Licensed's core workflow is a multi-step process:

- `licensed cache` (docs) is run manually and/or in an automated workflow
  - Creates or updates files in a git repo containing metadata, including licenses and other legal text, for each dependency used by a project
- `licensed status` (docs) is run manually and/or in an automated workflow
  - Validates that every detected dependency has a metadata file written in the repository, and that each dependency's stored metadata passes a number of compliance checks
- Any detected errors/warnings are manually resolved
- Repeat the above steps until all dependencies have metadata files stored in the repository and `licensed status` is not reporting any errors.
Caching dependency metadata into the repository brings the metadata contents closer to the dependencies where they are used, making status validation faster and possible in offline scenarios. Keeping metadata alongside your code in git gives teams an easily auditable trail for dependency updates over time, and ties into common review practices to ensure that changes aren't quietly ignored.
Caching metadata should be done whenever project code changes, to ensure that metadata files are in sync with the current state of the project code.
Dependency metadata checks verify that every dependency
- has a metadata file available, or has been explicitly ignored by the project owners or OSS experts
- is using an approved OSS license, or has been reviewed and signed off by an OSS expert
- is up to date with the current state of a project
Checking dependencies for compliance violations should be performed whenever code changes in a repository. Moving compliance checks inline in the development workflow reduces friction, and can even prevent costly situations later if a non-compliant dependency would otherwise need to be removed from a project.
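The cache-then-status workflow above, wired into a CI gate that also fails the job when `licensed cache` left uncommitted changes (metadata out of sync with the code, as described earlier). This is an added example, not part of github/licensed; it assumes `licensed` is on PATH and that the cache directory is `.licenses`, and each step is passed in as a command name so the gate can be exercised without either tool installed.

```shell
#!/bin/sh
# Added example, not part of github/licensed: a CI gate for the
# cache -> status workflow. Fails the job if either step reports a problem
# or if the cached metadata does not match the committed state.

# Assumption: `licensed` is on PATH and the cache directory is `.licenses`
# (licensed's default); adjust both for your configuration.
CACHE_DIR="${CACHE_DIR:-.licenses}"

cache_step()  { licensed cache; }
status_step() { licensed status; }

# Succeeds only when `licensed cache` left nothing uncommitted under
# CACHE_DIR, i.e. the committed metadata matches the current dependencies.
sync_step() { [ -z "$(git status --porcelain -- "$CACHE_DIR")" ]; }

# run_gate CACHE_CMD SYNC_CMD STATUS_CMD
# Each argument is a command (shell function or binary) run without arguments.
# Prints one word (ok, cache-failed, stale-metadata or status-failed) and
# returns 0 only for ok, so callers can branch on either.
run_gate() {
  # Step 1: create/update metadata files for every detected dependency.
  if ! "$1"; then echo cache-failed; return 1; fi
  # A dirty cache directory means a dependency changed but its metadata was
  # not committed and reviewed together with the code change.
  if ! "$2"; then echo stale-metadata; return 2; fi
  # Step 2: compliance checks (file present or ignored, license approved,
  # metadata up to date with the project).
  if ! "$3"; then echo status-failed; return 3; fi
  echo ok
}

# Stand-alone use in CI: `sh license_gate.sh --run`
if [ "${1:-}" = "--run" ]; then
  run_gate cache_step sync_step status_step
fi
```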
Integrating github/licensed into your workflow can be tedious, and luckily there are a few automated tools available to make usage easier.
The bundler-licensed plugin runs `licensed cache` automatically when using `bundler`. See the linked repo for usage and details.
The licensed-ci GitHub Action runs `licensed` as part of an opinionated CI workflow and can be configured to run on any GitHub Action event to automatically update the cached metadata files and check their status. See the linked action for usage and details.
The setup-licensed GitHub Action installs `licensed` into the workflow environment. See the linked action for usage and details.