@jeffpaul jeffpaul commented Nov 14, 2025

Ideally we merge #78 first and then I can rebase this PR from trunk to get the readme badge properly aligned.

What?

Relates to #28.

This pull request introduces automated dependency license checking to the project by adding configuration and workflow files for GitHub's Dependency Review Action. It ensures that only GPL-compatible licenses are allowed in dependencies, aligning with open source compliance requirements. Additionally, a status badge is added to the README.md to indicate the status of the dependency review workflow.

Dependency review automation:

  • Added .github/dependency-review-config.yml to enforce a strict allow-list of GPL-compatible licenses for all dependencies, based on the FSF's official list.
  • Introduced .github/workflows/dependency-review.yml workflow to automatically check new or updated dependencies in pull requests for license compliance using GitHub's Dependency Review Action.

Documentation:

  • Updated README.md to include a badge displaying the status of the new dependency review workflow.

How?

Note that the background on the specific licenses noted in the config file is described here (which was generally pulled from prior work in the Gutenberg plugin).

Test using WordPress Playground

The changes in this pull request can be previewed and tested using this WordPress Playground instance:

Click here to test this pull request.

@jeffpaul jeffpaul added this to the 0.1.0 milestone Nov 14, 2025
@jeffpaul jeffpaul self-assigned this Nov 14, 2025
github-actions bot commented Nov 14, 2025

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: jeffpaul <jeffpaul@git.wordpress.org>
Co-authored-by: dkotter <dkotter@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@jeffpaul jeffpaul moved this to Needs review in WordPress AI Planning & Roadmap Nov 14, 2025
Comment on lines 10 to 11

```yaml
permissions:
  contents: read
```
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Noted this on the other workflow PR, but the approach we've taken so far is to disable all permissions at the workflow level and then add proper permissions at the job level. So I think we just need to change this to `permissions: {}` and then move this block to the dependency-review job.

Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should be resolved in b11ac24.

Updated the dependency review workflow to disable default permissions and added specific permissions for the job.
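The workflow-level versus job-level permissions pattern discussed in the thread above, as an added illustrative workflow that is not the project's actual `dependency-review.yml`. The action versions, trigger, runner and job name are assumptions; the config-file path is the one named in the PR description.

```yaml
# Illustrative workflow (not the project's own file).
#
# Weak pattern flagged in review: a workflow-level grant applies to every
# job in the file, so each job's GITHUB_TOKEN carries this scope whether
# the job needs it or not.
#
# permissions:
#   contents: read
#
# Hardened pattern: clear all default permissions at the workflow level,
# then grant each job only what it needs.
name: Dependency Review

on:
  pull_request:

# Empty mapping: the GITHUB_TOKEN starts with no permissions for any job.
permissions: {}

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    # Only this job receives read access to repository contents, which is
    # what the action needs to diff the dependency manifests of base and head.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4          # version assumed
      - uses: actions/dependency-review-action@v4   # version assumed
        with:
          # License allow-list lives in the config file added by this PR.
          config-file: ./.github/dependency-review-config.yml
```

If a job later needs to post a summary comment on the PR, grant `pull-requests: write` on that job alone rather than reopening the workflow-level block.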
@jeffpaul jeffpaul requested a review from dkotter November 19, 2025 03:25
Co-authored-by: Darin Kotter <darin.kotter@gmail.com>
@jeffpaul jeffpaul merged commit 881761b into trunk Nov 19, 2025
14 of 19 checks passed
@jeffpaul jeffpaul deleted the add/dependency-check branch November 19, 2025 20:46
@github-project-automation github-project-automation bot moved this from Needs review to Done in WordPress AI Planning & Roadmap Nov 19, 2025