Add dependency license reporting

Boyeep · Boyeep · commit db8acc97d10c · 2026-03-22T02:27:42.000+07:00
diff --git a/.github/workflows/license-report.yml b/.github/workflows/license-report.yml
@@ -0,0 +1,58 @@
+name: License Report
+
+on:
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: "36 3 * * 2"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  license-report:
+    name: License Report
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: .nvmrc
+          cache: npm
+          cache-dependency-path: |
+            package-lock.json
+            frontend/package-lock.json
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+          cache: pip
+          cache-dependency-path: backend/pyproject.toml
+
+      - name: Install root tooling
+        run: npm ci
+
+      - name: Install frontend dependencies
+        run: npm ci
+        working-directory: frontend
+
+      - name: Install backend dependencies
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install -e ./backend[dev]
+
+      - name: Generate license reports
+        run: npm run report:licenses
+
+      - name: Upload license reports
+        uses: actions/upload-artifact@v4
+        with:
+          name: license-reports
+          path: reports/licenses/
+          if-no-files-found: error
diff --git a/.gitignore b/.gitignore
@@ -21,3 +21,4 @@ Thumbs.db
 
 __reference_nextjs_go_monorepo_kit/
 deep-research-report.md
+reports/licenses/
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -87,6 +87,14 @@ For a pre-commit style check on staged content, run:
 npm run check:secrets -- --staged
 ```
 
+If you want a full dependency license inventory locally, run:
+
+```bash
+npm run report:licenses
+```
+
+That command writes generated reports into `reports/licenses/`.
+
 Dependency review also runs automatically on pull requests to catch newly introduced vulnerable dependency changes.
 
 ## Changing the API Contract
diff --git a/README.md b/README.md
@@ -96,6 +96,7 @@ npm run dev:down
 npm run api:types
 npm run check:contract
 npm run check:images
+npm run report:licenses
 npm run check:secrets
 npm run check:workflows
 npm run check
@@ -114,6 +115,8 @@ The root check runs:
 
 `check:images` is separate and intended for environments where a Docker daemon is available.
 
+`report:licenses` generates local npm and Python license inventories in `reports/licenses/`.
+
 `check:secrets` scans tracked git content with a pinned `gitleaks` version via Go.
 
 `check:workflows` lints `.github/workflows/` with a pinned `actionlint` version via Go.
@@ -122,6 +125,8 @@ CodeQL code scanning also runs on GitHub for `javascript-typescript`, `python`,
 
 Pull requests also run GitHub dependency review so new vulnerable dependency changes are easier to catch before merge.
 
+A separate GitHub workflow generates license-report artifacts for the root workspace, frontend workspace, and backend Python environment.
+
 ## Releases
 
 - Release Drafter keeps a draft release updated from merged pull requests on `main` and can auto-label incoming pull requests by path.
diff --git a/SECURITY.md b/SECURITY.md
@@ -32,6 +32,7 @@ The repository also uses automated scanning to help catch common security issues
 - `gitleaks` in CI for tracked git content
 - CodeQL code scanning on GitHub for JavaScript/TypeScript, Python, and workflow files
 - GitHub dependency review on pull requests for newly introduced vulnerable dependency changes
+- GitHub license-report artifacts for npm and Python dependency inventories
 
 Those checks do not replace private disclosure. If you believe a vulnerability is real or
 exploitable, please still report it through a private advisory.
