Add licensed, configs for reuse and improve CI #100
Merged
Conversation
- Add .licensed.yml with pip source and allowed licenses
- Update Taskfile to use licensed cache/status instead of pip-licenses
- Remove THIRD-PARTY-LICENSES.json (replaced by .licenses/ directory)
- Add Ruby setup and licensed installation to CI workflows
- Simplify Taskfile to always use venv (required by licensed pip source)
- Remove pip-licenses from requirements.txt
- Remove reuse from requirements.txt (dev-only tool)
- Install reuse separately with pinned version (5.0.2) in Taskfile
- Add REUSE_VERSION variable for consistent pinning
- Update .licensed.yml to ignore reuse in pip enumeration
Replace individual .license companion files with a centralized REUSE.toml configuration. Add LICENSES/ directory with all required license texts (MPL-2.0, MIT, CC0-1.0, OFL-1.1). Simplify the Taskfile license task to use an include-pattern for source files and add reuse lint validation step.
robgee86
requested changes
Mar 31, 2026
Co-authored-by: Roberto Gazia <robgazia@gmail.com>
This PR replaces `pip-licenses` with `licensed` and restructures the license-checking flow so that local runs and CI use the same pinned tool versions, while keeping their responsibilities clearly separated.

What This PR Changes

- Replaces `pip-licenses` with `licensed` for dependency license checks.
- Keeps source-file license compliance with `reuse`.
- Uses `task license` as the single entry point for the full workflow in both local runs and CI.

Main Design Choice
This branch separates two concerns that were previously mixed together:

- Source-file license compliance (SPDX headers, REUSE.toml, license texts) is handled by `reuse`.
- Dependency license auditing is handled by `licensed`.

This avoids development tooling dependencies being scanned as if they were project runtime dependencies.
License Task Logic

The `license` task in Taskfile.dist.yml now creates and uses two separate environments:

- `.reuse-venv`: used only for `reuse`.
- `.venv`: used only for the runtime dependencies that are scanned by `licensed`.

This means `licensed` only sees the packages required by the project itself, instead of also picking up the dependency tree of `reuse`.

Reproducibility
Tool versions are now explicitly pinned in the task:

- `reuse` is installed via `pip` inside `.reuse-venv`.
- `licensed` is required at the exact version defined in the task.
- Locally, the task checks that the required `licensed` version is already available.
- In CI, the task installs the pinned `licensed` version via `gem`.

This removes version drift between local runs and CI while avoiding platform-specific installation logic in local development.
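The two-environment layout and the version pins described above, written out as a Taskfile. This is an added example, not the PR's own Taskfile.dist.yml: the sub-task names, the `LICENSED_VERSION` variable, the `CI` environment check and the `licensed version` output check are assumptions; the `REUSE_VERSION` variable and the 5.0.2 / 5.0.6 pins come from the PR.

```yaml
# Taskfile.dist.yml excerpt (added example, not the project's own file).
version: '3'

vars:
  REUSE_VERSION: '5.0.2'      # pinned reuse, installed with pip into .reuse-venv
  LICENSED_VERSION: '5.0.6'   # pinned licensed, expected on PATH (installed as a gem)

tasks:
  license:
    desc: Source-file (reuse) and dependency (licensed) license checks
    cmds:
      - task: license:reuse
      - task: license:deps

  license:reuse:
    desc: Lint SPDX headers and REUSE.toml with a pinned reuse in its own venv
    cmds:
      - python3 -m venv .reuse-venv
      - .reuse-venv/bin/pip install --quiet "reuse=={{.REUSE_VERSION}}"
      - .reuse-venv/bin/reuse lint

  license:deps:
    desc: Audit runtime dependency licenses with licensed against .venv
    cmds:
      # CI provisions the gem itself; locally the developer installs it once by hand.
      - 'test -z "$CI" || gem install licensed --version {{.LICENSED_VERSION}}'
      # Fail early if a different licensed is on PATH
      # (assumption: `licensed version` prints the bare version string).
      - 'licensed version | grep -qx "{{.LICENSED_VERSION}}" || { echo "licensed {{.LICENSED_VERSION}} is required on PATH"; exit 1; }'
      # Runtime dependencies only: reuse never lands in this venv, so licensed
      # does not enumerate its dependency tree.
      - python3 -m venv .venv
      - .venv/bin/pip install --quiet -r requirements.txt
      # No cleanup of .licenses here: `licensed cache` updates records in place so
      # manual review edits survive, and `licensed status` reports stale records.
      - licensed cache
      - licensed status
```

Running `task license` locally therefore fails fast with a clear message when the wrong `licensed` version is installed, while the same invocation in CI (where `CI` is set) first installs the pinned gem and then runs the identical audit.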
Local and CI Behavior

The same `task license` entry point is now used in both environments, with a simpler split of responsibilities.

Locally

- `licensed` 5.0.6 is the documented local requirement for dependency license checks.
- It must be available on `PATH`.
- Developers install `licensed` 5.0.6 manually.

In CI

- The workflows no longer install `licensed` directly.
- They run `task license`, and in CI the task installs the pinned `licensed` version via `gem` before running the dependency audit.

This keeps runtime provisioning in CI simple while ensuring that local and CI always converge on the same `licensed` version.

Metadata Persistence
The handling of `.licenses` has been updated to preserve meaningful manual review work:

- Dependency records are refreshed in place by `licensed cache`.
- Stale entries are handled by `licensed` itself rather than by custom cleanup logic.

This makes manual adjustments to dependency records persistent across runs, while still surfacing outdated cache entries during the check.

To make stale cache issues visible, .licensed.yml now uses:

```yaml
stale_records_action: error
```

This causes stale dependency records to fail the check instead of being silently ignored.
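A `.licensed.yml` that ties together the settings this PR describes (pip source scanning `.venv`, `reuse` excluded from enumeration, committed `.licenses` records, stale records treated as errors). This is an added example rather than the project's committed configuration: the `allowed` license list is a constructed illustration, and the `python.virtual_env_dir` value assumes the `.venv` layout from the task description.

```yaml
# .licensed.yml (added example, not the project's own configuration)

sources:
  pip: true                  # only the pip source is enabled

python:
  virtual_env_dir: .venv     # licensed's pip source reads the runtime venv;
                             # reuse lives in .reuse-venv and is never seen here

cache_path: .licenses        # per-dependency records, committed and manually reviewed

# Constructed allow-list for illustration; the project's real list may differ.
allowed:
  - mit
  - apache-2.0
  - bsd-2-clause
  - bsd-3-clause
  - mpl-2.0

ignored:
  pip:
    - reuse                  # dev-only tool, kept out of the runtime dependency audit

# Records in .licenses that no longer match an installed dependency fail
# `licensed status` instead of being silently skipped.
stale_records_action: error
```

With this in place, `licensed cache` writes or updates one record per runtime dependency under `.licenses/`, and `licensed status` fails both on disallowed licenses and on records left behind by removed or renamed dependencies.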
REUSE Adjustments

The REUSE configuration in REUSE.toml has been refined so that:

- Third-party JS libraries under `assets/libs` are kept distinct through dedicated MIT overrides in REUSE.toml.

This avoids collapsing vendored third-party ownership into the generic Arduino MPL annotations and keeps those library-specific cases explicit.

SPDX Header Normalization
This branch also normalizes SPDX headers where older or inconsistent variants were still present.

The goal is to keep the repository aligned with the formatting produced by `reuse`, so that:

CI Simplification
The workflows `.github/workflows/license.yml` and `.github/workflows/update-bricks-file.yml` have been simplified. Their responsibility is now limited to:

- Running `task license`.

All actual license-checking logic lives in the task, which reduces duplication and keeps the maintenance surface smaller.
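What a workflow reduced to "set up the toolchain, run `task license`" looks like, as an added example rather than the PR's actual `license.yml`. The trigger, the Python and Ruby versions, and the use of `arduino/setup-task` to install Task are assumptions; the pinned `licensed` gem is installed by the task itself, as the PR describes, not by the workflow.

```yaml
# .github/workflows/license.yml (added example, not the project's own workflow)
name: license

on:
  pull_request:
  push:
    branches: [main]

jobs:
  license:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Python for both venvs (.reuse-venv and .venv); version is an assumption.
      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      # Ruby so the task can `gem install licensed --version <pin>`; version is an assumption.
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.3'

      # Task runner (assumed action); no license logic lives in this workflow.
      - uses: arduino/setup-task@v2

      # GitHub Actions already exports CI=true, so the task takes its CI branch
      # and installs the pinned licensed gem before auditing dependencies.
      - run: task license
```

Because the version pins live only in the Taskfile, bumping `reuse` or `licensed` is a one-line change that local runs and both workflows pick up together.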
Follow-up Item

One issue is intentionally left for a separate change in `app-bricks-py` rather than being addressed with this PR:

- The `arduino_app_bricks` wheel declares its license, but does not yet include the corresponding license text in the distributed artifact.

This branch currently includes a reviewed cached dependency record as a temporary workaround so that `licensed` can validate that dependency today. The wheel should still be fixed upstream so that this downstream workaround can be removed.