Scan dependency licenses

.github/dependency-scan-config.yaml

@@ -0,0 +1,95 @@
+fail-on-severity: low
+show-openssf-scorecard: true
+license-check: true
+vulnerability-check: true
+comment-summary-in-pr: always
+
+# List of explicitly allowed licenses for EUPL 1.2 Inbound Compatibility
+# (Allows importing these libraries into a EUPL 1.2 project)
+allow-licenses:
+  # ==========================================
+  # 1. Public domain / no-attribution
+  # ==========================================
+  - CC0-1.0
+  - Unlicense
+  - WTFPL
+  - 0BSD
+
+  # ==========================================
+  # 2. Standard permissive
+  # ==========================================
+  - MIT
+  - Apache-2.0
+  - ISC
+  - BSD-2-Clause
+  - BSD-3-Clause
+  - Zlib
+
+  # ==========================================
+  # 3. Weak copyleft
+  # ==========================================
+  - MPL-1.1
+  - MPL-2.0
+  - CDDL-1.0
+  - EPL-1.0
+  - EPL-2.0
+  - CECILL-2.1
+
+  # ==========================================
+  # 4. Library Copyleft (LGPL)
+  # Explicitly Compatible via EUPL Appendix
+  # ==========================================
+  - LGPL-2.1-only
+  - LGPL-2.1-or-later
+  - LGPL-3.0-only
+  - LGPL-3.0-or-later
+
+  # ==========================================
+  # 5. EUPL
+  # ==========================================
+  - EUPL-1.0
+  - EUPL-1.1
+  - EUPL-1.2
+
+  # ==========================================
+  # 6. Other / Niche permissive licenses
+  # ==========================================
+
+  - AAL
+  - AFL-3.0
+  - Apache-1.1
+  - APL-1.0
+  - APSL-2.0
+  - Artistic-1.0-Perl
+  - Artistic-2.0
+  - BSL-1.0
+  - CATOSL-1.1
+  - CPAL-1.0
+  - CUA-OPL-1.0
+  - ECL-2.0
+  - EFL-2.0
+  - Entessa
+  - EUDatagrid
+  - Fair
+  - LPPL-1.3c
+  - LPL-1.02
+  - MirOS
+  - Motosoto
+  - Multics
+  - NASA-1.3
+  - NCSA
+  - NTP
+  - Naumen
+  - Nokia
+  - PostgreSQL
+  - PSF-2.0
+  - RPSL-1.0
+  - RSCPL
+  - SimPL-2.0
+  - Sleepycat
+  - SPL-1.0
+  - VSL-1.0
+  - W3C
+  - W3C-20150513
+  - Xnet
+  - ZPL-2.0

.github/workflows/codeql.yml

@@ -18,6 +18,6 @@ permissions:
 
 jobs:
   analyze:
-    uses: HSLdevcom/jore4-tools/.github/workflows/shared-codeql.yml@shared-ghas-workflows-v1
+    uses: HSLdevcom/jore4-tools/.github/workflows/shared-codeql.yml@shared-ghas-workflows-v2
     with:
       languages: '["actions", "python"]'

.github/workflows/dependency-scan.yml

@@ -5,7 +5,8 @@ on:
 
 permissions:
   contents: read
+  pull-requests: write
 
 jobs:
   dependency-scan:
-    uses: HSLdevcom/jore4-tools/.github/workflows/shared-dependency-scan.yml@shared-ghas-workflows-v1
+    uses: HSLdevcom/jore4-tools/.github/workflows/shared-dependency-scan.yml@shared-ghas-workflows-v2

.github/workflows/shared-dependency-scan.yml

@@ -5,6 +5,7 @@ on:
 
 permissions:
   contents: read
+  pull-requests: write # Needed to write comment to PR
 
 jobs:
   dependency-review:
@@ -15,3 +16,5 @@ jobs:
 
       - name: Dependency Review
         uses: actions/dependency-review-action@v4
+        with:
+          config-file: HSLdevcom/jore4-tools/.github/dependency-scan-config.yaml@shared-dependency-licenses-v1