Skip to content

Commit

Permalink
Merge pull request #420 from per1234/check-dependencies
Browse files Browse the repository at this point in the history
Add infrastructure to check for unapproved npm dependency licenses
  • Loading branch information
per1234 authored Oct 8, 2024
2 parents 1b78422 + 025e2b9 commit 4de5fc8
Show file tree
Hide file tree
Showing 16 changed files with 569 additions and 0 deletions.
14 changes: 14 additions & 0 deletions .github/CONTRIBUTING.md
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,20 @@ Thanks!

## Common Development Operations

### Dependency License Metadata

Metadata about the license types of all dependencies is cached in the repository. To update this cache, run the following command from the repository root folder:

```text
task general:cache-dep-licenses
```

The necessary **Licensed** tool can be installed by following [these instructions](https://github.com/github/licensed#as-an-executable).

Unfortunately, **Licensed** does not have Windows support.

An updated cache is also generated whenever the cache is found to be outdated by the "**Check Go Dependencies**" CI workflow and made available for download via the `dep-licenses-cache` [workflow artifact](https://docs.github.com/actions/managing-workflow-runs/downloading-workflow-artifacts).

### Running Checks

Checks and tests are set up to ensure the project content is functional and compliant with the established standards.
Expand Down
156 changes: 156 additions & 0 deletions .github/workflows/check-npm-dependencies-task.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,156 @@
# Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/check-npm-dependencies-task.md
name: Check npm Dependencies

# See: https://docs.github.com/actions/using-workflows/events-that-trigger-workflows
on:
create:
push:
paths:
- ".github/workflows/check-npm-dependencies-task.ya?ml"
- ".licenses/**"
- ".licensed.json"
- ".licensed.ya?ml"
- "Taskfile.ya?ml"
- "**/.gitmodules"
- "**/.npmrc"
- "**/package.json"
- "**/package-lock.json"
pull_request:
paths:
- ".github/workflows/check-npm-dependencies-task.ya?ml"
- ".licenses/**"
- ".licensed.json"
- ".licensed.ya?ml"
- "Taskfile.ya?ml"
- "**/.gitmodules"
- "**/.npmrc"
- "**/package.json"
- "**/package-lock.json"
schedule:
# Run periodically to catch breakage caused by external changes.
- cron: "0 8 * * WED"
workflow_dispatch:
repository_dispatch:

jobs:
run-determination:
runs-on: ubuntu-latest
permissions: {}
outputs:
result: ${{ steps.determination.outputs.result }}
steps:
- name: Determine if the rest of the workflow should run
id: determination
run: |
RELEASE_BRANCH_REGEX="refs/heads/[0-9]+.[0-9]+.x"
# The `create` event trigger doesn't support `branches` filters, so it's necessary to use Bash instead.
if [[
"${{ github.event_name }}" != "create" ||
"${{ github.ref }}" =~ $RELEASE_BRANCH_REGEX
]]; then
# Run the other jobs.
RESULT="true"
else
# There is no need to run the other jobs.
RESULT="false"
fi
echo "result=$RESULT" >> $GITHUB_OUTPUT
check-cache:
needs: run-determination
if: needs.run-determination.outputs.result == 'true'
runs-on: ubuntu-latest
permissions:
contents: read

steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
submodules: recursive

# This is required to allow jonabc/setup-licensed to install licensed via Ruby gem.
- name: Install Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: ruby # Install latest version

- name: Install licensed
uses: jonabc/setup-licensed@v1
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
version: 3.x

- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version-file: package.json

- name: Install Task
uses: arduino/setup-task@v2
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
version: 3.x

- name: Update dependencies license metadata cache
run: task --silent general:cache-dep-licenses

- name: Check for outdated cache
id: diff
run: |
git add .
if ! git diff --cached --color --exit-code; then
echo
echo "::error::Dependency license metadata out of sync. See: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/check-go-dependencies-task.md#metadata-cache"
exit 1
fi
# Some might find it convenient to have CI generate the cache rather than setting up for it locally
- name: Upload cache to workflow artifact
if: failure() && steps.diff.outcome == 'failure'
uses: actions/upload-artifact@v3
with:
if-no-files-found: error
include-hidden-files: true
name: dep-licenses-cache
path: .licenses/

check-deps:
needs: run-determination
if: needs.run-determination.outputs.result == 'true'
runs-on: ubuntu-latest
permissions:
contents: read

steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
submodules: recursive

# This is required to allow jonabc/setup-licensed to install licensed via Ruby gem.
- name: Install Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: ruby # Install latest version

- name: Install licensed
uses: jonabc/setup-licensed@v1
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
version: 3.x

- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version-file: package.json

- name: Install Task
uses: arduino/setup-task@v2
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
version: 3.x

- name: Check for dependencies with unapproved licenses
run: task --silent general:check-dep-licenses
63 changes: 63 additions & 0 deletions .licensed.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
# See: https://github.com/github/licensed/blob/master/docs/configuration.md

