ci: add license compliance workflow and CI Testing Pipeline gate#10

Merged
carlos-alm merged 1 commit into main from ci/shield-license-compliance
Feb 22, 2026

Conversation

@carlos-alm

Summary

  • Add [SHIELD] Open Source Licenses workflow — scans dependencies against a permissive license allowlist on dependency changes, weekly schedule, and manual dispatch
  • Add CI Testing Pipeline aggregation job to ci.yml for a single required status check instead of every matrix combination
  • Update admin-guide.md with the new required status checks (CI Testing Pipeline, License Compliance Scan)

Test plan

  • Verify CI Testing Pipeline job passes when all matrix jobs pass
  • Verify license compliance scan runs and produces artifact reports
  • Confirm admin-guide.md reflects the correct required checks

Add SHIELD license compliance scan workflow that checks dependencies
against an allowlist of permissive licenses on dependency changes,
weekly schedule, and manual dispatch.

Add CI Testing Pipeline aggregation job to ci.yml so branch protection
can require a single check instead of every matrix combination.

Update admin-guide.md with the new required status checks.

greptile-apps bot commented Feb 22, 2026

Greptile Summary

Adds license compliance scanning workflow and consolidates CI status checks into a single required gate job. The new [SHIELD] Open Source Licenses workflow scans npm dependencies against a permissive license allowlist (MIT, BSD, Apache, ISC, etc.) and fails if restrictive licenses (GPL, AGPL, LGPL, SSPL, BSL) are detected. The CI Testing Pipeline aggregation job simplifies branch protection by requiring one status check instead of every matrix combination.

Key changes:

  • New license compliance workflow triggers on dependency file changes, weekly schedule, and manual dispatch
  • Generates JSON/CSV reports and provides detailed GitHub step summaries with license distribution
  • CI pipeline gate job consolidates lint, test, and rust-check results with if: always() and needs dependency
  • Updated admin guide reflects new required status checks: CI Testing Pipeline and License Compliance Scan

Minor issue:

  • License workflow uses actions/checkout@v6 and actions/setup-node@v6 while most repository workflows use v4 (consider standardizing for consistency)

Confidence Score: 4/5

  • Safe to merge with one minor style inconsistency that can be addressed in follow-up
  • Well-implemented CI infrastructure improvements with proper error handling and comprehensive license scanning. The aggregation job correctly uses if: always() with needs dependencies. Only minor issue is action version inconsistency (v6 vs v4) which doesn't affect functionality but breaks consistency with existing workflows.
  • Consider standardizing action versions in .github/workflows/shield-license-compliance.yml to match repository conventions (v4 instead of v6)

Important Files Changed

  • .github/workflows/ci.yml: Added CI Testing Pipeline aggregation job to consolidate matrix results into a single required status check
  • .github/workflows/shield-license-compliance.yml: New workflow for license compliance scanning with a permissive license allowlist; runs on dependency changes and a weekly schedule
  • docs/admin-guide.md: Updated required status checks to reference the new CI Testing Pipeline and License Compliance Scan jobs

Last reviewed commit: eeeb68b

@greptile-apps greptile-apps bot left a comment

3 files reviewed, 1 comment

Comment on lines +26 to +29
uses: actions/checkout@v6

- name: Setup Node.js
uses: actions/setup-node@v6

Inconsistent action versions with rest of repository workflows — most workflows use actions/checkout@v4 and actions/setup-node@v4, but this uses v6 for both

Suggested change
uses: actions/checkout@v6
- name: Setup Node.js
uses: actions/setup-node@v6
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
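Review bot: The suggestion swaps one mutable major-version tag for another; since this workflow is itself a supply-chain control, the stronger fix is to pin both uses: references to a full commit SHA with the version in a trailing comment (for example "uses: actions/checkout@<commit-sha> # v4", placeholder SHA) so that a repointed tag cannot change what runs, and to apply the same pinning to the other workflows when standardizing. Separately, the replacement block adds a "- name: Checkout code" line that the replaced range (which begins at "uses: actions/checkout@v6", so the step's own "- name:" line lies just above line 26) does not include; applied as written it would leave the existing "- name:" entry as a step with no uses: or run:, which fails workflow validation, so only the two version strings should change.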

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

carlos-alm merged commit aeec793 into main on Feb 22, 2026
15 checks passed