Overview
An OSS license due diligence review found that only 2 out of 10 Restate repositories have automated dependency license checking:
| Repository | Has license check? | Tool |
|---|---|---|
| ✅ restate | Yes | cargo-deny (in deps.yml) |
| ✅ sdk-java | Yes | jk1/dependency-license-report (in Gradle check task) |
| ❌ sdk-rust | No | — |
| ❌ sdk-shared-core | No | — |
| ❌ sdk-typescript | No | — |
| ❌ sdk-python | No | — |
| ❌ sdk-go | No | — |
| ❌ restate-web-ui | No | — |
| ❌ restate-operator | No | — |
| ❌ restate-cloud | No | — |
Goal
Each repository should have a CI gate that prevents merging code that introduces dependencies with strong copyleft licenses (GPL, AGPL, SSPL). The idiomatic tool depends on the ecosystem:
| Ecosystem | Tool | Already used in |
|---|---|---|
| Rust | cargo-deny | restate |
| Java/Kotlin | jk1/dependency-license-report | sdk-java |
| TypeScript | license-checker or allowed-licenses | — |
| Python | liccheck or pip-licenses | — |
| Go | go-licenses | — |
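As an added example (not configuration taken from any Restate repository), a cargo-deny `deny.toml` that implements the gate described above for the Rust repositories. The file location, the allow-list contents and the exception entry are assumptions chosen for illustration.

```toml
# deny.toml at the repository root (assumed location); CI runs
#   cargo deny check licenses
# and the job fails if any crate in the dependency graph is not covered.
[licenses]
# Allow-list semantics: a crate passes only if its SPDX license expression
# can be satisfied using identifiers from this list. GPL-*, AGPL-* and SSPL-*
# are deliberately absent, so a crate licensed solely under one of them is
# rejected, while a dual-licensed "MIT OR GPL-3.0-only" crate still passes
# because the MIT branch satisfies the expression.
allow = [
    "MIT",
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "Zlib",
    "Unicode-DFS-2016",
]
# When a crate declares no license in Cargo.toml, cargo-deny guesses from its
# LICENSE file text; below this confidence the crate is reported as unlicensed
# (and therefore fails) instead of being silently matched.
confidence-threshold = 0.93
# Workspace crates that are never published (publish = false) are the
# project's own code and need no third-party license review.
private = { ignore = true }
# Per-crate exceptions for licenses that should not be accepted globally.
# Each entry widens the allow-list only for the named crate (sample entry,
# not a real finding in any Restate repository).
exceptions = [
    { name = "example-crate", allow = ["MPL-2.0"] },
]
```

Because the check is allow-list based, a new license appearing in the graph (permissive or not) fails the job until this file is changed in a reviewed commit, which is what makes it a merge gate rather than a report.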
Tracked issues
- Add automated dependency license checking with cargo-deny sdk-rust#103
- Add automated dependency license checking with cargo-deny sdk-shared-core#70
- Add automated dependency license checking sdk-typescript#659
- Add automated dependency license checking (Python + Rust) sdk-python#182
- Add automated dependency license checking with go-licenses sdk-go#134
- Add automated dependency license checking restate-web-ui#557
- Add automated dependency license checking with cargo-deny restate-operator#98
- restatedev/restate-cloud#570
Current state
All dependencies across all 10 repos are currently clean — no strong copyleft violations found (5,753 dependency entries audited on 2026-03-16). These issues are preventive measures to ensure no regressions occur through routine dependency updates.