From d5d6e4ce102d41132600ae98f7bcab904343a92b Mon Sep 17 00:00:00 2001
From: Steve Boyd
Date: Tue, 17 Dec 2024 18:33:33 +1300
Subject: [PATCH] NEW Check that all dependency licenses are permissive
---
 action.yml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
diff --git a/action.yml b/action.yml
index df37a2c..84c6b8b 100644
--- a/action.yml
+++ b/action.yml
@@ -281,6 +281,14 @@ runs:
 echo "Running yarn lint"
 yarn run lint
 fi
+ # Validate licenses of all dependencies are permissive
+ echo "Checking licenses of all dependencies"
+ npm install -g license-checker
+ # A list of allowed software licesnses that are permissive - see https://spdx.org/licenses/ for a list of SPDX identifiers
+ # IMPORTANT! If this is updated also update the same variable in the "Run PHP linting" step
+ SPDX_ALLOWED_DELIMITED="MIT;MIT-0;ISC;0BSD;BSD-2-Clause;BSD-3-Clause;Apache-2.0;Python-2.0;CC0-1.0;CC-BY-3.0;CC-BY-4.0;Public Domain;Unlicense"
+ license-checker --production --unknown --out /dev/null --onlyAllow "$SPDX_ALLOWED_DELIMITED"
+ # If we get to this point, everything was successful
 echo "Passed"
 - name: "Run PHP linting"
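Review bot: `npm install -g license-checker` on the added line pulls whatever version the registry serves at run time, so the step that is meant to gate dependency licenses is itself an unpinned install executed with the job's privileges; pin it, e.g. `npm install -g license-checker@<x.y.z>`, and the same applies to `composer global require madewithlove/license-checker` in the PHP step. The comment above `SPDX_ALLOWED_DELIMITED` points readers to spdx.org for identifiers, but `Public Domain` is not an SPDX identifier — it matches the label license-checker itself emits — and the comment should say so (e.g. `# "Public Domain" is not SPDX; it is the string license-checker reports`) so nobody "fixes" it and silently starts rejecting those packages. The rejection also relies on `--onlyAllow` exiting non-zero and the script aborting before `echo "Passed"`, which only holds if this `run:` block executes under `bash -e` (the GitHub default for `shell: bash`); that setting is outside the hunk, so worth confirming. The enclosing step begins before this hunk.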
@@ -302,6 +310,32 @@ runs:
 echo "Running PHPStan"
 vendor/bin/phpstan analyse
 fi
+ # Validate licenses of all dependencies are permissive
+ echo "Checking licenses of all dependencies"
+ composer global require madewithlove/license-checker
+ COMPOSER_GLOBAL_HOME=$(composer -q -n config --global home)
+ # A list of allowed software licesnses that are permissive - see https://spdx.org/licenses/ for a list of SPDX identifiers
+ # IMPORTANT! If this is updated also update the same variable in the "Run JS tests" step
+ SPDX_ALLOWED_DELIMITED="MIT;MIT-0;ISC;0BSD;BSD-2-Clause;BSD-3-Clause;Apache-2.0;Python-2.0;CC0-1.0;CC-BY-3.0;CC-BY-4.0;Public Domain;Unlicense"
+ # Translate " " to "__" (and back again later) for any SPDX that has a space in it, such as "Public Domain"
+ # Otherwise the bash for loop will split on the space
+ SPDX_ALLOWED_LIST=$(echo $SPDX_ALLOWED_DELIMITED | tr " " "__" | tr ";" "\n")
+ SPDX_USED_LIST=$($COMPOSER_GLOBAL_HOME/vendor/bin/license-checker --no-dev used)
+ for SPDX_USED in $SPDX_USED_LIST; do
+ IS_ALLOWED=0
+ for SPDX_ALLOWED in $SPDX_ALLOWED_LIST; do
+ SPDX_ALLOWED=$(echo $SPDX_ALLOWED | tr "__" " ")
+ if [[ $SPDX_USED == $SPDX_ALLOWED ]]; then
+ IS_ALLOWED=1
+ break
+ fi
+ done
+ if [[ $IS_ALLOWED == 0 ]]; then
+ echo "License $SPDX_USED found in composer dependencies is not allowed. Check vendor/composer/installed.json"
+ exit 1
+ fi
+ done
+ # If we get to this point, everything was successful
 echo "Passed"
 - name: "Run PHP coverage"
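Review bot: `for SPDX_USED in $SPDX_USED_LIST; do` word-splits the tool's output on whitespace, so a used license whose name contains a space — the very case the `tr " " "__"` round-trip was added to handle on the allowed side — arrives as two tokens (`Public`, `Domain`) and is rejected even though `Public Domain` is on the allow list; assuming `license-checker used` prints one license per line, read it line-wise instead with `while IFS= read -r SPDX_USED; do` … `done <<< "$SPDX_USED_LIST"` and skip blanks via `[[ -z "$SPDX_USED" ]] && continue`. Once the used side is read that way, the allowed list can be split with `IFS=';' read -ra SPDX_ALLOWED_ARR <<< "$SPDX_ALLOWED_DELIMITED"` and iterated as `"${SPDX_ALLOWED_ARR[@]}"`, dropping the `__` translation and the per-entry `tr` subshell entirely. `composer global require madewithlove/license-checker` is unpinned, so the license gate installs whatever version the registry serves at run time; pin it, as the npm step should. The npm side passes `--unknown` to fail closed on undeclared licenses, but nothing visible here does the equivalent for Composer — confirm how `used` reports packages with no `license` field so they are rejected rather than skipped. The enclosing `run:` step begins before this hunk.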