forked from silverstripe/recipe-kitchen-sink
-
Notifications
You must be signed in to change notification settings - Fork 0
146 lines (134 loc) · 6.31 KB
/
licenses.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
name: Licenses
# This workflow will check the licences of any installed composer and NPM dependencies against a list of
# allowed SPDX identifiers of open source licences. These are contained env variable $SPDX_ALLOWED_DELIMITED
# If any installed non-dev dependencies are found that are not in the allowed list then the job will fail.
# See https://spdx.org/licenses/ for a list of SPDX identifiers.
# Note that the `Unlicense` is an SPDX identifier for an actual license and not a placeholder for a missing license.
on:
# At 4 AM UTC, only on Saturday
workflow_dispatch:
schedule:
- cron: '0 4 * * 6'
permissions: {}
jobs:
checklicenses:
name: Check licenses
runs-on: ubuntu-latest
permissions:
contents: read
env:
SPDX_ALLOWED_DELIMITED: 'MIT;MIT-0;ISC;0BSD;BSD-2-Clause;BSD-3-Clause;Apache-2.0;Python-2.0;CC0-1.0;CC-BY-3.0;CC-BY-4.0;Public Domain;Unlicense'
steps:
- name: Checkout code
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- name: Get PHP version
id: phpversion
run: |
# Get the PHP version to use from composer.json
PHP=$(jq -r '.require["php"]' composer.json)
# Remove the leading caret
PHP=${PHP//^/}
echo "::set-output name=version::$PHP"
- name: Install PHP
uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # v2.31.1
with:
php-version: ${{ steps.phpversion.outputs.version }}
extensions: curl, dom, gd, intl, json, ldap, mbstring, mysql, tidy, zip
tools: composer:v2
- name: Composer install
run: composer install
- name: Composer licenses
run: |
# Validate licenses of all composer dependencies are allowed
echo "Checking licenses of all dependencies"
composer global require madewithlove/license-checker
COMPOSER_GLOBAL_HOME=$(composer -q -n config --global home)
# Update the licenses in installed.json file to be sorted so that allowed SPDX identifier
# are at the top of the list. This is done because the license-checker will only check the first SPDX.
SPDX_ALLOWED_DELIMITED=$SPDX_ALLOWED_DELIMITED php -r '
$allowedSpdxDelimted = getenv("SPDX_ALLOWED_DELIMITED");
$allowedSpdx = explode(";", $allowedSpdxDelimted);
$filename = "vendor/composer/installed.json";
$contents = file_get_contents("vendor/composer/installed.json");
$json = json_decode($contents, true);
foreach ($json["packages"] as &$package) {
if (!isset($package["license"])) {
throw new Exception("License field missing for package " . $package["name"]);
}
usort($package["license"], fn ($spdx) => in_array($spdx, $allowedSpdx) ? -1 : 1);
}
file_put_contents($filename, json_encode($json, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES));
'
# Translate " " to "_" (and back again later) for any SPDX that has a space in it, such as "Public Domain"
# Otherwise the bash for loop will split on the space
SPDX_ALLOWED_LIST=$(echo $SPDX_ALLOWED_DELIMITED | tr " " "_" | tr ";" "\n")
SPDX_USED_LIST=$($COMPOSER_GLOBAL_HOME/vendor/bin/license-checker --no-dev used)
for SPDX_USED in $SPDX_USED_LIST; do
IS_ALLOWED=0
for SPDX_ALLOWED in $SPDX_ALLOWED_LIST; do
SPDX_ALLOWED=$(echo $SPDX_ALLOWED | tr "_" " ")
if [[ $SPDX_USED == $SPDX_ALLOWED ]]; then
IS_ALLOWED=1
break
fi
done
if [[ $IS_ALLOWED == 0 ]]; then
echo "License $SPDX_USED found in composer dependencies is not allowed. Check vendor/composer/installed.json"
exit 1
fi
done
# Remove license-checker as its name will collide with the npm license checker
composer global remove madewithlove/license-checker
echo "All licenses are allowed"
- name: NPM licenses
run: |
# Set nvmdir explicitly before installation. Default dir doesn't work for some reason.
export NVM_DIR="${HOME}/.nvm"
# Installation fails if install dir is specified but doesn't exist
if ! [[ -d "$NVM_DIR" ]]; then
echo "NVM_DIR '$NVM_DIR' doesn't exist - creating it now"
mkdir $NVM_DIR
fi
# Get install nvm script from gha-run-tests
curl -s https://raw.githubusercontent.com/silverstripe/gha-run-tests/refs/heads/1/install-nvm.sh > install-nvm.sh
chmod +x install-nvm.sh
./install-nvm.sh
if [[ $? != 0 ]]; then
echo "Error while installing nvm"
exit 1
fi
# This loads nvm
[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"
EXCLUDE_PACKAGES='@silverstripe/[email protected];[email protected];[email protected];[email protected];[email protected]'
# Loop all package.json files that were previously installed by composer install
BASEDIR=$(pwd)
FILES=$(find . | grep package.json | grep -v node_modules | grep -v tinymce)
for FILE in $FILES; do
# remove trailing "/package.json"
SUBDIR="${FILE/\/package.json/}"
DIR="$BASEDIR/$SUBDIR"
echo "Checking $DIR"
cd $DIR
if [[ ! -f .nvmrc ]]; then
echo "Missing .nvmrc"
exit 1
fi
nvm install
nvm use
if [[ -z $(which yarn) ]]; then
npm install -g yarn;
fi
yarn install --network-concurrency 1
DEPS=$(jq -r '.dependencies' package.json)
if [[ $DEPS == "null" ]] || [[ $DEPS == "{}" ]]; then
echo "No non-dev dependencies found in $DIR"
continue
fi
if [[ -z $(which license-checker) ]]; then
echo "Installing license-checker"
npm install -g license-checker
fi
license-checker --production --unknown --out /dev/null --onlyAllow "$SPDX_ALLOWED_DELIMITED" --excludePackages "$EXCLUDE_PACKAGES"
echo "All licenses are allowed for $DIR"
done
echo "Passed"