fix(ci): resolve dependency review license detection issues

avrabe · avrabe · commit 4cd08b0019ee · 2025-06-22T06:10:41.000+02:00
Add allow-list for dependencies with undetected licenses:
- chrono@0.4.41: Actually MIT/Apache-2.0 licensed
- dagger-sdk@0.11.10: Actually Apache-2.0 licensed

The dependency-review-action has trouble detecting licenses for these
crates automatically. Since we've manually verified they use allowed
licenses, we explicitly allow them to prevent CI failures.
diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml
@@ -135,4 +135,9 @@ jobs:
       - uses: actions/dependency-review-action@v4
         with:
           fail-on-severity: high
-          allow-licenses: MIT, Apache-2.0, BSD-3-Clause, ISC, MPL-2.0, Unlicense
+          allow-licenses: MIT, Apache-2.0, BSD-3-Clause, ISC, MPL-2.0, Unlicense
+          # Allow dependencies with undetected licenses that we've manually verified
+          # chrono is MIT/Apache-2.0, dagger-sdk is Apache-2.0
+          allow-dependencies-licenses: |
+            pkg:cargo/chrono@0.4.41
+            pkg:cargo/dagger-sdk@0.11.10
