From a7f0903a49e3f82d8bc185fea27c11603697c0d3 Mon Sep 17 00:00:00 2001 From: LeadGoEngineer Date: Tue, 19 May 2026 07:47:44 -0400 Subject: [PATCH] chore(security): extend license allowlist with BSL-1.0, CC0-1.0, 0BSD MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds three permissive SPDX identifiers to the allowlist in both `.github/workflows/security.yml` (the enforced gate) and `SECURITY.md` (the documented policy): - `0BSD` — Zero-Clause BSD. Rare but real. - `BSL-1.0` — Boost Software License (permissive, OSI-approved). Not the source-available Business Source License (BUSL/BSL on the denylist); SECURITY.md now spells the distinction out so future exception requests do not get triggered by the name collision. - `CC0-1.0` — public-domain dedication, common in small Go utilities. Switches the allowlist ordering to ASCII-sorted by SPDX id and pins that ordering with a comment in security.yml, so the workflow env and SECURITY.md stay in sync on future edits. Withings-export-cli carries the same workflow copy; a parallel PR mirrors the change there. crono- and liftoff-export-cli have not onboarded the workflow yet and are out of scope for this PR. Refs QUA-46. Co-Authored-By: Paperclip --- .github/workflows/security.yml | 3 ++- SECURITY.md | 11 +++++++---- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 08c1e21..018d6a5 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml 
@@ -94,8 +94,9 @@ jobs: contents: read env: # Policy: every direct + transitive Go dep must resolve to one of these SPDX ids. + # Keep this list sorted by SPDX id; SECURITY.md "License allowlist" must match exactly. # See SECURITY.md "Supply-chain policy" for the rationale. - ALLOWED_LICENSES: "Apache-2.0,MIT,BSD-2-Clause,BSD-3-Clause,MPL-2.0,ISC,Unlicense" + ALLOWED_LICENSES: "0BSD,Apache-2.0,BSD-2-Clause,BSD-3-Clause,BSL-1.0,CC0-1.0,ISC,MIT,MPL-2.0,Unlicense" steps: - name: Checkout uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 diff --git a/SECURITY.md b/SECURITY.md index d9b9268..0ee5f1e 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -46,20 +46,23 @@ Every PR — in `common` and in every `*-export-cli` — is gated on a CI workfl - `osv-scanner` for transitive vulnerabilities across the OSV database. - A license-policy check that allowlists only permissive licenses. -**License allowlist** (SPDX identifiers): +**License allowlist** (SPDX identifiers, sorted by SPDX id; must match `ALLOWED_LICENSES` in `.github/workflows/security.yml` exactly): +- `0BSD` - `Apache-2.0` -- `MIT` - `BSD-2-Clause` - `BSD-3-Clause` -- `MPL-2.0` +- `BSL-1.0` (Boost Software License — permissive, OSI-approved; **not** the source-available Business Source License — see denylist entry for `BUSL-*`) +- `CC0-1.0` - `ISC` +- `MIT` +- `MPL-2.0` - `Unlicense` **License denylist** (blocking; not exhaustive): - The GPL family — `GPL-*`, `LGPL-*`, `AGPL-*`. -- `SSPL-*`, `BUSL-*` / `BSL-*`, and other "source-available" licenses. +- `SSPL-*`, `BUSL-*` (Business Source License — sometimes informally written "BSL"; not to be confused with the permissive `BSL-1.0` Boost above), and other "source-available" licenses. - "Custom" or unidentified licenses where the SPDX identifier cannot be resolved. A PR that introduces a denied license is blocked. To request an exception, open an issue against `quantcli/common` with the dependency name, version, license text, and the rationale. Exceptions are rare and case-by-case.
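Review bot: in the `security.yml` hunk, the new comment ("Keep this list sorted by SPDX id; SECURITY.md "License allowlist" must match exactly") states a sync invariant that nothing in the workflow enforces, so the two copies can still drift silently on the next edit. Consider adding a small step before the license check that extracts the backticked ids from the "License allowlist" section of `SECURITY.md`, sorts them, and fails the job if they differ from `$ALLOWED_LICENSES` split on commas; the ordering is already ASCII-sorted in this hunk (`BSD-3-Clause` before `BSL-1.0`, `ISC` before `MIT` before `MPL-2.0`), so a plain string comparison would suffice.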
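Review bot: in the `SECURITY.md` hunk, dropping `BSL-*` from the denylist line is the right call now that `BSL-1.0` is allowlisted, but it leaves the document without an explicit statement of what happens to a dependency whose license is reported only as a bare "BSL" label with no resolvable SPDX id. From the surrounding lines that case is still blocked by the "Custom or unidentified licenses where the SPDX identifier cannot be resolved" bullet, so it would help to say so in the new `BUSL-*` parenthetical (one clause such as "an unresolved `BSL` label is treated as unidentified and blocked") rather than leaving readers to infer it from the name-collision note alone. The added "must match `ALLOWED_LICENSES` ... exactly" requirement on the allowlist heading is also a manual invariant; if it is going to be stated as a rule here, the PR description or the heading should point to whatever check (or review step) keeps it true.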