diff --git a/.github/dependency-scan-config.yaml b/.github/dependency-scan-config.yaml
new file mode 100644
index 0000000..de1711a
--- /dev/null
+++ b/.github/dependency-scan-config.yaml
@@ -0,0 +1,95 @@
+fail-on-severity: low
+show-openssf-scorecard: true
+license-check: true
+vulnerability-check: true
+comment-summary-in-pr: always
+
+# List of explicitly allowed licenses for EUPL 1.2 Inbound Compatibility
+# (Allows importing these libraries into a EUPL 1.2 project)
+allow-licenses:
+ # ==========================================
+ # 1. Public domain / no-attribution
+ # ==========================================
+ - CC0-1.0
+ - Unlicense
+ - WTFPL
+ - 0BSD
+
+ # ==========================================
+ # 2. Standard permissive
+ # ==========================================
+ - MIT
+ - Apache-2.0
+ - ISC
+ - BSD-2-Clause
+ - BSD-3-Clause
+ - Zlib
+
+ # ==========================================
+ # 3. Weak copyleft
+ # ==========================================
+ - MPL-1.1
+ - MPL-2.0
+ - CDDL-1.0
+ - EPL-1.0
+ - EPL-2.0
+ - CECILL-2.1
+
+ # ==========================================
+ # 4. Library Copyleft (LGPL)
+ # Explicitly Compatible via EUPL Appendix
+ # ==========================================
+ - LGPL-2.1-only
+ - LGPL-2.1-or-later
+ - LGPL-3.0-only
+ - LGPL-3.0-or-later
+
+ # ==========================================
+ # 5. EUPL
+ # ==========================================
+ - EUPL-1.0
+ - EUPL-1.1
+ - EUPL-1.2
+
+ # ==========================================
+ # 6. Other / Niche permissive licenses
+ # ==========================================
+
+ - AAL
+ - AFL-3.0
+ - Apache-1.1
+ - APL-1.0
+ - APSL-2.0
+ - Artistic-1.0-Perl
+ - Artistic-2.0
+ - BSL-1.0
+ - CATOSL-1.1
+ - CPAL-1.0
+ - CUA-OPL-1.0
+ - ECL-2.0
+ - EFL-2.0
+ - Entessa
+ - EUDatagrid
+ - Fair
+ - LPPL-1.3c
+ - LPL-1.02
+ - MirOS
+ - Motosoto
+ - Multics
+ - NASA-1.3
+ - NCSA
+ - NTP
+ - Naumen
+ - Nokia
+ - PostgreSQL
+ - PSF-2.0
+ - RPSL-1.0
+ - RSCPL
+ - SimPL-2.0
+ - Sleepycat
+ - SPL-1.0
+ - VSL-1.0
+ - W3C
+ - W3C-20150513
+ - Xnet
+ - ZPL-2.0
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 23b0289..26ad49f 100644
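Review bot: `fail-on-severity: low` is set but `fail-on-scopes` is left at its default, which — if I recall the action's defaults correctly — gates only `runtime` dependencies, so a vulnerable development/test dependency would pass this check silently; if everything is meant to be gated, add `fail-on-scopes: [runtime, development]` next to `fail-on-severity`, and state the choice in a comment either way. The `allow-licenses` header comment should also say what happens to packages whose license the dependency graph cannot resolve, since the action reports those separately from denied ones and an allow-list alone does not guarantee every new dependency has a known license — confirm the action's handling of unresolved licenses before treating this as the sole gate. Finally, the section-4 comment justifies LGPL "via EUPL Appendix", but as far as I can tell the appendix lists licenses under which EUPL code may be redistributed (outbound), whereas this file is about inbound use, so the comment should name the actual basis, e.g. `# LGPL is weak copyleft: linking/importing is allowed; the EUPL Appendix only covers outbound redistribution`.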
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -18,6 +18,6 @@ permissions:
 jobs:
 analyze:
- uses: HSLdevcom/jore4-tools/.github/workflows/shared-codeql.yml@shared-ghas-workflows-v1
+ uses: HSLdevcom/jore4-tools/.github/workflows/shared-codeql.yml@shared-ghas-workflows-v2
 with:
 languages: '["actions", "python"]'
diff --git a/.github/workflows/dependency-scan.yml b/.github/workflows/dependency-scan.yml
index 088c08a..042d818 100644
--- a/.github/workflows/dependency-scan.yml
+++ b/.github/workflows/dependency-scan.yml
@@ -5,7 +5,8 @@ on:
 permissions:
 contents: read
+ pull-requests: write
 jobs:
 dependency-scan:
- uses: HSLdevcom/jore4-tools/.github/workflows/shared-dependency-scan.yml@shared-ghas-workflows-v1
+ uses: HSLdevcom/jore4-tools/.github/workflows/shared-dependency-scan.yml@shared-ghas-workflows-v2
diff --git a/.github/workflows/shared-dependency-scan.yml b/.github/workflows/shared-dependency-scan.yml
index 4b36cce..2dc62ba 100644
--- a/.github/workflows/shared-dependency-scan.yml
+++ b/.github/workflows/shared-dependency-scan.yml
@@ -5,6 +5,7 @@ on:
 permissions:
 contents: read
+ pull-requests: write # Needed to write comment to PR
 jobs:
 dependency-review:
@@ -15,3 +16,5 @@ jobs:
 - name: Dependency Review
 uses: actions/dependency-review-action@v4
+ with:
+ config-file: HSLdevcom/jore4-tools/.github/dependency-scan-config.yaml@shared-dependency-licenses-v1
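Review bot: In dependency-scan.yml, `pull-requests: write` is added without the explanatory comment the shared workflow carries, so a reader cannot tell it exists only because a caller must grant at least the permissions the reusable workflow declares; suggest `pull-requests: write # required by shared-dependency-scan to post the PR summary comment`. If this workflow's trigger (outside the hunk) is `pull_request`, the token on pull requests from forks stays read-only regardless of this line, so the summary comment will not be posted there — worth confirming that the action then only warns rather than failing the job.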
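Review bot: The new `config-file` line pins the license allow-list to `@shared-dependency-licenses-v1`, a mutable tag, and `actions/dependency-review-action@v4` is a floating major, so the policy this gate enforces can change with no diff in any consuming repository. Because this step decides which dependencies may merge, pin both to a full commit SHA with a trailing version comment, e.g. `uses: actions/dependency-review-action@<full-sha> # v4.x` and the same pattern for the config ref, and let a bot bump them. If jore4-tools is private, reading the config from a caller's context also needs `external-repo-token`; if it is public the default token suffices — confirm which applies and document it next to `config-file`. The `dependency-review` job starts in the earlier hunk and its steps continue outside this one.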