Add licensed, configs for reuse and improve CI#100

Merged
dsammaruga merged 17 commits into arduino:main from beanrepo:add-licensed on Apr 1, 2026

Conversation

beanrepo commented Mar 26, 2026

Contributor

This PR replaces pip-licenses with licensed and restructures the license-checking flow so that local runs and CI use the same pinned tool versions, while keeping their responsibilities clearly separated.

What This PR Changes

  • Replaces dependency license auditing based on pip-licenses with licensed.
  • Keeps REUSE compliance for repository files managed through reuse.
  • Uses task license as the single entry point for the full workflow in both local runs and CI.

Main Design Choice

This branch separates two concerns that were previously mixed together:

  • Repository file licensing is handled through reuse.
  • Python dependency license auditing is handled through licensed.

This avoids development tooling dependencies being scanned as if they were project runtime dependencies.

License Task Logic

The license task in Taskfile.dist.yml now creates and uses two separate environments:

  • .reuse-venv
    Used only for reuse.
  • .venv
    Used only for runtime dependencies that are scanned by licensed.

This means licensed only sees the packages required by the project itself, instead of also picking up the dependency tree of reuse.

Reproducibility

Tool versions are now explicitly pinned in the task:

  • reuse is installed via pip inside .reuse-venv
  • licensed is required at the exact version defined in the task
  • locally, the task validates that the pinned licensed version is already available
  • in CI, the task installs that same pinned licensed version via gem

This removes version drift between local runs and CI while avoiding platform-specific installation logic in local development.

Local and CI Behavior

The same task license entry point is now used in both environments, with a simpler split of responsibilities.

Locally

  • licensed 5.0.6 is the documented local requirement for dependency license checks
  • the task checks whether that pinned version is already available in PATH
  • if it is not available, the task stops with a focused error asking the developer to install licensed 5.0.6 manually

In CI

  • Python and Ruby runtimes are still prepared by the GitHub Actions workflows
  • the workflows no longer install licensed directly
  • instead, they call task license, and in CI the task installs the pinned licensed version via gem before running the dependency audit

This keeps runtime provisioning in CI simple while ensuring that local and CI always converge on the same licensed version.

Metadata Persistence

The handling of .licenses has been updated to preserve meaningful manual review work.

  • the cache is not deleted completely on every run
  • dependency records are regenerated through licensed cache
  • stale records are now handled by licensed itself rather than by custom cleanup logic

This makes manual adjustments to dependency records persistent across runs, while still surfacing outdated cache entries during the check.

To make stale cache issues visible, .licensed.yml now uses:

  • stale_records_action: error

This causes stale dependency records to fail the check instead of being silently ignored.

REUSE Adjustments

The REUSE configuration in REUSE.toml has been refined so that:

  • binary assets and selected non-source files are covered through annotations
  • configuration and documentation files can remain compliant without inline header clutter
  • source files continue to be annotated by the task where appropriate

Third-party JS libraries under assets/libs are kept distinct through dedicated MIT overrides in REUSE.toml. This avoids collapsing vendored third-party ownership into the generic Arduino MPL annotations and keeps those library-specific cases explicit.

SPDX Header Normalization

This branch also normalizes SPDX headers where older or inconsistent variants were still present.

The goal is to keep the repository aligned with the formatting produced by reuse, so that:

  • repeated runs do not keep appending additional copyright lines
  • outdated header variants do not cause noisy diffs

CI Simplification

The workflows .github/workflows/license.yml and .github/workflows/update-bricks-file.yml have been simplified.

Their responsibility is now limited to:

  • preparing Python
  • preparing Ruby
  • calling task license

All actual license-checking logic lives in the task, which reduces duplication and keeps the maintenance surface smaller.

Follow-up Item

One issue is intentionally left for a separate change in app-bricks-py with this PR:

  • the arduino_app_bricks wheel declares its license, but does not yet include the corresponding license text in the distributed artifact

This branch currently includes a reviewed cached dependency record as a temporary workaround so that licensed can validate that dependency today. The wheel should still be fixed upstream so that this downstream workaround can be removed.
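The version gate and two-environment split described above, modelled as an added POSIX sh example (not the PR's own Taskfile). The pins 5.0.6 (licensed) and 5.0.2 (reuse) come from the PR; the `CI` variable, the `licensed version` output format and the `.licensed.yml` pointing at `.venv` are assumptions.

```sh
#!/bin/sh
# Added example, not the PR's Taskfile: models the local/CI version gate.
# LICENSED_VERSION and REUSE_VERSION are the pins the PR describes; the
# `licensed version` output format and the CI variable are assumptions.
LICENSED_VERSION="5.0.6"
REUSE_VERSION="5.0.2"

# Return 0 when the reported version string equals the pinned one.
licensed_version_ok() {
  [ "$1" = "$LICENSED_VERSION" ]
}

# Decide how to satisfy the licensed requirement.
#   $1: "true" when running in CI, anything else locally
#   $2: version found on PATH, or "" when licensed is missing
# Prints one of: use | install | fail
licensed_action() {
  if licensed_version_ok "$2"; then
    echo use
  elif [ "$1" = "true" ]; then
    echo install     # CI: install the pinned gem before the audit
  else
    echo fail        # local: stop and ask for a manual install
  fi
}

# Report the licensed version on PATH ("" if absent). Assumes that
# `licensed version` prints the bare version number on its first line.
detected_licensed_version() {
  command -v licensed >/dev/null 2>&1 || { echo ""; return; }
  licensed version 2>/dev/null | head -n 1
}

# Full task flow: reuse in its own venv, runtime deps in .venv, then the
# version gate, then the dependency audit (assumes .licensed.yml uses .venv).
run_license_task() {
  python3 -m venv .reuse-venv
  .reuse-venv/bin/pip install "reuse==$REUSE_VERSION"
  .reuse-venv/bin/reuse lint
  python3 -m venv .venv
  .venv/bin/pip install -r requirements.txt
  case "$(licensed_action "${CI:-false}" "$(detected_licensed_version)")" in
    install) gem install licensed -v "$LICENSED_VERSION" ;;
    fail) echo "licensed $LICENSED_VERSION is required; install it manually" >&2
          return 1 ;;
  esac
  licensed cache && licensed status
}
```

Because `licensed_action` takes the CI flag and detected version as arguments, the decision logic can be exercised without a Ruby toolchain installed.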

beanrepo added 14 commits March 27, 2026 15:18
- Add .licensed.yml with pip source and allowed licenses
- Update Taskfile to use licensed cache/status instead of pip-licenses
- Remove THIRD-PARTY-LICENSES.json (replaced by .licenses/ directory)
- Add Ruby setup and licensed installation to CI workflows
- Simplify Taskfile to always use venv (required by licensed pip source)
- Remove pip-licenses from requirements.txt
- Remove reuse from requirements.txt (dev-only tool)
- Install reuse separately with pinned version (5.0.2) in Taskfile
- Add REUSE_VERSION variable for consistent pinning
- Update .licensed.yml to ignore reuse in pip enumeration
Replace individual .license companion files with a centralized
REUSE.toml configuration. Add LICENSES/ directory with all required
license texts (MPL-2.0, MIT, CC0-1.0, OFL-1.1).

Simplify the Taskfile license task to use an include-pattern for
source files and add reuse lint validation step.
dsammaruga and others added 2 commits March 31, 2026 18:59
Co-authored-by: Roberto Gazia <robgazia@gmail.com>

robgee86 left a comment

Contributor


LGTM, thanks!

@dsammaruga dsammaruga merged commit 2ec62a4 into arduino:main Apr 1, 2026
3 checks passed