# Source: https://github.com/arduino/tooling-project-assets/blob/main/workflow-templates/assets/check-dependencies/Apache-2.0/.licensed.yml
allowed:
# The following are based on https://www.apache.org/legal/resolved.html#category-a
- apache-2.0
- apache-1.1
- php-3.01
# "MX4J License" - no SPDX ID
- bsd-2-clause
- bsd-2-clause-netbsd # Deprecated ID for `bsd-2-clause`
- bsd-2-clause-views
- bsd-2-clause-freebsd # Deprecated ID for `bsd-2-clause-views`
- bsd-3-clause
- bsd-3-clause-clear
# "DOM4J License" - no SPDX ID
- postgresql
# "Eclipse Distribution License 1.0" - no SPDX ID
- mit
- x11
- isc
- smlnj
- standardml-nj # Deprecated ID for `smlnj`
# "Cup Parser Generator" - no SPDX ID
- icu
- ncsa
- w3c
# "W3C Community Contributor License Agreement" - no SPDX ID
- xnet
- zlib
# "FSF autoconf license" - no SPDX ID
- afl-3.0
# "Service+Component+Architecture+Specifications" - no SPDX ID
# "OOXML XSD ECMA License"
- ms-pl
- cc-pddc
- psf-2.0
# "Python Imaging Library Software License"
- apafml
- bsl-1.0
- ogl-uk-3.0
- wtfpl
- unicode-tou
- zpl-2.0
# "ACE license" - no SPDX ID
- upl-1.0
# "Open Grid Forum License" - no SPDX ID
# 'Google "Additional IP Rights Grant (Patents)" file' - no SPDX ID
- unlicense
- hpnd
- mulanpsl-2.0
- cc0-1.0
# The following are based on individual license text
- lgpl-2.0-or-later
- lgpl-2.0+ # Deprecated ID for `lgpl-2.0-or-later`
- lgpl-2.1-only
- lgpl-2.1 # Deprecated ID for `lgpl-2.1-only`
- lgpl-2.1-or-later
- lgpl-2.1+ # Deprecated ID for `lgpl-2.1-or-later`
- lgpl-3.0-only
- lgpl-3.0 # Deprecated ID for `lgpl-3.0-only`
- lgpl-3.0-or-later
- lgpl-3.0+ # Deprecated ID for `lgpl-3.0-or-later`
20 changes: 20 additions & 0 deletions .licenses/npm/@actions/core.dep.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
---
name: "@actions/core"
version: 1.11.1
type: npm
summary: Actions core lib
homepage: https://github.com/actions/toolkit/tree/main/packages/core
license: mit
licenses:
- sources: LICENSE.md
text: |-
The MIT License (MIT)
Copyright 2019 GitHub
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
notices: []
20 changes: 20 additions & 0 deletions .licenses/npm/@actions/exec.dep.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
---
name: "@actions/exec"
version: 1.1.1
type: npm
summary: Actions exec lib
homepage: https://github.com/actions/toolkit/tree/main/packages/exec
license: mit
licenses:
- sources: LICENSE.md
text: |-
The MIT License (MIT)
Copyright 2019 GitHub
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
notices: []
32 changes: 32 additions & 0 deletions .licenses/npm/@actions/http-client.dep.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
---
name: "@actions/http-client"
version: 2.2.3
type: npm
summary: Actions Http Client
homepage: https://github.com/actions/toolkit/tree/main/packages/http-client
license: mit
licenses:
- sources: LICENSE
text: |
Actions Http Client for Node.js
Copyright (c) GitHub, Inc.
All rights reserved.
MIT License
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and
associated documentation files (the "Software"), to deal in the Software without restriction,
including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED *AS IS*, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
notices: []
20 changes: 20 additions & 0 deletions .licenses/npm/@actions/io.dep.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
---
name: "@actions/io"
version: 1.1.3
type: npm
summary: Actions io lib
homepage: https://github.com/actions/toolkit/tree/main/packages/io
license: mit
licenses:
- sources: LICENSE.md
text: |-
The MIT License (MIT)
Copyright 2019 GitHub
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
notices: []
20 changes: 20 additions & 0 deletions .licenses/npm/@actions/tool-cache.dep.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
---
name: "@actions/tool-cache"
version: 2.0.1
type: npm
summary: Actions tool-cache lib
homepage: https://github.com/actions/toolkit/tree/main/packages/tool-cache
license: mit
licenses:
- sources: LICENSE.md
text: |-
The MIT License (MIT)
Copyright 2019 GitHub
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
notices: []
30 changes: 30 additions & 0 deletions .licenses/npm/@fastify/busboy.dep.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
---
name: "@fastify/busboy"
version: 2.0.0
type: npm
summary: A streaming parser for HTML form data for node.js
homepage:
license: mit
licenses:
- sources: LICENSE
text: |-
Copyright Brian White. All rights reserved.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to
deal in the Software without restriction, including without limitation the
rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
sell copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
IN THE SOFTWARE.
notices: []
Loading

0 comments on commit 4de5fc8

Please sign in to comment.