ci: add licence-check workflow — validates production dep licences against MIT-compatible allowlist

.gitea/workflows/licence-check.yml

@@ -0,0 +1,38 @@
+name: Licence Check
+
+on:
+  push:
+    branches: ["**"]
+    paths:
+      - "package.json"
+      - "package-lock.json"
+      - ".gitea/workflows/licence-check.yml"
+  pull_request:
+    branches: ["**"]
+    paths:
+      - "package.json"
+      - "package-lock.json"
+      - ".gitea/workflows/licence-check.yml"
+
+jobs:
+  licence-check:
+    name: Dependency licence compatibility
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+
+      - name: Install production dependencies
+        run: npm ci --omit=dev
+
+      - name: Check licence compatibility
+        run: |
+          npx --yes license-checker --production \
+            --onlyAllow "MIT;ISC;MIT-0;BSD-2-Clause;BSD-3-Clause;Apache-2.0;CC0-1.0;BlueOak-1.0.0" \
+            --excludePrivatePackages \
+            && echo "All production dependency licences are compatible with MIT."