(GH-actions) add allow-licenses list in dependency_review #PR2

[kvramyasri7]

Description of changes

add allow-licenses list in dependency_review.

Used them as a source of truth:

• https://opensource.org/licenses/
• https://spdx.org/licenses/

for checking the list of licenses.

Issue #, if available

Description of how you validated changes

aws-amplify/amplify-ui#4145 Took this as reference PR from sibling team.

Checklist

• PR description included
• yarn test passes
• Tests are changed or added
• Relevant documentation is changed or added (and PR referenced)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[ashwinkumar6]

Thanks for adding this in @kvramyasri7
Added a comment regarding removing existing license-test workflow

I think it'll be great to also get an approval from product for the acceptable licenses listed in dependecy-review-config.yml just in case

[elorzafe]

any reason to not what currently UI team has https://github.com/aws-amplify/amplify-ui/blob/main/.github/dependency-review/config.yml ?

[kvramyasri7]

from the conversation I had with one of the engineer from ui team, this list is subjected to change. Referencing the latest guide from oss is the tip I had.

[kvramyasri7]

I have updated the license list to Amazon pre-approved list @elorzafe. Please take a look at it now. If you find something that should not be in the list let me know we can chat with the people who made the list and communicate with ui-team as well.

[elorzafe]

I couldnt find this on the pre approved list

[elorzafe]

I have doubts on the following licences:

• 0BSD
• BSDs how can we verify if it has PATENTS
• MPL-2.0
• OLDAP-2.8it seems the approved is OpenLDAP 2.6.6
• Unicode-DFS-2015 and Unicode-DFS-2016

we can verify these with a ticket to osa and also would appreciate @ovalba

[elorzafe]

@ovalba I would like your feedback on this. Thanks!

[elorzafe]

Thanks @kvramyasri7 !