Hi y'all, today talking about ensuring plug-in GPL compatibility via GitHub Actions. A little bit more about me: director of open source initiatives at 10up. On pretty much every social platform, including GitHub and Twitter or X, I'm @jeffpaul. Also online at jeffpaul.com. If you're gonna take a picture of a slide today because you want to get notes, this is the one, because my slides are up on my website, jeffpaul.com. Also because there's a really nice picture of me on there, too. That's from Reykjavik, the rainbow road there, from the 10up summit earlier this year.

10up is about 300 people, fully distributed, fully remote, focused on crafting websites, apps and tools for content creators while being mindful and contributing back to the open web, which is the foundation upon which 10up and many of our businesses, if not all, are built.

A little bit more about that open source practice. It was founded, or formalized, in 2019 when I joined the company, now up to 10 members strong, again all focused on crafting a better open web, of which this project, WordPress, is a part. Part of that work is contributing to WordPress core, so across major releases ensuring that 10uppers are contributing in core, docs, editor, wherever it may be, finding their skill sets and helping them find places across major releases, just like 6.3 which came out recently and the 17 10uppers that were active there.

Another part of our practice is maintaining a suite of about two dozen plugins, most available on the .org repo. Some examples: ClassifAI, which leverages cloud-based services like Microsoft Azure AI, IBM Watson and OpenAI, all very hot right now, right? And by using those providers it supercharges WordPress content workflows and engagement with AI functionality. Distributor helps syndicate content and content reuse across websites. And ElasticPress brings the power of Elasticsearch to a WordPress site.
So those and many of our others are available on that .org and all maintained on GitHub, which will come into play here in a minute. So if you're familiar with distributing plugins on WordPress.org, the plugin team has a handbook, right? And there are requirements, there are guidelines that you must follow in order to, when you submit a plug-in, get accepted into the repo, and ideally follow those throughout the versions from there. The first one that's listed is: plugins must be compatible with the GPL. Digging in a little deeper, that means not just the code, right? That means images, fonts: are those GPL compatible? And dependencies, right? If you're bundling something with your plug-in, it also needs to be GPL compatible.

Now, get into a little bit of nightmare scenarios here, right? What if somebody contributes a PR to your project, or somebody on your team, or you yourself if you are a single contributor for a plug-in, and you introduce a new dependency? Or potentially a dependency gets updated and there is an incompatible license? You declare that you are distributing GPL v2 or later, right? But are you? Or potentially the worst-case scenario is you already aren't actually using third-party dependencies that are GPL compatible, right? Welcome to the life of the director of open source and things that actually, unfortunately, wake you up in the middle of the night.

So fortunately, for those of you on GitHub, GitHub Actions comes to the rescue and can help out here. It can help you check for those new dependencies that are introduced, it can help check for updated dependencies, it can help check that those are actually compatible with the license
you are saying your plug-in is distributed under. It can, if you aren't already aware, scan that whole code base and report back and say, yep, no incompatible licenses. And then, ongoing, scan all pull requests to make sure that, again, if somebody introduces a new dependency, if a pull request updates a dependency and that license happens to change, make sure that you continue to be compatible as you declare your project to be.

So at 10up we make use of one of GitHub's official actions, the dependency review action. There are some others that we tested out; this one just happened to work for our case, and this is the example I'm going to show you here today. So first off, you'll add the dependency review action workflow file to your repo, and that basically will say: run against all pull requests and use this action to scan for compatible licenses. You'll make sure that the licenses that are compatible with what you're declaring are mentioned, as that's what the action will check against. And you'll wait for the results of those scans of the code base. Fingers crossed, right?
And then again, all future PRs will continue to be checked against those licenses that you have in this policy. Optionally, if you maintain multiple projects, you can have a policy of the licenses compatible hosted in a central repository you maintain, and all your projects can point back to that single file, so that if there's a new license that gets approved and is GPL compatible, it can be added in one place instead of two dozen, like in the case of 10up.

So this is a little small here, which is why you took a picture of that first slide where I looked really nice in Reykjavik. But what we're looking at here is our project Insert Special Characters, and in here, within the .github folder and then within the workflows folder, is the dependency review action. There's a lot of comments in here, for anybody that does pull this up, to be helpful, but the most mindful thing in here is, eventually, we are using that dependency review action, and then further on down there is a list of allowed licenses that we've done the research on and know to be compatible with the license that we declared, in this case for Insert Special Characters. The action alternatively does have a deny list, but it seems to be a more prudent approach to include things that you know to be compatible instead of trying to exclude all the ones that aren't, and then potentially some other one isn't included and now you've got some things getting through that should not be.

So like I said, here's another version of Insert Special Characters, the same workflow file, but at the very bottom there is a variable here for that config file, which we host in the .github repo for the 10up organization. And then taking a look at that file that we're linking out to here, it effectively just includes those licenses in this central file.
This is what we maintain and check against all of our repositories; they all point back to this file. The actual licenses that we have in here we pulled from gnu.org, also reviewed with spdx.org, which references things that are Free Software Foundation free or libre as well as the Open Source Initiative approved licenses, but really the crux of what we have here is coming from gnu.org, what they declare as GPL compatible.

So that first run against your code base, a little nerve-wracking, right? Like, do you know for certain that everything you have is compatible, right? So you've declared GPL or GPL v2 compatible; sit back and wait for that GitHub action to run. In the scenario where you run into issues and it says this dependency is not compatible with what you say it should be: simply, sorry, fix that, right? Potentially remove that dependency, swap it out for something else, and then release an updated version. That's probably the best you can do in this case. I would call it out in the changelog, I would call it out in the readme. Make sure it's obvious that this version is updated because it is now compatible with what you declared it to be.

So then from there, you did that first scan; now you want to scan all pull requests, right? So that action will run on all PRs that get opened, whether that's you as the repo owner, somebody on your team, or, if you've got people contributing from the community, we'll also check theirs. That check again is against those licenses that you declared, and you're not waking up in the middle of the night worried that you are bundling incompatible licenses. So that's the long and short of it. Again, reiterating here:
You've got that GitHub action that's created, that workflow file. You've got, optionally, a policy that you link out to if you're maintaining multiple repos, multiple projects, multiple plugins. Check that code base, fix it if you run into issues, and then otherwise let this keep running and you will know for certain that your plug-in is for sure GPL compatible. Again, whether that's GPL v2, whether that's MIT, whether that's BSD 3-clause, it'll be compatible with what you say it should be.

Again, if you've got questions: Jeff Paul, jeff.paul@10up.com, where I'm the director of open source, and again @jeffpaul across most social platforms. And that's all, thank you.
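The two-file setup the talk walks through (a per-repo workflow that runs GitHub's dependency review action on every pull request, plus a central allow-list policy hosted in the organization's .github repo), written out as an added illustrative example rather than 10up's actual files. The org name `example-org`, the file paths, and the license list are assumptions; the allow-list is drawn from gnu.org's GPL-compatible licenses, expressed as SPDX identifiers, which is what the action compares against.

```yaml
# File 1 (assumed path): .github/workflows/dependency-review.yml in each plugin repo
name: Dependency review

on:
  pull_request:              # run on every PR, from maintainers or community contributors

permissions:
  contents: read             # read the repo's dependency graph
  pull-requests: write       # only needed for comment-summary-in-pr below

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the pull request
        uses: actions/checkout@v4

      - name: Fail the PR on any dependency whose license is not on the allow-list
        uses: actions/dependency-review-action@v4
        with:
          # Central policy shared by every repo: owner/repo/path@ref.
          # A private policy repo additionally needs external-repo-token.
          config-file: 'example-org/.github/dependency-review-config.yml@main'
          comment-summary-in-pr: always   # post the findings as a PR comment

---
# File 2 (assumed path): .github/dependency-review-config.yml in the org's .github repo.
# Allow-list, not deny-list: anything not named here fails the check, so a new
# incompatible license slips through only if someone explicitly adds it.
# allow_licenses and deny_licenses are mutually exclusive; pick one.
allow_licenses:
  - GPL-2.0-only
  - GPL-2.0-or-later
  - GPL-3.0-only
  - GPL-3.0-or-later
  - LGPL-2.1-or-later
  - LGPL-3.0-or-later
  - MIT
  - BSD-2-Clause
  - BSD-3-Clause
  - ISC
# Same action also reviews vulnerability advisories on changed dependencies.
fail_on_severity: low
```

Changing the central file (for example adding a newly vetted license) takes effect on the next PR in every repo that points at it, and the action only sees ecosystems the repository's dependency graph supports, so composer.json and package.json changes are covered while a vendored PHP file with no manifest entry is not.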