diff --git a/backend/pyproject.toml b/backend/pyproject.toml
@@ -20,6 +20,7 @@ dependencies = [
 [project.optional-dependencies]
 dev = [
   "httpx>=0.28,<1.0",
+  "pip-licenses>=5.5,<6.0",
   "pytest>=8.3,<9.0",
   "ruff>=0.11,<1.0",
 ]
diff --git a/future-reference-feature.md b/future-reference-feature.md
@@ -22,6 +22,7 @@ The template-grade layer is the part worth reusing almost anywhere:
 - split CI
 - release automation
 - security scanning
+- license reporting
 - repo governance
 - image/build verification
 - smoke testing after release
@@ -65,6 +66,7 @@ Files:
 - `scripts/check-release-smoke.mjs`
 - `scripts/check-actionlint.mjs`
 - `scripts/check-secrets.mjs`
+- `scripts/report-licenses.mjs`
 - `package.json`
 
 Why it matters:
@@ -213,14 +215,17 @@ Generic takeaway:
 Files:
 
 - `scripts/check-secrets.mjs`
+- `scripts/report-licenses.mjs`
 - `.github/workflows/template-ci.yml`
 - `.github/workflows/codeql.yml`
+- `.github/workflows/license-report.yml`
 - `SECURITY.md`
 
 What it covers here:
 
 - tracked git content scanned with `gitleaks`
 - CodeQL scanning for JavaScript/TypeScript, Python, and workflow files
+- generated license inventories for npm and Python dependencies
 - private disclosure guidance
 
 Why it matters:
@@ -233,6 +238,7 @@ Generic takeaway:
 
 - secret scanning is a near-default for public repos
 - CodeQL or equivalent static analysis is a strong baseline for maintained starters
+- non-blocking license reporting is a good bridge before stricter allowlist enforcement
 
 ### 9. Workflow Linting
 
diff --git a/package.json b/package.json
@@ -11,6 +11,7 @@
     "check:release-smoke": "node scripts/check-release-smoke.mjs",
     "check:secrets": "node scripts/check-secrets.mjs",
     "check:workflows": "node scripts/check-actionlint.mjs",
+    "report:licenses": "node scripts/report-licenses.mjs",
     "check": "node scripts/check.mjs"
   },
   "keywords": [
diff --git a/scripts/report-licenses.mjs b/scripts/report-licenses.mjs
@@ -0,0 +1,134 @@
+import { existsSync, mkdirSync, rmSync, writeFileSync } from "node:fs";
+import { spawnSync } from "node:child_process";
+import path from "node:path";
+import process from "node:process";
+
+const root = process.cwd();
+const frontendDir = path.join(root, "frontend");
+const backendDir = path.join(root, "backend");
+const reportDir = path.join(root, "reports", "licenses");
+const npmLicenseTool = "license-checker-rseidelsohn@4.4.2";
+
+function resolvePythonCommand(workingDir) {
+  const localPython =
+    process.platform === "win32"
+      ? path.join(workingDir, ".venv", "Scripts", "python.exe")
+      : path.join(workingDir, ".venv", "bin", "python");
+
+  return existsSync(localPython) ? localPython : "python";
+}
+
+function runAndCapture(command, args, cwd) {
+  const result = spawnSync(command, args, {
+    cwd,
+    encoding: "utf8",
+    stdio: "pipe",
+    shell: process.platform === "win32",
+  });
+
+  if (result.error) {
+    throw result.error;
+  }
+
+  if (result.status !== 0) {
+    const details = [result.stdout, result.stderr].filter(Boolean).join("\n").trim();
+    throw new Error(
+      details
+        ? `Command failed: ${command} ${args.join(" ")}\n${details}`
+        : `Command failed: ${command} ${args.join(" ")}`,
+    );
+  }
+
+  return result.stdout;
+}
+
+function writeReport(filename, content) {
+  const outputPath = path.join(reportDir, filename);
+  const normalized = content.endsWith("\n") ? content : `${content}\n`;
+  writeFileSync(outputPath, normalized, "utf8");
+}
+
+const backendPython = resolvePythonCommand(backendDir);
+
+rmSync(reportDir, { recursive: true, force: true });
+mkdirSync(reportDir, { recursive: true });
+
+writeReport(
+  "root-npm.json",
+  runAndCapture(
+    "npx",
+    [
+      "--yes",
+      npmLicenseTool,
