From e291d985f8b35a7ab33c2101cd316341c2da243a Mon Sep 17 00:00:00 2001 From: Steve Boyd Date: Thu, 19 Dec 2024 11:03:26 +1300 Subject: [PATCH] MNT Check licenses of installed dependencies --- .github/workflows/ci.yml | 79 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 79 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 12b9e59..b3acd06 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -196,3 +196,82 @@ jobs: endtoend_suite: versioned-admin endtoend_config: vendor/silverstripe/versioned-admin/behat.yml endtoend_tags: job2,job3,job4,job5 + checklicenses: + name: Check licenses + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read + steps: + - name: Checkout code + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - name: Get PHP version + id: phpversion + run: | + # Get the PHP version to use from composer.json + PHP=$(jq -r '.require["php"]' composer.json) + # Remove the leading caret + PHP=${PHP//^/} + echo "::set-output name=version::$PHP" + - name: Install PHP + uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # v2.31.1 + with: + php-version: ${{ steps.phpversion.outputs.version }} + extensions: curl, dom, gd, intl, json, ldap, mbstring, mysql, tidy, xdebug, zip + tools: composer:v2 + coverage: xdebug + - name: Composer install + run: composer install + - name: Check licenses + run: | + # Validate licenses of all composer dependencies are allowed + echo "Checking licenses of all dependencies" + composer global require madewithlove/license-checker + COMPOSER_GLOBAL_HOME=$(composer -q -n config --global home) + # Fetch a list of allowed SPDX identifiers from the repository + URL=https://raw.githubusercontent.com/silverstripe/gha-run-tests/refs/heads/1/allowed-spdx-delimited.txt + echo "Fetching from $URL" + SPDX_ALLOWED_DELIMITED=$(curl -s $URL) + echo "SPDX_ALLOWED_DELIMITED is $SPDX_ALLOWED_DELIMITED" + if [[ $SPDX_ALLOWED_DELIMITED =~ "404: Not Found" ]]; then + echo "Failed to fetch remote list of allowed SPDX identifiers, falling back to default list" + SPDX_ALLOWED_DELIMITED='MIT;MIT-0;ISC;0BSD;BSD-2-Clause;BSD-3-Clause;Apache-2.0;Python-2.0;CC0-1.0;CC-BY-3.0;CC-BY-4.0;Public Domain;Unlicense' + else + echo "Succesfully fetched remote list of allowed SPDX identifiers" + SPDX_ALLOWED_DELIMITED=$(echo $SPDX_ALLOWED_DELIMITED | tr -d '\n') + fi + # Update the licenses in installed.json file to be sorted so that allowed SPDX identifier + # are at the top of the list. This is done because the license-checker will only check the first SPDX. + SPDX_ALLOWED_DELIMITED=$SPDX_ALLOWED_DELIMITED php -r ' + $allowedSpdxDelimted = getenv("SPDX_ALLOWED_DELIMITED"); + $allowedSpdx = explode(";", $allowedSpdxDelimted); + $filename = "vendor/composer/installed.json"; + $contents = file_get_contents("vendor/composer/installed.json"); + $json = json_decode($contents, true); + foreach ($json["packages"] as &$package) { + if (!isset($package["license"])) { + throw new Exception("License field missing for package " . $package["name"]); + } + usort($package["license"], fn ($spdx) => in_array($spdx, $allowedSpdx) ? -1 : 1); + } + file_put_contents($filename, json_encode($json, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES)); + ' + # Translate " " to "_" (and back again later) for any SPDX that has a space in it, such as "Public Domain" + # Otherwise the bash for loop will split on the space + SPDX_ALLOWED_LIST=$(echo $SPDX_ALLOWED_DELIMITED | tr " " "_" | tr ";" "\n") + SPDX_USED_LIST=$($COMPOSER_GLOBAL_HOME/vendor/bin/license-checker --no-dev used) + for SPDX_USED in $SPDX_USED_LIST; do + IS_ALLOWED=0 + for SPDX_ALLOWED in $SPDX_ALLOWED_LIST; do + SPDX_ALLOWED=$(echo $SPDX_ALLOWED | tr "_" " ") + if [[ $SPDX_USED == $SPDX_ALLOWED ]]; then + IS_ALLOWED=1 + break + fi + done + if [[ $IS_ALLOWED == 0 ]]; then + echo "License $SPDX_USED found in composer dependencies is not allowed. Check vendor/composer/installed.json" + exit 1 + fi + done + echo "All licenses are allowed"