From 7c584484a9785b77561ee14648bac61eda69e78b Mon Sep 17 00:00:00 2001
From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com>
Date: Thu, 14 May 2026 12:59:46 +0100
Subject: [PATCH] fix(ci): migrate dependency-review from deny-licenses to allow-licenses
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The `deny-licenses` option on actions/dependency-review-action is deprecated for removal in the next major release (actions/dependency-review-action#997). The warning surfaced as a bot comment on PR #15 ("Deprecation Warning: The deny-licenses option is deprecated...").

The deprecation rationale matters: when no SBOM is available, the action can't actually evaluate a denylist, so `deny-licenses` fails open silently. `allow-licenses` fails closed — anything not in the list (including GPL-3.0 / AGPL-3.0 we want to keep out) blocks the PR.

Scope: enumerated permissive + weak-copyleft licenses compatible with PMPL distribution. Strong copyleft (GPL-3.0, AGPL-3.0) deliberately absent. Adjust the list if a legitimate dep gets rejected — but do not slip GPL-3.0 / AGPL-3.0 back in.

Co-Authored-By: Claude Opus 4.7
---
 .github/workflows/security-checks.yml | 29 ++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/security-checks.yml b/.github/workflows/security-checks.yml
index 85c294e..a3fc870 100644
--- a/.github/workflows/security-checks.yml
+++ b/.github/workflows/security-checks.yml
@@ -43,7 +43,34 @@ jobs: uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v4.5.0 with: fail-on-severity: high - deny-licenses: GPL-3.0, AGPL-3.0 + # Replaces the previous `deny-licenses: GPL-3.0, AGPL-3.0`. The + # `deny-licenses` option is deprecated for removal in the next + # major release (actions/dependency-review-action#997): when no + # SBOM is available it can't actually evaluate a denylist, so it + # fails-open silently. `allow-licenses` fails-closed: anything + # not on this list (including the strong-copyleft GPL-3.0 / + # AGPL-3.0 we want to keep out) blocks the PR. + # + # Scope: permissive + weak-copyleft licenses compatible with this + # repo's PMPL distribution. Adjust if a legitimate dep gets + # blocked — do NOT slip GPL-3.0 / AGPL-3.0 back in. + allow-licenses: >- + Apache-2.0, + BSD-2-Clause, + BSD-3-Clause, + BSD-3-Clause-Clear, + CC0-1.0, + ISC, + LGPL-2.1-only, + LGPL-2.1-or-later, + LGPL-3.0-only, + LGPL-3.0-or-later, + MIT, + MPL-2.0, + PSF-2.0, + Python-2.0, + Unlicense, + Zlib comment-summary-in-pr: always validate-actions:
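Review bot: the new `allow-licenses` list uses only suffixed SPDX identifiers for the LGPL family (`LGPL-2.1-only`, `LGPL-2.1-or-later`, `LGPL-3.0-only`, `LGPL-3.0-or-later`), while the removed line matched the bare form (`deny-licenses: GPL-3.0, AGPL-3.0`); a dependency whose package metadata still declares the older bare ids `LGPL-2.1` or `LGPL-3.0` will not match any entry and, because this mode fails closed as the comment itself says, will block the PR. Either add the bare forms next to the suffixed ones, or extend the in-file comment so that the first such rejection is recognised as a list gap and fixed there rather than by reverting to `deny-licenses`. The `>-` folded scalar is fine for this value: it joins the entries with single spaces into `Apache-2.0, BSD-2-Clause, ...`, the same comma-space shape the old `GPL-3.0, AGPL-3.0` value already used. Minor: in the comment, `fails-open` and `fails-closed` are verbs and should be unhyphenated (`fails open`, `fails closed`), matching the commit message.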