feat: add licence checker CI

.github/workflows/license-check.yml

@@ -0,0 +1,44 @@
+name: License Check
+on:
+  push:
+    branches: 
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  check-licenses:
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+
+      - uses: pnpm/action-setup@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 24.8.0
+          cache: pnpm
+
+      - uses: oven-sh/setup-bun@v2
+
+      - name: Install dependencies
+        run: |
+          pnpm install --frozen-lockfile
+
+      - name: Check licenses
+        timeout-minutes: 5
+        run: |
+          set -euo pipefail
+
+          # 1) Generate JSON grouped by license
+          pnpm licenses list --json > /tmp/licenses.json
+
+          echo "All used licenses (groupBy=license):"
+          jq -r 'keys[]' /tmp/licenses.json | sort -u
+          echo
+
+          # 2) Find disallowed license expressions (supports AND/OR combos)
+          bun run scripts/check-licenses.bun.ts

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Selleo
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

licenses.config.yaml

@@ -0,0 +1,28 @@
+allowedLicenses:
+  - MIT
+  - MIT-0
+  - MIT/X11
+  - ISC
+  - Apache
+  - Apache-2.0
+  - Apache License 2.0
+  - BlueOak-1.0.0
+  - BSD
+  - BSD-2-Clause
+  - BSD-3-Clause
+  - 0BSD
+  - Python-2.0
+  - Zlib
+  - MPL-2.0
+  - Unlicense
+  - CC0-1.0
+allowedPackages:
+  - "@img/sharp-libvips-linux-x64@1.1.0" # LGPL-3.0-or-later - sublib of sharp - not modified - not embedded in software
+  - "@img/sharp-libvips-linuxmusl-x64@1.1.0" # LGPL-3.0-or-later - sublib of sharp - not modified itself - not embedded in software
+  - "@img/sharp-libvips-linux-x64@1.2.4" # LGPL-3.0-or-later - sublib of sharp - not modified - not embedded in software
+  - "@img/sharp-libvips-linuxmusl-x64@1.2.4" # LGPL-3.0-or-later - sublib of sharp - not modified itself - not embedded in software
+  - caniuse-lite@1.0.30001760 # CC-BY-4.0
+  - pause@0.0.1 # MIT
+  - spamc@0.0.5 # no license but dev deps only
+
+

