author Matteo Bertucci <[email protected]> 2021-08-25 16:35:45 +0200
committer Matteo Bertucci <[email protected]> 2021-08-25 16:38:53 +0200
commit b3b9d3fb15f8909067be4bd8aedf1d17e51f7968
tree db57fe9bf2e105c99837b7163a4c9f7ca5c580d7 /.github
parent Merge pull request #1777 from python-discord/mbaruh-patch-1
CI: check for dependency licenses
Since our project is licensed under the MIT License, we can't be using any dependencies in our project. This commit adds a step to the CI lint phase that will use pip-licenses to verify that all the installed packages are part of an ALLOWED_LICENSE variable. This variable is currently set to be every license we currently use. We opted to use an allowlist instead of a denylist to make sure that new licenses are reviewed by hand and added to that variable.
Diffstat (limited to '.github')
-rw-r--r-- .github/workflows/lint-test.yml 17
1 files changed, 17 insertions, 0 deletions
diff --git a/.github/workflows/lint-test.yml b/.github/workflows/lint-test.yml
index e99e6d181..53d9baa59 100644
--- a/.github/workflows/lint-test.yml
+++ b/.github/workflows/lint-test.yml
@@ -11,6 +11,16 @@ jobs:
lint-test:
runs-on: ubuntu-latest
env:
+ # List of licenses that are compatible with the MIT License and
+ # can be used in our project
+ ALLOWED_LICENSE: Apache Software License;
+ BSD License;
+ GNU Library or Lesser General Public License (LGPL);
+ MIT License;
+ Mozilla Public License 2.0 (MPL 2.0);
+ Public Domain;
+ Python Software Foundation License
+
# Dummy values for required bot environment variables
BOT_API_KEY: foo
BOT_SENTRY_DSN: blah
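Review bot: ALLOWED_LICENSE in the env block is written as a plain scalar continued over seven lines, so YAML folds it into a single string with a space after each semicolon ("Apache Software License; BSD License; ..."). Whether the entries after the first still match then depends on pip-licenses trimming whitespace around each item passed to --allow-only; please confirm that, or make the intent explicit by putting the value on one line or using a folded block scalar. Since the variable holds a list, ALLOWED_LICENSES would also be a clearer name.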
@@ -67,6 +77,13 @@ jobs:
pip install poetry
poetry install
+ # Check all the dependencies are compatible with the MIT license.
+ # If you added a new dependencies that is being rejected,
+ # please make sure it is compatible with the license for this project,
+ # and add it to the ALLOWED_LICENSE variable
+ - name: Check Dependencies License
+ run: pip-licenses --allow-only="$ALLOWED_LICENSE"
+
# This step caches our pre-commit environment. To make sure we
# do create a new environment when our pre-commit setup changes,
# we create a cache key based on relevant factors.
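Review bot: the new "Check Dependencies License" step calls pip-licenses directly, while the lines just above it install the project with poetry install. If Poetry places the dependencies in its own virtualenv, pip-licenses would inspect a different environment (or not be found at all), and the check could pass without looking at the real dependency set; please confirm both run in the same environment or invoke it through poetry run, and make sure pip-licenses itself is installed before this step. Minor: in the comment, "a new dependencies" should be "a new dependency", and "add it to the ALLOWED_LICENSE variable" should say that it is the license, not the dependency, that gets added.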