Block GitHub PRs that add non-compliant package licenses
Scans the dependency manifest changes in every GitHub pull request and fails a status check when a newly added package carries a license outside your allowlist.
How it runs
The automated pipeline, trigger to output.
- Trigger (GitHub): PR opened or updated
- Action (GitHub): Fetch changed manifest files and parse new dependencies
- Action (GitHub): Resolve license for each newly added package
- Logic: Compare licenses against approved allowlist
- Action (GitHub): Set failing commit status to block merge
- Output (GitHub): Comment offending packages and licenses on the PR
What it does
When a pull request opens or updates, this workflow inspects the diff to the dependency manifest (package.json, requirements.txt, go.mod, etc.), resolves the license of every newly added package, and compares each one against your approved-license allowlist. If any package carries a forbidden or unknown license, it sets a failing commit status so the PR cannot merge, and comments the exact offenders.
When to use it
Use this when you need a hard, automated gate on license drift at the source — before non-compliant code reaches your default branch. Ideal for teams with a strict open-source policy (e.g. no GPL/AGPL in proprietary products) who want enforcement on every PR rather than periodic audits.
How it works
1. A GitHub pull_request webhook fires on open or synchronize.
2. The workflow fetches the changed manifest files and parses newly added dependencies.
3. Each new package's license is resolved from the registry metadata.
4. A logic step checks every license against the allowlist; if all pass, it posts a success status and exits.
5. On any violation, it sets a failing GitHub commit status (blocking merge) and posts a comment listing each non-compliant package and its license.
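The steps above, worked through in code as an added example (this is not the workflow's own implementation). It assumes the manifest is a package.json, that the "before" and "after" contents of the file are already in hand, and that registry license metadata has already been fetched; the registry lookup table, the two manifest versions and the allowlist are all constructed here so the example runs offline. Only packages that are new by name count as additions (a version bump of an existing dependency is not gated), a missing or unparsable license fails closed, and flat SPDX expressions such as "(MIT OR Apache-2.0)" are evaluated alternative by alternative.

```python
import json
from typing import Dict, List, Optional, Set, Tuple

# Approved SPDX identifiers. Hypothetical policy; edit to match your own.
ALLOWLIST: Set[str] = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}

# Constructed stand-in for registry metadata. In the real workflow the
# license field is resolved from the package registry for each new package.
REGISTRY_LICENSES: Dict[str, Optional[str]] = {
    "express": "MIT",
    "left-pad-ish": "(MIT OR Apache-2.0)",
    "some-gpl-lib": "GPL-3.0-only",
    "mystery-pkg": None,  # registry exposes no license field at all
}

# Constructed package.json contents, before and after the pull request.
OLD_MANIFEST = json.dumps({
    "dependencies": {"express": "^4.18.0"},
    "devDependencies": {"jest": "^29.0.0"},
})
NEW_MANIFEST = json.dumps({
    "dependencies": {"express": "^4.19.0", "left-pad-ish": "1.0.0", "some-gpl-lib": "2.1.0"},
    "devDependencies": {"jest": "^29.0.0", "mystery-pkg": "0.3.0"},
})

DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")


def manifest_packages(manifest_text: str) -> Set[str]:
    """Return every package name declared in a package.json document."""
    data = json.loads(manifest_text)
    names: Set[str] = set()
    for section in DEP_SECTIONS:
        names.update(data.get(section, {}).keys())
    return names


def new_dependencies(old_text: str, new_text: str) -> List[str]:
    """Packages present after the PR but absent before it. Version bumps of
    existing packages are deliberately ignored: this gate is for additions."""
    return sorted(manifest_packages(new_text) - manifest_packages(old_text))


def license_allowed(expr: Optional[str], allowlist: Set[str]) -> bool:
    """Evaluate a flat SPDX expression against the allowlist.
    Missing or empty license: not allowed (unknown fails closed).
    'A OR B' passes if any alternative passes; 'A AND B' needs every part.
    Nested parentheses are not parsed and also fail closed."""
    if not expr:
        return False
    expr = expr.strip()
    if expr.startswith("(") and expr.endswith(")"):
        expr = expr[1:-1]
    if "(" in expr or ")" in expr:
        return False
    for alternative in expr.split(" OR "):
        parts = [p.strip() for p in alternative.split(" AND ")]
        if all(p in allowlist for p in parts):
            return True
    return False


def evaluate_pr(old_text: str, new_text: str,
                registry: Dict[str, Optional[str]],
                allowlist: Set[str]) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (commit_status_state, offenders). The state is the GitHub
    commit-status value ('success' or 'failure'); offenders is a list of
    (package, license-as-reported) pairs with 'UNKNOWN' for missing data."""
    offenders: List[Tuple[str, str]] = []
    for name in new_dependencies(old_text, new_text):
        lic = registry.get(name)
        if not license_allowed(lic, allowlist):
            offenders.append((name, lic or "UNKNOWN"))
    state = "failure" if offenders else "success"
    return state, offenders


def format_comment(offenders: List[Tuple[str, str]]) -> str:
    """Body of the PR comment listing each non-compliant package."""
    lines = ["The following newly added packages have licenses outside the allowlist:", ""]
    lines += [f"- `{name}`: {lic}" for name, lic in offenders]
    return "\n".join(lines)


if __name__ == "__main__":
    state, offenders = evaluate_pr(OLD_MANIFEST, NEW_MANIFEST, REGISTRY_LICENSES, ALLOWLIST)
    print(f"commit status: {state}")
    if offenders:
        print(format_comment(offenders))
```

With the constructed input, `left-pad-ish` passes through its MIT alternative, `mystery-pkg` fails because the registry reports no license, and `some-gpl-lib` fails on GPL-3.0-only, so the status would be set to failure and the comment would name the two offenders. Treating a missing license the same as a forbidden one is the conservative choice the workflow description calls for: an unknown license is not evidence of compliance.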
Set it up
What you configure once, before turning it on.
1. Connect GitHub: repos, issues, pull requests, actions.
2. Set each agent's model: we leave models unset so you pick the tier, fast and cheap or top-quality.
3. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
4. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.