From 59c5b55424e639ab6bb1e97e08892ea293ee5792 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Thu, 25 Jun 2026 14:05:31 +0000 Subject: [PATCH 01/13] Add Dependency Review GitHub Action Adds the dependency-review-action workflow to scan PRs for dependency changes that introduce known vulnerabilities. Co-Authored-By: Itamar Hartstein --- .github/workflows/dependency-review.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 .github/workflows/dependency-review.yml diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 000000000..03840b28d --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,15 @@ +name: Dependency Review +on: [pull_request] + +permissions: {} + +jobs: + dependency-review: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Checkout repository + uses: actions/checkout@v4 + - name: Dependency Review + uses: actions/dependency-review-action@v4 From d0dc8dc456887c0247d5aef7fe319bf7b42b5ba1 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Thu, 25 Jun 2026 14:10:17 +0000 Subject: [PATCH 02/13] Set persist-credentials: false on checkout step Co-Authored-By: Itamar Hartstein --- .github/workflows/dependency-review.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 03840b28d..a967d317f 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -11,5 +11,7 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Dependency Review uses: actions/dependency-review-action@v4 From 0e70a11cb6b3ce0e4f1d3d0906c3c4c363489db1 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Thu, 25 Jun 2026 14:20:39 +0000 Subject: [PATCH 03/13] Add workflow_dispatch trigger to dependency review Co-Authored-By: Itamar Hartstein --- .github/workflows/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index a967d317f..7c57d1360 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -1,5 +1,5 @@ name: Dependency Review -on: [pull_request] +on: [pull_request, workflow_dispatch] permissions: {} From a0cd70fd40df14eb36d71046870de21fa50d0956 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Thu, 25 Jun 2026 20:35:43 +0000 Subject: [PATCH 04/13] Add license enforcement via allow-licenses Co-Authored-By: Itamar Hartstein --- .github/workflows/dependency-review.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 7c57d1360..4d210b61a 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -15,3 +15,12 @@ jobs: persist-credentials: false - name: Dependency Review uses: actions/dependency-review-action@v4 + with: + allow-licenses: >- + MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, + PSF-2.0, Python-2.0, 0BSD, BlueOak-1.0.0, + CC0-1.0, CC-BY-3.0, CC-BY-4.0, Unlicense, + MPL-2.0, + LGPL-2.1-only, LGPL-2.1-or-later, + LGPL-3.0-only, LGPL-3.0-or-later, + Artistic-2.0 From 7fa5e90c73844b32f6ec612633abbdd7d9018aaa Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Thu, 25 Jun 2026 20:39:31 +0000 Subject: [PATCH 05/13] Wire workflow_dispatch with base-ref/head-ref inputs Co-Authored-By: Itamar Hartstein --- .github/workflows/dependency-review.yml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 4d210b61a..56a103178 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -1,5 +1,15 @@ name: Dependency Review -on: [pull_request, workflow_dispatch] +on: + pull_request: + workflow_dispatch: + inputs: + base-ref: + description: Base git ref for comparison (e.g. a tag or commit SHA) + required: true + head-ref: + description: Head git ref for comparison (defaults to HEAD) + required: false + default: HEAD permissions: {} @@ -16,6 +26,8 @@ jobs: - name: Dependency Review uses: actions/dependency-review-action@v4 with: + base-ref: ${{ inputs.base-ref || '' }} + head-ref: ${{ inputs.head-ref || '' }} allow-licenses: >- MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, PSF-2.0, Python-2.0, 0BSD, BlueOak-1.0.0, From 7cfe97810880d0c3e61fe8cb5077c9ee156b7ee2 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Sun, 28 Jun 2026 07:52:29 +0000 Subject: [PATCH 06/13] Add fail-on-severity: high to dependency review workflow Co-Authored-By: Itamar Hartstein --- .github/workflows/dependency-review.