FOSSA license scanning GitHub Action added

[idvoretskyi]

Fixes #808

Signed-off-by: Ihor Dvoretskyi ihor@linux.com

[idvoretskyi]

FYI - to have this action work properly, we'll have to add the FOSSA API key as a GitHub secrets variable (secrets.FOSSA_API_KEY).

[zroubalik]

@idvoretskyi how can I get FOSSA API key? I can add it to Github secrets.

[zroubalik]

@ahmelsayed I hitting an issue when trying to build the tools image today (including the changes from this PR, but they are not relevant), I haven't seen such problem before. By chance do you have an idea what could go wrong? Is there any problem with the microsoft repo?

...
Creating config file /etc/apt/apt.conf.d/50unattended-upgrades with new version
Setting up python3-software-properties (0.96.24.32.12) ...
Setting up software-properties-common (0.96.24.32.12) ...
Processing triggers for libc-bin (2.27-3ubuntu1) ...
Processing triggers for dbus (1.12.2-1ubuntu1.1) ...
deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ bionic main
Warning: apt-key output should not be parsed (stdout is not a terminal)
Executing: /tmp/apt-key-gpghome.IKSNBCVfqT/gpg.1.sh --keyserver packages.microsoft.com --recv-keys BC528686B50D79E339D3721CEB3E94ADBE1229CF
gpg: keyserver receive failed: Connection timed out
The command '/bin/sh -c apt-get install apt-transport-https lsb-release software-properties-common dirmngr -y &&     AZ_REPO=$(lsb_release -cs) &&     echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $AZ_REPO main" |         tee /etc/apt/sources.list.d/azure-cli.list &&     apt-key --keyring /etc/apt/trusted.gpg.d/Microsoft.gpg adv         --keyserver packages.microsoft.com         --recv-keys BC528686B50D79E339D3721CEB3E94ADBE1229CF &&     apt-get update &&     apt-get install -y azure-cli' returned a non-zero code: 2

[idvoretskyi]

@zroubalik I've tried to build the local image using this Dockerfile, had the same issue, so can confirm.

[ahmelsayed]

Yes, I'm seeing the same issue as well. Looks like a general issue with that keyserver.

$ gpg  --keyserver packages.microsoft.com --recv-keys BC528686B50D79E339D3721CEB3E94ADBE1229CF
gpg: keyserver receive failed: Connection timed out

changing it to the ubuntu keyserver worked.

$ gpg  --keyserver keyserver.ubuntu.com --recv-keys BC528686B50D79E339D3721CEB3E94ADBE1229CF
gpg: key 0xEB3E94ADBE1229CF: "Microsoft (Release signing) <gpgsecurity@microsoft.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

#861

[zroubalik]

Yes, I'm seeing the same issue as well. Looks like a general issue with that keyserver.

$ gpg  --keyserver packages.microsoft.com --recv-keys BC528686B50D79E339D3721CEB3E94ADBE1229CF
gpg: keyserver receive failed: Connection timed out

changing it to the ubuntu keyserver worked.

$ gpg  --keyserver keyserver.ubuntu.com --recv-keys BC528686B50D79E339D3721CEB3E94ADBE1229CF
gpg: key 0xEB3E94ADBE1229CF: "Microsoft (Release signing) <gpgsecurity@microsoft.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

#861

@ahmelsayed thanks, helped.

@idvoretskyi the image is updated.

[idvoretskyi]

@zroubalik here we go ^

[idvoretskyi]

@zroubalik it seems that build fails because of the non-available FOSSA API key.

[ahmelsayed]

I think secrets are not passed to actions run from a fork.

[idvoretskyi]

@ahmelsayed they are not passed from the fork, but we have secrets added to the current repo itself.

[ahmelsayed]

I was referring to this note from github

I'm thinking this is what's causing the setting to be empty in the workflow. I see @zroubalik added it 7 hours ago (though I can't see the value)

I think if you remove the debug echo we should be able to merge it and see if it passes on master.

[zroubalik]

@ahmelsayed good catch, it seems like this could be the problem.

[zroubalik]

the echo is still here

[idvoretskyi]

@zroubalik done.

[zroubalik]

Let's give it a try!