From 6f9c39440aeeaed410c2c6d615f65b3da849d4fe Mon Sep 17 00:00:00 2001
From: pgherveou
Date: Fri, 5 Jun 2026 15:47:59 +0200
Subject: [PATCH] ci: enforce dependency license allowlist with cargo-deny

Add a 'Dependency licenses' CI job running 'cargo deny check licenses' against the deny.toml allowlist, and include it in the ci-status gate so a disallowed (e.g. copyleft) dependency fails the build.
---
 .github/workflows/ci.yml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1e3b07da..10d6f536 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -47,6 +47,19 @@ jobs:
 - name: cargo test
 run: cargo test --workspace --all-features
 
+ licenses:
+ name: Dependency licenses
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: cargo deny check licenses
+ uses: EmbarkStudios/cargo-deny-action@bb137d7af7e4fb67e5f82a49c4fce4fad40782fe # v2.0.20
+ with:
+ command: check licenses
+
 codegen:
 name: Codegen
 runs-on: ubuntu-latest
@@ -259,12 +272,13 @@ jobs:
 name: CI Status
 if: always()
 runs-on: ubuntu-latest
- needs: [rust, codegen, ts-client, playground, explorer, e2e]
+ needs: [rust, licenses, codegen, ts-client, playground, explorer, e2e]
 steps:
 - name: Check all jobs
 run: |
 results=(
 "${{ needs.rust.result }}"
+ "${{ needs.licenses.result }}"
 "${{ needs.codegen.result }}"
 "${{ needs.ts-client.result }}"
 "${{ needs.playground.result }}"
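Review bot: The new `licenses` job declares no `permissions:` block, so its GITHUB_TOKEN gets whatever the workflow or repository default grants; the workflow's top-level keys are outside this hunk, so this may already be restricted there. The job only checks out the repository and runs cargo-deny, so if no workflow-level restriction exists I would add `permissions:` with `contents: read` directly under `runs-on: ubuntu-latest`. That would match the care already taken in pinning both actions to a full commit SHA and setting `persist-credentials: false`. The job also depends on a `deny.toml` that this commit does not touch (the diffstat lists only ci.yml), so it is worth confirming the file is already in the tree with the intended `[licenses]` allow list.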
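Review bot: `licenses` has to be added in two places in the CI Status job, the `needs:` list and the `results` array, and nothing in the file ties the two together; a job present in only one of them would not be gated as intended. A shell comment above `results=(` such as `# Keep in sync with needs: above; a job missing from either list is not enforced by this gate.` would make that requirement visible to the next person adding a job. The code that evaluates `results` is outside the hunk, so I cannot confirm from here how a `skipped` or `cancelled` result for the new job is treated; for a license gate it should count as a failure.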