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 56a103178..656b5046b 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -26,6 +26,7 @@ jobs: - name: Dependency Review uses: actions/dependency-review-action@v4 with: + fail-on-severity: high base-ref: ${{ inputs.base-ref || '' }} head-ref: ${{ inputs.head-ref || '' }} allow-licenses: >- From 68569490cfc5e6b85b88a54292dc9dcc16440ba8 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Sun, 28 Jun 2026 08:02:22 +0000 Subject: [PATCH 07/13] Expand license allowlist to handle compound SPDX expressions Add deny-licenses for AGPL, SSPL, BUSL, Elastic. Co-Authored-By: Itamar Hartstein --- .github/workflows/dependency-review.yml | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 656b5046b..7f39e5b61 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -30,10 +30,20 @@ jobs: base-ref: ${{ inputs.base-ref || '' }} head-ref: ${{ inputs.head-ref || '' }} allow-licenses: >- - MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, - PSF-2.0, Python-2.0, 0BSD, BlueOak-1.0.0, + MIT, MIT-0, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, + PSF-2.0, Python-2.0, CNRI-Python, 0BSD, BlueOak-1.0.0, CC0-1.0, CC-BY-3.0, CC-BY-4.0, Unlicense, - MPL-2.0, + MPL-2.0, NCSA, ZPL-2.1, HPND-Markus-Kuhn, LGPL-2.1-only, LGPL-2.1-or-later, - LGPL-3.0-only, LGPL-3.0-or-later, - Artistic-2.0 + LGPL-3.0-only, LGPL-3.0-or-later, LGPL-3.0, + GPL-1.0-only, GPL-1.0-or-later, + GPL-2.0-only, GPL-2.0-or-later, + GPL-3.0-only, GPL-3.0-or-later, + Artistic-2.0, Artistic-1.0-Perl, + LicenseRef-scancode-public-domain, + LicenseRef-scancode-public-domain-disclaimer, + LicenseRef-scancode-protobuf + deny-licenses: >- + AGPL-3.0-only, AGPL-3.0-or-later, + SSPL-1.0, BUSL-1.1, + Elastic-2.0 From db1a4cff7bbe3c25ea13bc9d5294aff5e894c96c Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Sun, 28 Jun 2026 08:03:37 +0000 Subject: [PATCH 08/13] Remove deny-licenses (cannot use both allow and deny) Co-Authored-By: Itamar Hartstein --- .github/workflows/dependency-review.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 7f39e5b61..161c8e351 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -43,7 +43,3 @@ jobs: LicenseRef-scancode-public-domain, LicenseRef-scancode-public-domain-disclaimer, LicenseRef-scancode-protobuf - deny-licenses: >- - AGPL-3.0-only, AGPL-3.0-or-later, - SSPL-1.0, BUSL-1.1, - Elastic-2.0 From 9efb44eaf377ec1a58177b60c1a222684ccbcd87 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Sun, 28 Jun 2026 08:48:03 +0000 Subject: [PATCH 09/13] Block GPL, exempt specific packages with compound licenses Co-Authored-By: Itamar Hartstein --- .github/workflows/dependency-review.