+      "--json",
+      "--relativeLicensePath",
+      "--relativeModulePath",
+    ],
+    root,
+  ),
+);
+
+writeReport(
+  "root-npm-summary.txt",
+  runAndCapture("npx", ["--yes", npmLicenseTool, "--summary"], root),
+);
+
+writeReport(
+  "frontend-npm.json",
+  runAndCapture(
+    "npx",
+    [
+      "--yes",
+      npmLicenseTool,
+      "--json",
+      "--relativeLicensePath",
+      "--relativeModulePath",
+    ],
+    frontendDir,
+  ),
+);
+
+writeReport(
+  "frontend-npm-summary.txt",
+  runAndCapture("npx", ["--yes", npmLicenseTool, "--summary"], frontendDir),
+);
+
+writeReport(
+  "backend-python.json",
+  runAndCapture(
+    backendPython,
+    ["-m", "piplicenses", "--from=mixed", "--with-urls", "--format=json"],
+    backendDir,
+  ),
+);
+
+writeReport(
+  "backend-python-summary.txt",
+  runAndCapture(
+    backendPython,
+    ["-m", "piplicenses", "--from=mixed", "--summary", "--order=license"],
+    backendDir,
+  ),
+);
+
+writeReport(
+  "README.md",
+  [
+    "# License Reports",
+    "",
+    `Generated from \`${path.basename(root)}\` on ${new Date().toISOString()}.`,
+    "",
+    "Files:",
+    "",
+    "- `root-npm.json`: root workspace npm dependency license inventory.",
+    "- `root-npm-summary.txt`: aggregated license counts for the root workspace.",
+    "- `frontend-npm.json`: frontend workspace npm dependency license inventory.",
+    "- `frontend-npm-summary.txt`: aggregated license counts for the frontend workspace.",
+    "- `backend-python.json`: backend Python dependency license inventory.",
+    "- `backend-python-summary.txt`: aggregated license counts for the backend Python environment.",
+    "",
+    "These reports are generated artifacts and should not be committed.",
+  ].join("\n"),
+);
+
+console.log(`Created license reports in ${path.relative(root, reportDir)}`);
diff --git a/template-playbook.md b/template-playbook.md
@@ -34,11 +34,13 @@ If a template only has code and no repo workflow, it is usually still a prototyp
 - `check:images` if the repo ships deployable containers
 - `check:workflows`
 - `check:secrets`
+- `report:licenses` if the repo has third-party dependencies worth auditing
 
 ### CI
 
 - workflow lint
 - secret scan
+- dependency review on pull requests
 - app verification
 - cross-platform check if relevant
 - packaging or Docker build check if relevant
@@ -74,7 +76,9 @@ soon.md
 .github/ISSUE_TEMPLATE/*
 .github/release-drafter.yml
 .github/labels.json
+.github/dependency-review-config.yml
 .github/workflows/template-ci.yml
+.github/workflows/dependency-review.yml
 .github/workflows/release-drafter.yml
 .github/workflows/release.yml
 .github/workflows/release-smoke.yml
@@ -84,6 +88,7 @@ scripts/dev.mjs
 scripts/check.mjs
 scripts/check-actionlint.mjs
 scripts/check-secrets.mjs
+scripts/report-licenses.mjs
 ```
 
 Add these if relevant:
@@ -149,6 +154,8 @@ If you want the version that scales better for open source or long-term reuse, a
 - published artifacts should get smoke-tested
 - workflows should be linted
 - secrets should be scanned
+- dependency changes should be reviewed on pull requests
+- dependency licenses should be reportable without manual digging
 - release steps should be automated
 - docs should explain maintainer flow, not just user setup
 

Original file line number	Diff line number	Diff line change
`@@ -21,3 +21,4 @@ Thumbs.db`
`21`	`21`
`22`	`22`	`__reference_nextjs_go_monorepo_kit/`
`23`	`23`	`deep-research-report.md`
	`24`	`+reports/licenses/`
Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,7 @@ dependencies = [`
`20`	`20`	`[project.optional-dependencies]`
`21`	`21`	`dev = [`
`22`	`22`	`"httpx>=0.28,<1.0",`
	`23`	`+ "pip-licenses>=5.5,<6.0",`
`23`	`24`	`"pytest>=8.3,<9.0",`
`24`	`25`	`"ruff>=0.11,<1.0",`
`25`	`26`	`]`