MNT Check licenses of installed dependencies

silverstripe · Dec 18, 2024 · b6a53e4 · b6a53e4
1 parent b19f0db
commit b6a53e4
Showing 1 changed file with 83 additions and 0 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -196,3 +196,86 @@ jobs:
           endtoend_suite: versioned-admin
           endtoend_config: vendor/silverstripe/versioned-admin/behat.yml
           endtoend_tags: job2,job3,job4,job5
+  checklicenses:
+    name: Check licenses
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - name: Get PHP version
+        id: phpversion
+        run: |
+          # Get the PHP version to use from composer.json
+          PHP=$(jq -r '.require["php"]' composer.json)
+          # Remove the leading caret
+          PHP=${PHP//^/}
+          echo "::set-output name=version::$PHP"
+      - name: Install PHP
+        uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # v2.31.1
+        with:
+          php-version: ${{ steps.phpversion.outputs.version }}
+          extensions: curl, dom, gd, intl, json, ldap, mbstring, mysql, tidy, xdebug, zip
+          tools: composer:v2
+          coverage: xdebug
+      - name: Composer install
+        run: composer install
+      - name: Check licenses
+        run: |
+          # Validate licenses of all composer dependencies are allowed
+          echo "Checking licenses of all dependencies"
+          composer global require madewithlove/license-checker
+          COMPOSER_GLOBAL_HOME=$(composer -q -n config --global home)
+          # Fetch a list of allowed SPDX identifiers from the repository
+          URL=https://raw.githubusercontent.com/silverstripe/gha-run-tests/refs/heads/1/allowed-spdx-delimited.txt
+          echo "Fetching from $URL"
+          SPDX_ALLOWED_DELIMITED=$(curl -s $URL)
+          echo "SPDX_ALLOWED_DELIMITED is $SPDX_ALLOWED_DELIMITED"
+          if [[ $SPDX_ALLOWED_DELIMITED =~ "404: Not Found" ]]; then
+            echo "Failed to fetch remote list of allowed SPDX identifiers, falling back to default list"
+            SPDX_ALLOWED_DELIMITED='MIT;MIT-0;ISC;0BSD;BSD-2-Clause;BSD-3-Clause;Apache-2.0;Python-2.0;CC0-1.0;CC-BY-3.0;CC-BY-4.0;Public Domain;Unlicense'
+          else
+            echo "Succesfully fetched remote list of allowed SPDX identifiers"
+            SPDX_ALLOWED_DELIMITED=$(echo $SPDX_ALLOWED_DELIMITED | tr -d '\n')
+          fi
+          # Update the licenses in installed.json file to be sorted so that allowed SPDX identifier
+          # are at the top of the list. This is done because the license-checker will only check the first SPDX.
+          SPDX_ALLOWED_DELIMITED=$SPDX_ALLOWED_DELIMITED php -r '
+            $allowedSpdxDelimted = getenv("SPDX_ALLOWED_DELIMITED");
+            $allowedSpdx = explode(";", $allowedSpdxDelimted);
+            $filename = "vendor/composer/installed.json";
+            $contents = file_get_contents("vendor/composer/installed.json");
+            $json = json_decode($contents, true);
+            foreach ($json["packages"] as &$package) {
+              # A handful of silverstripe packages do not have a license field, though we do not need to check them
+              if (str_starts_with($package["name"], "silverstripe/")) {
+                continue;
+              }
+              if (!isset($package["license"])) {
+                throw new Exception("License field missing for package " . $package["name"]);
+              }
+              usort($package["license"], fn ($spdx) => in_array($spdx, $allowedSpdx) ? -1 : 1);
+            }
+            file_put_contents($filename, json_encode($json, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES));
+          '
+          # Translate " " to "_" (and back again later) for any SPDX that has a space in it, such as "Public Domain"
+          # Otherwise the bash for loop will split on the space
+          SPDX_ALLOWED_LIST=$(echo $SPDX_ALLOWED_DELIMITED | tr " " "_" | tr ";" "\n")
+          SPDX_USED_LIST=$($COMPOSER_GLOBAL_HOME/vendor/bin/license-checker --no-dev used)
+          for SPDX_USED in $SPDX_USED_LIST; do
+            IS_ALLOWED=0
+            for SPDX_ALLOWED in $SPDX_ALLOWED_LIST; do
+              SPDX_ALLOWED=$(echo $SPDX_ALLOWED | tr "_" " ")
+              if [[ $SPDX_USED == $SPDX_ALLOWED ]]; then
+                IS_ALLOWED=1
+                break
+              fi
+            done
+            if [[ $IS_ALLOWED == 0 ]]; then
+              echo "License $SPDX_USED found in composer dependencies is not allowed. Check vendor/composer/installed.json"
+              exit 1
+            fi
+          done
+          echo "All licenses are allowed"