NEW Check that all dependency licenses are permissive

README.md

@@ -4,3 +4,11 @@ Run Silverstripe CI matrix tests
 Only intended to be used within [gha-ci](https://github.com/silverstripe/gha-ci). The inputs all come from the matrix generated as a part of that workflow.
 
 GitHub job permissions required: `none`
+
+## JS license checking
+
+This action will check the licences of any installed NPM dependencies against a list of allowed SPDX identifiers of open source licences. These are contained in semi-colon delimited list in `allowed-spdx-delimited.txt`. If any insalaled non-dev dependencies are found that are not in the allowed list then the job will fail. See https://spdx.org/licenses/ for a list of SPDX identifiers.
+
+Note that the `Unlicense` is an SPDX identifier for an actual license and not a placeholder for a missing license.
+
+Composer dependences are checked seperately in `ci.yml` of `silverstripe/recipe-kitchen-sink`.

action.yml

@@ -281,6 +281,14 @@ runs:
           echo "Running yarn lint"
           yarn run lint
         fi
+        # Validate licenses of all NPM dependencies are allowed
+        echo "Checking licenses of all dependencies"
+        # The following NPM package report as UNKNOWN or UNLICENSED, though have been manually checked they have permissive licenses:
+        EXCLUDE_PACKAGES='[email protected];[email protected];@silverstripe/[email protected];[email protected];[email protected]'
+        npm install -g license-checker
+        SPDX_ALLOWED_DELIMITED=$(cat ${{ github.action_path }}/allowed-spdx-delimited.txt | tr -d '\n')
+        license-checker --production --unknown --out /dev/null --onlyAllow "$SPDX_ALLOWED_DELIMITED" --excludePackages "$EXCLUDE_PACKAGES"
+        # If we get to this point, everything was successful
         echo "Passed"
 
     - name: "Run PHP linting"

allowed-spdx-delimited.txt

@@ -0,0 +1 @@
+MIT;MIT-0;ISC;0BSD;BSD-2-Clause;BSD-3-Clause;Apache-2.0;Python-2.0;CC0-1.0;CC-BY-3.0;CC-BY-4.0;Public Domain;Unlicense