Run pip-licenses on the format-nongpl extra.

Author: Julian

.github/workflows/ci.yml

@@ -109,7 +109,11 @@ jobs:
           - name: "3.11"
             toxenv: docs-style
           - name: "3.11"
-            toxenv: audit
+            toxenv: format-audit
+          - name: "3.11"
+            toxenv: formatnongpl-audit
+          - name: "3.11"
+            toxenv: noextra-audit
           - name: "3.11"
             toxenv: readme
           - name: "3.11"

docs/validate.rst

@@ -196,19 +196,22 @@ The easiest way to ensure you have what is needed is to install ``jsonschema`` u
 
 For example:
 
-.. code-block:: sh
+.. code:: sh
 
     $ pip install jsonschema[format]
 
-Or if you want to install MIT-license compatible dependencies only:
+Or if you want to avoid GPL dependencies, a second extra is available:
 
-.. code-block:: sh
+.. code:: sh
 
     $ pip install jsonschema[format-nongpl]
 
-The non-GPL extra is intended to not install any direct dependencies that are GPL licensed (but that of course end-users should do their own verification).
 At the moment, it supports all the available checkers except for ``iri`` and ``iri-reference``.
 
+.. warning::
+
+    It is your own responsibility ultimately to ensure you are license-compliant, so you should be double checking your own dependencies if you rely on this extra.
+
 The more specific list of formats along with any additional dependencies they have is shown below.
 
 .. warning::

tox.ini

@@ -1,7 +1,7 @@
 [tox]
 envlist =
     py{37,38,39,310,311,py3}-{noextra,format,formatnongpl}-{build,tests}
-    audit
+    {noextra,format,formatnongpl}-audit
     readme
     secrets
     style
@@ -26,6 +26,11 @@ commands =
     format,perf,perfsuite: {envpython} -m pip install --disable-pip-version-check '{toxinidir}[format]'
     formatnongpl: {envpython} -m pip install --disable-pip-version-check '{toxinidir}[format-nongpl]'
 
+    audit: {envpython} -m pip_audit
+    audit-formatnongpl: {envpython} -m piplicenses {posargs} --ignore-packages pip-requirements-parser pip_audit pip-api --allow-only="Apache Software License;ISC License (ISCL);MIT License;BSD License;Mozilla Public License 2.0 (MPL 2.0)"
+
+    build: {envpython} -m build {toxinidir} --outdir {envtmpdir}/dist
+
     # Ignore the deprecation warning until pypa/setuptools#3276 is released
     tests,coverage,codecov: {envpython} -Werror -W"ignore:module 'sre_constants' is deprecated:DeprecationWarning" -m {env:MAYBE_COVERAGE:} twisted.trial {posargs:jsonschema}
     tests: {envpython} -m doctest {toxinidir}/README.rst
@@ -37,9 +42,10 @@ commands =
 
     perf: {envpython} {toxinidir}/jsonschema/benchmarks/issue232.py --inherit-environ JSON_SCHEMA_TEST_SUITE {posargs:--output {envtmpdir}/bench-issue232.json}
     perfsuite: {envpython} {toxinidir}/jsonschema/benchmarks/json_schema_test_suite.py --inherit-environ JSON_SCHEMA_TEST_SUITE {posargs:--output {envtmpdir}/bench-json_schema_test_suite.json}
-
-    build: {envpython} -m build {toxinidir} --outdir {envtmpdir}/dist
 deps =
+    audit: pip-audit
+    audit-formatnongpl: pip-licenses
+
     build: build
 
     perf,perfsuite: pyperf
@@ -63,12 +69,6 @@ commands =
     {envpython} -m twine check {envtmpdir}/dist/*
     {envbindir}/rst2html5.py --halt=warning {toxinidir}/CHANGELOG.rst /dev/null
 
-[testenv:audit]
-deps = pip-audit
-commands =
-    {envpython} -m pip install --disable-pip-version-check '{toxinidir}[format]'
-    {envpython} -m pip_audit
-
 [testenv:secrets]
 deps = detect-secrets
 commands = {envbindir}/detect-secrets scan {toxinidir}