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 161c8e351..f2c84fac9 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -36,10 +36,16 @@ jobs: MPL-2.0, NCSA, ZPL-2.1, HPND-Markus-Kuhn, LGPL-2.1-only, LGPL-2.1-or-later, LGPL-3.0-only, LGPL-3.0-or-later, LGPL-3.0, - GPL-1.0-only, GPL-1.0-or-later, - GPL-2.0-only, GPL-2.0-or-later, - GPL-3.0-only, GPL-3.0-or-later, Artistic-2.0, Artistic-1.0-Perl, LicenseRef-scancode-public-domain, LicenseRef-scancode-public-domain-disclaimer, LicenseRef-scancode-protobuf + # Packages with GPL in compound license expressions that are actually + # safe (dual-licensed, LGPL, or CPython license boilerplate). + allow-dependencies-licenses: >- + pkg:pypi/aiohappyeyeballs, + pkg:pypi/gitdb, + pkg:pypi/lxml, + pkg:pypi/python-gitlab, + pkg:pypi/text-unidecode, + pkg:pypi/typing-extensions From cffd4cd621cfb1381cf1ac42da4bfb8a5fcfb5d1 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Sun, 28 Jun 2026 08:56:18 +0000 Subject: [PATCH 10/13] Organize allow-licenses into commented sections Co-Authored-By: Itamar Hartstein --- .github/workflows/dependency-review.yml | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index f2c84fac9..aaf8baa9c 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -29,19 +29,25 @@ jobs: fail-on-severity: high base-ref: ${{ inputs.base-ref || '' }} head-ref: ${{ inputs.head-ref || '' }} + # Permissive licenses + # Weak copyleft (LGPL/MPL) — safe for commercial use, even BYOC + # LicenseRef-scancode-* — permissive licenses without official SPDX IDs allow-licenses: >- MIT, MIT-0, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, PSF-2.0, Python-2.0, CNRI-Python, 0BSD, BlueOak-1.0.0, CC0-1.0, CC-BY-3.0, CC-BY-4.0, Unlicense, - MPL-2.0, NCSA, ZPL-2.1, HPND-Markus-Kuhn, - LGPL-2.1-only, LGPL-2.1-or-later, - LGPL-3.0-only, LGPL-3.0-or-later, LGPL-3.0, + NCSA, ZPL-2.1, HPND-Markus-Kuhn, Artistic-2.0, Artistic-1.0-Perl, LicenseRef-scancode-public-domain, LicenseRef-scancode-public-domain-disclaimer, - LicenseRef-scancode-protobuf + LicenseRef-scancode-protobuf, + MPL-2.0, + LGPL-2.1-only, LGPL-2.1-or-later, + LGPL-3.0-only, LGPL-3.0-or-later, LGPL-3.0 # Packages with GPL in compound license expressions that are actually # safe (dual-licensed, LGPL, or CPython license boilerplate). + # These are exempted individually so that genuinely GPL-only packages + # are still blocked. allow-dependencies-licenses: >- pkg:pypi/aiohappyeyeballs, pkg:pypi/gitdb, From 984be5a68a244dff046cf46ad8a50137a82d8582 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Sun, 28 Jun 2026 09:01:47 +0000 Subject: [PATCH 11/13] Move license config to separate file with categorized comments Co-Authored-By: Itamar Hartstein --- .github/dependency-review-config.yml | 47 +++++++++++++++++++++++++ .github/workflows/dependency-review.yml | 28 +-------------- 2 files changed, 48 insertions(+), 27 deletions(-) create mode 100644 .github/dependency-review-config.yml diff --git a/.github/dependency-review-config.yml b/.github/dependency-review-config.yml new file mode 100644 index 000000000..5f2e0a302 --- /dev/null +++ b/.github/dependency-review-config.yml @@ -0,0 +1,47 @@ +# Permissive licenses +allow-licenses: + - MIT + - MIT-0 + - Apache-2.0 + - BSD-2-Clause + - BSD-3-Clause + - ISC + - PSF-2.0 + - Python-2.0 + - CNRI-Python + - 0BSD + - BlueOak-1.0.0 + - CC0-1.0 + - CC-BY-3.0 + - CC-BY-4.0 + - Unlicense + - NCSA + - ZPL-2.1 + - HPND-Markus-Kuhn + - Artistic-2.0 + - Artistic-1.0-Perl + # Permissive licenses without official SPDX IDs (ScanCode identifiers) + - LicenseRef-scancode-public-domain + - LicenseRef-scancode-public-domain-disclaimer + - LicenseRef-scancode-protobuf + # Weak copyleft (LGPL/MPL) — safe as libraries in commercial software + - MPL-2.0 + - LGPL-2.1-only + - LGPL-2.1-or-later + - LGPL-3.0-only + - LGPL-3.0-or-later + - LGPL-3.0 + +fail-on-severity: high + +# Packages with GPL in compound license expressions that are actually +# safe (dual-licensed, LGPL, or CPython license boilerplate). +# These are exempted individually so that genuinely GPL-only packages +# are still blocked. +allow-dependencies-licenses: + - pkg:pypi/aiohappyeyeballs + - pkg:pypi/gitdb + - pkg:pypi/lxml + - pkg:pypi/python-gitlab + - pkg:pypi/text-unidecode + - pkg:pypi/typing-extensions diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index aaf8baa9c..4714051aa 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -26,32 +26,6 @@ jobs: - name: Dependency Review uses: actions/dependency-review-action@v4 with: - fail-on-severity: high base-ref: ${{ inputs.base-ref || '' }} head-ref: ${{ inputs.head-ref || '' }} - # Permissive licenses - # Weak copyleft (LGPL/MPL) — safe for commercial use, even BYOC - # LicenseRef-scancode-* — permissive licenses without official SPDX IDs - allow-licenses: >- - MIT, MIT-0, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, - PSF-2.0, Python-2.0, CNRI-Python, 0BSD, BlueOak-1.0.0, - CC0-1.0, CC-BY-3.0, CC-BY-4.0, Unlicense, - NCSA, ZPL-2.1, HPND-Markus-Kuhn, - Artistic-2.0, Artistic-1.0-Perl, - LicenseRef-scancode-public-domain, - LicenseRef-scancode-public-domain-disclaimer, - LicenseRef-scancode-protobuf, - MPL-2.0, - LGPL-2.1-only, LGPL-2.1-or-later, - LGPL-3.0-only, LGPL-3.0-or-later, LGPL-3.0 - # Packages with GPL in compound license expressions that are actually - # safe (dual-licensed, LGPL, or CPython license boilerplate). - # These are exempted individually so that genuinely GPL-only packages - # are still blocked. - allow-dependencies-licenses: >- - pkg:pypi/aiohappyeyeballs, - pkg:pypi/gitdb, - pkg:pypi/lxml, - pkg:pypi/python-gitlab, - pkg:pypi/text-unidecode, - pkg:pypi/typing-extensions + config-file: ./.github/dependency-review-config.yml From 2d4c2c0fe1b952bea436a33a17309c0e986132bd Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Sun, 28 Jun 2026 15:22:02 +0000 Subject: [PATCH 12/13] Add license exceptions for new uv.lock dependencies Co-Authored-By: Itamar Hartstein --- .github/dependency-review-config.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/dependency-review-config.yml b/.github/dependency-review-config.yml index 5f2e0a302..c6adbeb58 100644 --- a/.github/dependency-review-config.yml +++ b/.github/dependency-review-config.yml @@ -4,6 +4,7 @@ allow-licenses: - MIT-0 - Apache-2.0 - BSD-2-Clause + - BSD-2-Clause-Views - BSD-3-Clause - ISC - PSF-2.0 @@ -44,4 +45,8 @@ allow-dependencies-licenses: - pkg:pypi/lxml - pkg:pypi/python-gitlab - pkg:pypi/text-unidecode + - pkg:pypi/python-daemon + - pkg:pypi/rfc3987-syntax + - pkg:pypi/types-sqlalchemy-utils - pkg:pypi/typing-extensions + - pkg:pypi/wirerope From 2d4b73fdb8814e66ed258e756082dc39a9b71d1c Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Sun, 28 Jun 2026 15:32:58 +0000 Subject: [PATCH 13/13] Trim unused license exceptions (no Python deps in this dbt package) Co-Authored-By: Itamar Hartstein --- .github/dependency-review-config.yml | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/.github/dependency-review-config.yml b/.github/dependency-review-config.yml index c6adbeb58..b7a5f2ea8 100644 --- a/.github/dependency-review-config.yml +++ b/.github/dependency-review-config.yml @@ -34,19 +34,3 @@ allow-licenses: - LGPL-3.0 fail-on-severity: high - -# Packages with GPL in compound license expressions that are actually -# safe (dual-licensed, LGPL, or CPython license boilerplate). -# These are exempted individually so that genuinely GPL-only packages -# are still blocked. -allow-dependencies-licenses: - - pkg:pypi/aiohappyeyeballs - - pkg:pypi/gitdb - - pkg:pypi/lxml - - pkg:pypi/python-gitlab - - pkg:pypi/text-unidecode - - pkg:pypi/python-daemon - - pkg:pypi/rfc3987-syntax - - pkg:pypi/types-sqlalchemy-utils - - pkg:pypi/typing-extensions - - pkg:pypi/wirerope