Skip to content

Commit

Permalink
MNT Check licenses of installed dependencies
Browse files Browse the repository at this point in the history
  • Loading branch information
emteknetnz committed Dec 18, 2024
1 parent b19f0db commit e291d98
Showing 1 changed file with 79 additions and 0 deletions.
79 changes: 79 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -196,3 +196,82 @@ jobs:
endtoend_suite: versioned-admin
endtoend_config: vendor/silverstripe/versioned-admin/behat.yml
endtoend_tags: job2,job3,job4,job5
checklicenses:
name: Check licenses
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
steps:
- name: Checkout code
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- name: Get PHP version
id: phpversion
run: |
# Get the PHP version to use from composer.json
PHP=$(jq -r '.require["php"]' composer.json)
# Remove the leading caret
PHP=${PHP//^/}
echo "::set-output name=version::$PHP"
- name: Install PHP
uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # v2.31.1
with:
php-version: ${{ steps.phpversion.outputs.version }}
extensions: curl, dom, gd, intl, json, ldap, mbstring, mysql, tidy, xdebug, zip
tools: composer:v2
coverage: xdebug
- name: Composer install
run: composer install
- name: Check licenses
run: |
# Validate licenses of all composer dependencies are allowed
echo "Checking licenses of all dependencies"
composer global require madewithlove/license-checker
COMPOSER_GLOBAL_HOME=$(composer -q -n config --global home)
# Fetch a list of allowed SPDX identifiers from the repository
URL=https://raw.githubusercontent.com/silverstripe/gha-run-tests/refs/heads/1/allowed-spdx-delimited.txt
echo "Fetching from $URL"
SPDX_ALLOWED_DELIMITED=$(curl -s $URL)
echo "SPDX_ALLOWED_DELIMITED is $SPDX_ALLOWED_DELIMITED"
if [[ $SPDX_ALLOWED_DELIMITED =~ "404: Not Found" ]]; then
echo "Failed to fetch remote list of allowed SPDX identifiers, falling back to default list"
SPDX_ALLOWED_DELIMITED='MIT;MIT-0;ISC;0BSD;BSD-2-Clause;BSD-3-Clause;Apache-2.0;Python-2.0;CC0-1.0;CC-BY-3.0;CC-BY-4.0;Public Domain;Unlicense'
else
echo "Succesfully fetched remote list of allowed SPDX identifiers"
SPDX_ALLOWED_DELIMITED=$(echo $SPDX_ALLOWED_DELIMITED | tr -d '\n')
fi
# Update the licenses in installed.json file to be sorted so that allowed SPDX identifier
# are at the top of the list. This is done because the license-checker will only check the first SPDX.
SPDX_ALLOWED_DELIMITED=$SPDX_ALLOWED_DELIMITED php -r '
$allowedSpdxDelimted = getenv("SPDX_ALLOWED_DELIMITED");
$allowedSpdx = explode(";", $allowedSpdxDelimted);
$filename = "vendor/composer/installed.json";
$contents = file_get_contents("vendor/composer/installed.json");
$json = json_decode($contents, true);
foreach ($json["packages"] as &$package) {
if (!isset($package["license"])) {
throw new Exception("License field missing for package " . $package["name"]);
}
usort($package["license"], fn ($spdx) => in_array($spdx, $allowedSpdx) ? -1 : 1);
}
file_put_contents($filename, json_encode($json, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES));
'
# Translate " " to "_" (and back again later) for any SPDX that has a space in it, such as "Public Domain"
# Otherwise the bash for loop will split on the space
SPDX_ALLOWED_LIST=$(echo $SPDX_ALLOWED_DELIMITED | tr " " "_" | tr ";" "\n")
SPDX_USED_LIST=$($COMPOSER_GLOBAL_HOME/vendor/bin/license-checker --no-dev used)
for SPDX_USED in $SPDX_USED_LIST; do
IS_ALLOWED=0
for SPDX_ALLOWED in $SPDX_ALLOWED_LIST; do
SPDX_ALLOWED=$(echo $SPDX_ALLOWED | tr "_" " ")
if [[ $SPDX_USED == $SPDX_ALLOWED ]]; then
IS_ALLOWED=1
break
fi
done
if [[ $IS_ALLOWED == 0 ]]; then
echo "License $SPDX_USED found in composer dependencies is not allowed. Check vendor/composer/installed.json"
exit 1
fi
done
echo "All licenses are allowed"

0 comments on commit e291d98

Please sign in to comment.