ci: FINOS license compliance workflow (#271) (#272)

## Summary

- Adds `license.yml` workflow enforcing FINOS license category
compliance on every push/PR to main
- Removes `gradle-suppressions.xml` (OWASP dependency-check no longer
used; CVE scanning handled by Grype)

## Changes

### Gradle (`com.github.jk1:gradle-license-report`)
- `checkLicense` task applied to all subprojects, scans
`runtimeClasspath` only
- `gradle-allowed-licenses.json` — FINOS Category A (permitted) +
Category B (permitted with CONTRIBUTING notice); Category X omitted →
build fails on violation
- `gradle-license-overrides.txt` — PSV overrides for two deps with
malformed POM license declarations (`org.jspecify:jspecify`,
`com.nimbusds:oauth2-oidc-sdk`), both confirmed Apache-2.0
- `InventoryHtmlReportRenderer` generates a grouped HTML report uploaded
as a CI artifact

### npm (`license-checker-rseidelsohn`)
- Added as pinned devDependency in frontend `package.json`
- `license-check` npm script checks production deps only (`--production
--excludePrivatePackages`)
- All 13 production deps pass: MIT / BSD-3-Clause / Apache-2.0 / ISC

## Test plan

- [x] `./gradlew checkLicense -PskipFrontend` passes clean across all
three subprojects locally
- [x] `npm run license-check` passes locally (13 deps, all FINOS
Category A)
- [x] CI `license.yml` workflow passes on this PR

closes #271

Author: coopernetes

.github/workflows/license.yml

@@ -0,0 +1,54 @@
+name: License Compliance
+
+permissions:
+  contents: read
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+
+jobs:
+  license-gradle:
+    name: Gradle (license)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
+
+      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # ratchet:actions/setup-java@v5
+        with:
+          distribution: temurin
+          java-version: 25
+          cache: gradle
+
+      - name: Check licenses
+        run: ./gradlew checkLicense -PskipFrontend
+
+      - name: Upload license report
+        if: always()
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # ratchet:actions/upload-artifact@v7
+        with:
+          name: gradle-license-report
+          path: "**/build/reports/dependency-license/"
+          retention-days: 30
+
+  license-npm:
+    name: npm (license)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
+
+      - name: Install dependencies
+        run: npm ci --prefer-offline
+        working-directory: git-proxy-java-dashboard/frontend
+
+      - name: Check licenses
+        run: npm run license-check
+        working-directory: git-proxy-java-dashboard/frontend

build.gradle

@@ -11,6 +11,7 @@ plugins {
     id 'com.diffplug.spotless' version '8.4.0' apply false
     id 'org.cyclonedx.bom' version '3.2.4'
     id 'com.github.node-gradle.node' version '7.1.0' apply false
+    id 'com.github.jk1.dependency-license-report' version '2.9' apply false
 }
 
 ext {
@@ -105,6 +106,20 @@ tasks.register('installGitHooks') {
 subprojects {
     apply plugin: 'com.diffplug.spotless'
     apply plugin: 'jacoco-report-aggregation'
+    apply plugin: 'com.github.jk1.dependency-license-report'
+
+    licenseReport {
+        allowedLicensesFile = rootProject.file('gradle-allowed-licenses.json')
+        configurations = ['runtimeClasspath']
+        excludeOwnGroup = true
+        excludeBoms = true
+        // These deps have malformed POM license declarations (null name or quoted MIME-style string)
+        // but are confirmed Apache-2.0. Overrides in gradle-license-overrides.txt fix the HTML report.
+        excludes = ['org.jspecify:jspecify', 'com.nimbusds:oauth2-oidc-sdk']
+        renderers = [new com.github.jk1.license.render.InventoryHtmlReportRenderer(
+                         'index.html', 'git-proxy-java', rootProject.file('gradle-license-overrides.txt')),
+                     new com.github.jk1.license.render.JsonReportRenderer('licenses.json')]
+    }
 
     spotless {
         java {