Hi all,
After recent and noticeable enhancements in Tycho and dash-license tool, the eclipse.platform.releng.aggregator GitHub repo now has some automated license check enabled s a GitHub workflow and votes on Pull Requests. It does run a `mvn dependency:list` against the whole aggregator and gathers all dependencies coordinates. As Tycho now keeps more information about original Maven artifacts in p2 metadata, the dependency coordinates are Maven ones as often as possible. Then the dash-license tool is invoked on this list of dependencies to emit an error in case some dependency doesn't meet Eclipse IP criteria (usually according to information from the ClearlyDefined database).
As a result, if you want to update a dependency (anywhere in the project, including in eclipse-sdk-prereqs.target), then this check will detect and fail within minutes if this dependency requires a dedicated IP review; or succeed if there is no IP concern.
With such automation, the workflow to upgrade some external dependency becomes to just edit the .target, submit a PR and wait enough for the check to process (and merge if successful). The feedback loop is much faster and the process is less prone to human error.
I imagine those who have had to deal with dependency updates in the time of Orbit and IPZilla enjoy to see the same results in minimal updates and a few minutes of monitoring when it used to be days or weeks before Maven deps and dash-license tool.
Enjoy!
