16 @@
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@v4
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@v4
+        with:
+          allow-licenses: Apache-2.0, BSD-2-Clause, BSD-3-Clause, HPND, ISC, MIT, MPL-2.0, PSF-2.0, Unlicense
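Review bot: Both `uses:` lines in the new workflow pin the third-party actions by a mutable major tag (`actions/checkout@v4`, `actions/dependency-review-action@v4`), so whatever commit those tags point to on a given day is what runs in a workflow whose whole purpose is supply-chain hygiene. Pinning to a full-length commit SHA with the tag kept in a trailing comment removes that moving part and keeps the version visible to reviewers, e.g. `uses: actions/checkout@<full-commit-sha>  # v4` and `uses: actions/dependency-review-action@<full-commit-sha>  # v4` (placeholders; take the SHAs from the upstream release tags). The commit message also carries the only record that `allow-licenses` was generated from a pip-licenses dump and will need updating as dependencies change; a comment above that key, such as `# Allow list generated from pip-licenses; extend it when a new dependency's SPDX id is not listed.`, puts that maintenance note where the next person editing the file will see it.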