Description
Context
As part of an OSS license due diligence review, we found that this repository has no automated mechanism to verify that dependency licenses are acceptable. This is a hybrid Python + Rust (maturin/PyO3) project, so both ecosystems need coverage.
Recommended approach
Rust side: cargo-deny
Add a deny.toml alongside the existing Cargo.toml:

```toml
[licenses]
allow = [
    "MIT",
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "BSL-1.0",
    "CC0-1.0",
    "Zlib",
    "Unicode-3.0",
    "Unicode-DFS-2016",
    "OpenSSL",
    "0BSD",
]
confidence-threshold = 0.8
```

Add to CI:

```yaml
- uses: EmbarkStudios/cargo-deny-action@v2
  with:
    command: check licenses
```

Python side: liccheck or pip-licenses
Option A: liccheck — add a [tool.liccheck] section to pyproject.toml:

```toml
[tool.liccheck]
authorized_licenses = [
    "MIT License",
    "Apache Software License",
    "BSD License",
    "ISC License (ISCL)",
    "Python Software Foundation License",
    "Mozilla Public License 2.0 (MPL 2.0)",
]
```

Run as: liccheck -r <requirements-file>

Option B: pip-licenses — run as a CI step:

```shell
pip-licenses --allow-only="MIT;Apache-2.0;BSD-2-Clause;BSD-3-Clause;ISC;PSF-2.0;MPL-2.0"
```

Note on the published wheel
The published restate-sdk wheel currently has dependencies = [] (zero Python runtime deps) — all deps are in optional extras ([openai], [adk], etc.). The Rust native extension has its dependencies statically compiled in. License checking is still valuable as a preventive measure and to cover the optional extras that users install.
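The two allow lists above are spelled differently for a reason: liccheck matches the wording of the trove classifiers ("Apache Software License"), while the pip-licenses list uses SPDX ids, and which string pip-licenses compares depends on its --from option (classifier text vs. the License metadata field). Before wiring either tool in, it is worth running pip-licenses --summary against an environment with the extras installed to confirm the names line up. The script below is an added example, not code from this issue or from the restate-sdk project, showing the normalization a gate has to do to be robust to both spellings: it reads each distribution's License field and its "License ::" classifiers, maps both to SPDX ids, treats SPDX "OR" and multiple classifiers as alternatives and "AND" as a conjunction, and rejects packages with no acceptable alternative or no license metadata at all. The ALIASES table and the SAMPLE metadata are constructed for the demo (only the licenses named in the issue are mapped); scan_environment() runs the same check over the live interpreter via importlib.metadata.

```python
"""Minimal license allow-list gate over Python package metadata (added example)."""
import re
from importlib import metadata

# SPDX ids from the pip-licenses allow list in the issue.
ALLOWED = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "PSF-2.0", "MPL-2.0"}

# Classifier / free-text spellings (what liccheck matches) -> SPDX id.
# Assumed table for the example; extend per project.
ALIASES = {
    "mit license": "MIT",
    "mit": "MIT",
    "apache software license": "Apache-2.0",
    "apache 2.0": "Apache-2.0",
    "apache license 2.0": "Apache-2.0",
    "bsd license": "BSD-3-Clause",  # the classifier does not say 2- or 3-clause
    "bsd": "BSD-3-Clause",
    "isc license (iscl)": "ISC",
    "python software foundation license": "PSF-2.0",
    "mozilla public license 2.0 (mpl 2.0)": "MPL-2.0",
}


def normalize(name: str) -> str:
    """Map one license spelling to an SPDX id; unknown spellings pass through unchanged."""
    key = name.strip().lower()
    return ALIASES.get(key, name.strip())


def alternatives(license_field, classifiers):
    """Return the alternatives a package declares, each a frozenset of SPDX ids.

    A package is acceptable if ANY alternative is acceptable; an alternative is
    acceptable only if ALL ids in it are allowed (SPDX "AND"). Alternatives come
    from "OR" in the License field and from multiple License classifiers.
    """
    alts = []
    for classifier in classifiers:
        if classifier.startswith("License ::"):
            alts.append(frozenset({normalize(classifier.rsplit(" :: ", 1)[-1])}))
    field = (license_field or "").strip()
    if field and field.upper() != "UNKNOWN":
        for alt in re.split(r"\s+OR\s+", field.strip("()")):
            alts.append(frozenset(normalize(p) for p in re.split(r"\s+AND\s+", alt)))
    return alts


def check(packages, allowed=ALLOWED):
    """Return {package: reason} for every package with no allowed alternative.

    `packages` maps name -> (License field or None, [classifier, ...]).
    """
    problems = {}
    for name, (field, classifiers) in packages.items():
        alts = alternatives(field, classifiers)
        if not alts:
            problems[name] = "no license metadata"
        elif not any(alt <= allowed for alt in alts):
            problems[name] = " OR ".join(" AND ".join(sorted(a)) for a in alts)
    return problems


def scan_environment(allowed=ALLOWED):
    """Run check() over every distribution installed in the current interpreter."""
    packages = {}
    for dist in metadata.distributions():
        md = dist.metadata
        packages[md.get("Name", "?")] = (md.get("License"), md.get_all("Classifier") or [])
    return check(packages, allowed)


# Constructed sample metadata (not real package data) covering the cases a gate
# must get right: classifier-only, field-only, dual licensed, AND-expression,
# copyleft, missing metadata, and the ambiguous "BSD License" classifier.
SAMPLE = {
    "permissive-classifier-only": (None, ["License :: OSI Approved :: MIT License"]),
    "permissive-field-only": ("Apache-2.0", []),
    "dual-licensed": ("MIT OR Apache-2.0", []),
    "and-expression-mixed": ("MIT AND GPL-3.0-only", []),
    "copyleft": ("GPL-3.0-only", ["License :: OSI Approved :: GNU General Public License v3 (GPLv3)"]),
    "no-metadata": ("", []),
    "bsd-classifier": ("UNKNOWN", ["License :: OSI Approved :: BSD License"]),
}

if __name__ == "__main__":
    problems = check(SAMPLE)
    for pkg, why in problems.items():
        print(f"REJECT {pkg}: {why}")
    raise SystemExit(1 if problems else 0)  # non-zero exit fails the CI step
```

Run as a CI step it exits non-zero on the first disallowed package, which is the same contract as the two tools above; the difference is that the allow list is written once, in SPDX form, and the "no license metadata" case is a hard failure rather than something that silently slips through.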
Why this matters
An automated license gate ensures no strong copyleft (GPL, AGPL, SSPL) dependencies accidentally enter the dependency tree through routine updates to either the Rust or Python side.
Current state (as of 2026-03-16)
All current dependencies (146 Python, 113 Rust) are permissively licensed — this is purely a preventive measure.