About This Session
Everyone agrees that OSS license compliance is critical, yet nobody enjoys the process. It usually involves spreadsheets, long email chains, and "shipping anxiety." We decided to treat (legal) license compliance not as a distinct administrative phase, but as a standard CI/CD failure state.

In this talk, I will demonstrate how we built a fully automated license defence line. We used package manager metadata to build a centralised "allow-list" enforced by CI checks across all repositories. But the real innovation is the exception handling:

- **Get Blocked:** When a developer introduces a new license, the build fails with a direct link to our central license repository.
- **Review:** The developer opens a PR to add the new license to the allow-list.
- **And Approved!** Our lawyer, whom we onboarded to GitHub, reviews the legal implications and merges the PR.
- **Instant Enablement:** The check turns green, and the code ships.

I will share the technical setup, how we cleaned up our metadata, and how integrating Legal into the Pull Request workflow eliminated "showstopper" risks and gave our engineers instant feedback. I will also share how we handle the exceptional cases where we cannot add something to a global list.
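To make the "Get Blocked" step concrete, here is an added example of the kind of CI gate the abstract describes. It is not the speakers' code; it assumes that package-manager metadata has already been reduced to a list of components with name, version and license (for instance from an SBOM), that the allow-list is a set of SPDX identifiers kept in a central repository, and that the repository URL, the package names and the license values below are constructed placeholders. It goes slightly beyond the abstract by also handling simple SPDX "OR"/"AND" expressions and by treating a missing license as a violation rather than silently passing it.

```python
"""Added example, not the session's own tooling: a minimal license allow-list
gate of the kind a CI job would run before a build is allowed to ship.

Assumptions (not from the abstract): components arrive as dicts with
name/version/license, e.g. reduced from a CycloneDX SBOM or from package
manager metadata; the allow-list is a set of SPDX identifiers pulled from a
central repository; the URL below is a placeholder.
"""
import json
import sys

# Placeholder for the central license repository linked from the failure message.
CENTRAL_LICENSE_REPO = "https://github.com/EXAMPLE-ORG/license-allow-list"

# Constructed allow-list, as it might live in allow-list.json in that repository.
ALLOW_LIST = {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"}

# Constructed sample component metadata (names and versions are illustrative).
SAMPLE_COMPONENTS = [
    {"name": "requests", "version": "2.31.0", "license": "Apache-2.0"},
    {"name": "left-pad", "version": "1.3.0", "license": "MIT"},
    {"name": "dual-lic", "version": "2.0.0", "license": "MIT OR GPL-2.0-only"},
    {"name": "some-gpl-lib", "version": "0.9.1", "license": "GPL-3.0-only"},
    {"name": "mystery-pkg", "version": "1.0.0", "license": None},
]


def normalize(license_id):
    """Normalise the license string reported by package metadata.
    Missing or empty values become UNKNOWN so they can never be silently allowed."""
    if not license_id or not license_id.strip():
        return "UNKNOWN"
    return license_id.strip()


def is_allowed(license_id, allow_list):
    """Evaluate a plain SPDX id or a flat 'A OR B' / 'A AND B' expression.
    OR passes if any alternative is allowed; AND requires every part to be allowed.
    Nested parentheses are not parsed; an unparsed expression simply fails closed."""
    expr = normalize(license_id)
    if " OR " in expr:
        return any(is_allowed(p, allow_list) for p in expr.split(" OR "))
    if " AND " in expr:
        return all(is_allowed(p, allow_list) for p in expr.split(" AND "))
    return expr.strip("()") in allow_list


def find_violations(components, allow_list):
    """Return the components whose license is not covered by the allow-list."""
    return [
        {**c, "license": normalize(c.get("license"))}
        for c in components
        if not is_allowed(c.get("license"), allow_list)
    ]


def format_report(violations, repo_url):
    """Build the failure message shown in CI, ending with the link developers follow
    to open a PR against the central allow-list."""
    lines = [
        f"{v['name']}=={v['version']}: license '{v['license']}' is not on the allow-list"
        for v in violations
    ]
    if lines:
        lines.append(f"To add a license, open a PR against {repo_url}")
    return "\n".join(lines)


def main(argv):
    # Read components from a JSON file if one is given, otherwise use the
    # constructed sample so the script runs stand-alone.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            components = json.load(fh)
    else:
        components = SAMPLE_COMPONENTS
    violations = find_violations(components, ALLOW_LIST)
    if violations:
        print(format_report(violations, CENTRAL_LICENSE_REPO))
        return 1  # non-zero exit status fails the CI job
    print("All component licenses are on the allow-list")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to see the constructed sample fail on the GPL-licensed and the license-less component; in a real pipeline the allow-list would be fetched from the central repository at job start, and the exit status is what turns the check red or green.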
Topics
- Automation
- CI/CD
- Compliance
- Developer Experience (DevEx)
- GitHub Actions
- Open Source
- SBOM