Context
As part of an OSS license due diligence review, we found that this repository has no automated mechanism to verify that dependency licenses are acceptable. The restate server repo already uses cargo-deny successfully — this issue tracks adding the same for the Kubernetes operator.
Recommended approach
1. Add deny.toml
Use the restate server's deny.toml as a starting template:

```toml
[licenses]
allow = [
    # Permissive
    "MIT",
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "BSL-1.0",
    "CC0-1.0",
    "Zlib",
    "Unicode-3.0",
    "Unicode-DFS-2016",
    "OpenSSL",
    "0BSD",
]
confidence-threshold = 0.8
```
2. Add CI workflow
Either add a dedicated workflow or integrate into the existing CI (.github/workflows/ci.yml):

```yaml
- uses: EmbarkStudios/cargo-deny-action@v2
  with:
    command: check licenses
```
3. Add justfile target
```just
deny:
    cargo deny check

lint: check-fmt clippy deny
```
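To make the gate's behaviour concrete, here is an added illustration (not cargo-deny's code, and not part of this issue) of what the `[licenses].allow` check does: each crate's SPDX license expression is parsed and evaluated against the allow list, so `MIT OR Apache-2.0` passes while `MIT AND AGPL-3.0-only` fails. The crate names and license strings are constructed sample data standing in for what `cargo metadata` reports; treating the legacy `MIT/Apache-2.0` slash form as `OR`, and requiring a `WITH` exception to be listed as a unit, are modelling assumptions of this example.

```python
"""Toy license gate: evaluate SPDX license expressions against an allow list.
Added illustration only; cargo-deny's real evaluator is not this code."""
import re
from typing import Optional

# Mirrors the [licenses].allow list proposed in deny.toml above.
ALLOWED = {
    "MIT", "Apache-2.0", "Apache-2.0 WITH LLVM-exception", "BSD-2-Clause",
    "BSD-3-Clause", "ISC", "BSL-1.0", "CC0-1.0", "Zlib", "Unicode-3.0",
    "Unicode-DFS-2016", "OpenSSL", "0BSD",
}

_TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.+\-]+")


def _tokenize(expr: str) -> list[str]:
    # Assumption: the legacy Cargo form "MIT/Apache-2.0" means OR.
    return _TOKEN.findall(expr.replace("/", " OR "))


class _Parser:
    """Recursive descent over: or := and (OR and)*; and := primary (AND primary)*;
    primary := '(' or ')' | license (WITH exception)?"""

    def __init__(self, tokens: list[str], allowed: set[str]):
        self.toks, self.i, self.allowed = tokens, 0, allowed

    def peek(self) -> Optional[str]:
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self) -> str:
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        self.i += 1
        return tok

    def parse_or(self) -> bool:
        ok = self.parse_and()
        while self.peek() == "OR":
            self.take()
            ok = self.parse_and() or ok  # any allowed alternative satisfies OR
        return ok

    def parse_and(self) -> bool:
        ok = self.parse_primary()
        while self.peek() == "AND":
            self.take()
            rhs = self.parse_primary()  # always consume, even if already failed
            ok = ok and rhs
        return ok

    def parse_primary(self) -> bool:
        tok = self.take()
        if tok == "(":
            ok = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return ok
        if tok in ("AND", "OR", "WITH", ")"):
            raise ValueError(f"unexpected token {tok!r}")
        lic = tok
        if self.peek() == "WITH":
            self.take()
            # Assumption: "X WITH Y" must be allowed as a unit, like the
            # "Apache-2.0 WITH LLVM-exception" entry in deny.toml.
            lic = f"{lic} WITH {self.take()}"
        return lic in self.allowed


def expression_allowed(expr: Optional[str], allowed: set[str] = ALLOWED) -> bool:
    """True if the SPDX expression can be satisfied using only allowed licenses."""
    if not expr or not expr.strip():
        # No `license` field: fail closed. (cargo-deny would first try to
        # detect a license from the crate's license file, which is what
        # confidence-threshold governs; that step is omitted here.)
        return False
    p = _Parser(_tokenize(expr), allowed)
    ok = p.parse_or()
    if p.peek() is not None:
        raise ValueError(f"trailing tokens in {expr!r}")
    return ok


# Constructed sample of (package name, license field) pairs, not real crates.
SAMPLE_CRATES = [
    ("permissive-dual", "MIT OR Apache-2.0"),
    ("two-permissive", "Apache-2.0 AND ISC"),
    ("with-exception", "Apache-2.0 WITH LLVM-exception"),
    ("old-slash-form", "MIT/Apache-2.0"),
    ("gpl-alternative", "(MIT OR GPL-3.0-only) AND Zlib"),
    ("copyleft-only", "GPL-3.0-only"),
    ("tainted", "MIT AND AGPL-3.0-only"),
    ("unlicensed", None),
]


def check_crates(crates, allowed: set[str] = ALLOWED) -> list[str]:
    """Return the names of crates whose license expression fails the gate."""
    return [name for name, lic in crates if not expression_allowed(lic, allowed)]


if __name__ == "__main__":
    failing = check_crates(SAMPLE_CRATES)
    for name in failing:
        print(f"license check failed: {name}")
    raise SystemExit(1 if failing else 0)
```

Run stand-alone it exits non-zero and names `copyleft-only`, `tainted` and `unlicensed`, which is the same shape of signal the CI step above turns into a failed build. Note that `gpl-alternative` passes: a crate offered under `MIT OR GPL-3.0-only` can be consumed under MIT, so an OR with one allowed branch is acceptable, whereas an AND requires every operand to be allowed.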
Why this matters
The operator is MIT-licensed and distributed as a container image that is deployed in customer Kubernetes clusters. An automated license gate ensures that no strong-copyleft (GPL, AGPL, SSPL) dependency enters the dependency tree unnoticed through routine updates.
Current state (as of 2026-03-16)
All current dependencies are permissively licensed — this is purely a preventive measure.