scripts/check-licenses.bun.ts

@@ -0,0 +1,215 @@
+import fs from "fs";
+import path from "path";
+
+const CONFIG_PATH = process.env.LICENSES_CONFIG_PATH || "licenses.config.yaml";
+const LICENSES_JSON_PATH = process.env.LICENSES_JSON_PATH || "/tmp/licenses.json";
+
+function exitWithError(message: string, error?: unknown): never {
+  console.error(`::error::${message}`);
+  if (error) {
+    console.error(error instanceof Error ? error.message : error);
+  }
+  process.exit(1);
+}
+
+function normalizeStringArray(
+  value: unknown,
+  field: string,
+  { allowEmpty }: { allowEmpty: boolean },
+): string[] {
+  if (!Array.isArray(value)) {
+    exitWithError(`${field} must be an array in ${CONFIG_PATH}`);
+  }
+  const entries = value
+    .map((item) => (typeof item === "string" ? item.trim() : ""))
+    .filter(Boolean);
+
+  if (!allowEmpty && entries.length === 0) {
+    exitWithError(`${field} must contain at least one string in ${CONFIG_PATH}`);
+  }
+
+  if (entries.length !== value.length) {
+    exitWithError(`${field} must contain only strings in ${CONFIG_PATH}`);
+  }
+
+  return entries;
+}
+
+function loadConfig() {
+  const configPath = path.resolve(CONFIG_PATH);
+  let content: string;
+  try {
+    content = fs.readFileSync(configPath, "utf8");
+  } catch (error) {
+    exitWithError(`Unable to read config file at ${configPath}`, error);
+  }
+
+  let parsed: unknown;
+  try {
+    // @ts-ignore Bun.YAML exists - we use but only in CI
+    parsed = Bun.YAML.parse(content);
+  } catch (error) {
+    exitWithError("Failed to parse YAML config", error);
+  }
+
+  const config = Array.isArray(parsed) ? parsed[0] : parsed;
+  if (!config || typeof config !== "object") {
+    exitWithError("Config must be a YAML mapping/object at the top level");
+  }
+
+  const allowedLicenses = normalizeStringArray(config["allowedLicenses"], "allowedLicenses", {
+    allowEmpty: false,
+  });
+  const allowedPackages = normalizeStringArray(config["allowedPackages"] ?? [], "allowedPackages", {
+    allowEmpty: true,
+  });
+
+  return { allowedLicenses, allowedPackages };
+}
+
+type LicensePackage = { name: string; versions?: string[] };
+type LicenseMap = Record<string, LicensePackage[]>;
+
+function loadLicenses(): LicenseMap {
+  let content: string;
+  try {
+    content = fs.readFileSync(LICENSES_JSON_PATH, "utf8");
+  } catch (error) {
+    exitWithError(`Unable to read licenses file at ${LICENSES_JSON_PATH}`, error);
+  }
+
+  let parsed: unknown;
+  try {
+    parsed = JSON.parse(content);
+  } catch (error) {
+    exitWithError("Failed to parse licenses JSON generated by pnpm", error);
+  }
+
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    exitWithError("Licenses JSON is invalid or empty");
+  }
+
+  return parsed as LicenseMap;
+}
+
+const { allowedLicenses, allowedPackages: allowedPackagesList } = loadConfig();
+const allowedLicenseSet = new Set(allowedLicenses);
+
+const allowedPackages = new Map<string, Set<string>>();
+for (const entry of allowedPackagesList) {
+  const at = entry.lastIndexOf("@");
+  if (at <= 0 || at === entry.length - 1) {
+    exitWithError(`Invalid allowedPackages entry "${entry}", expected "name@version"`);
+  }
+  const name = entry.slice(0, at);
+  const version = entry.slice(at + 1);
+  if (!allowedPackages.has(name)) {
+    allowedPackages.set(name, new Set());
+  }
+  allowedPackages.get(name)!.add(version);
+}
+
+const isPackageAllowed = (name: string, version: string) =>
+  allowedPackages.get(name)?.has(version) === true;
+
+const licenses = loadLicenses();
+
+// Simple SPDX-expression parser for AND/OR + parentheses
+function tokenize(expr: string) {
+  return expr
+    .split(/(\(|\)|\bAND\b|\bOR\b)/)
+    .map((part) => part.trim())
+    .filter(Boolean);
+}
+
+function parseExpression(tokens: string[]) {
+  let pos = 0;
+
+  function parseFactor(): any {
+    const token = tokens[pos++];
+    if (token === "(") {
+      const node = parseOr();
+      if (tokens[pos++] !== ")") throw new Error("Unexpected token, expected )");
+      return node;
+    }
+    if (!token) throw new Error("Unexpected end of expression");
+    return { type: "license", id: token };
+  }
+
+  function parseAnd(): any {
+    let left = parseFactor();
+    while (tokens[pos] === "AND") {
+      pos++;
+      left = { type: "and", left, right: parseFactor() };
+    }
+    return left;
+  }
+
+  function parseOr(): any {
+    let left = parseAnd();
+    while (tokens[pos] === "OR") {
+      pos++;
+      left = { type: "or", left, right: parseAnd() };
+    }
+    return left;
+  }
+
+  const tree = parseOr();
+  if (pos !== tokens.length) throw new Error("Unexpected trailing tokens");
+  return tree;
+}
+
+function evalTree(node: any): boolean {
+  switch (node.type) {
+    case "license":
+      return allowedLicenseSet.has(node.id);
+    case "and":
+      return evalTree(node.left) && evalTree(node.right);
+    case "or":
+      return evalTree(node.left) || evalTree(node.right);
+    default:
+      return false;
+  }
+}
+
+function isAllowed(expr: string) {
+  try {
+    const tokens = tokenize(expr);
+    if (tokens.length === 0) return false;
+    const tree = parseExpression(tokens);
+    return evalTree(tree);
+  } catch {
+    return false;
+  }
+}
+
+const disallowedExpressions = new Set<string>();
+const disallowedPackages: string[] = [];
+for (const [expr, packages] of Object.entries(licenses)) {
+  const exprAllowed = isAllowed(expr);
+  for (const pkg of packages) {
+    const versions = pkg.versions ?? ["*"];
+    const violatingVersions = versions.filter(
+      (version) => !(exprAllowed || isPackageAllowed(pkg.name, version)),
+    );
+    if (violatingVersions.length === 0) continue;
+    disallowedExpressions.add(expr);
+    violatingVersions.forEach((version) =>
+      disallowedPackages.push(` - ${pkg.name}@${version}: ${expr}`),
+    );
+  }
+}
+
+if (disallowedPackages.length) {
+  console.log("::error::Disallowed or unknown licenses detected:");
+  Array.from(disallowedExpressions)
+    .sort((a, b) => a.localeCompare(b))
+    .forEach((expr) => console.log(expr));
+  console.log();
+
+  console.log("Dependencies using disallowed licenses:");
+  disallowedPackages.sort((a, b) => a.localeCompare(b)).forEach((line) => console.log(line));
+  process.exit(1);
+}
+
+console.log("✅ All licenses are allowed.");