Replace dependency review action with go-licence-detector

since it didn't work with golang...

.github/workflows/checks.yaml

@@ -26,13 +26,8 @@ jobs:
         with:
           check-latest: true
           go-version: "1.21"
-      - name: Dependency Review
-        uses: actions/dependency-review-action@v3
-        with:
-          base-ref: ${{ github.event.pull_request.base.sha || 'main' }}
-          deny-licenses: AGPL-1.0, AGPL-3.0, GPL-1.0, GPL-2.0, GPL-3.0, LGPL-2.0, LGPL-2.1, LGPL-3.0, BUSL-1.1
-          fail-on-severity: moderate
-          head-ref: ${{ github.event.pull_request.head.sha || github.ref }}
+      - name: Dependency Licenses Review
+        run: make check-dependency-licenses
       - name: Run govulncheck
         uses: golang/govulncheck-action@v1
       - name: Check for spelling errors

.license-scan-overrides.jsonl

@@ -0,0 +1,2 @@
+{"name": "github.com/jpillora/longestcommon", "licenceType": "MIT"}
+{"name": "github.com/spdx/tools-golang", "licenceTextOverrideFile": "vendor/github.com/spdx/tools-golang/LICENSE.code"}

.license-scan-rules.json

@@ -0,0 +1,11 @@
+{
+  "allowlist": [
+    "Apache-2.0",
+    "BSD-2-Clause",
+    "BSD-3-Clause",
+    "ISC",
+    "MIT",
+    "MPL-2.0",
+    "Unlicense"
+  ]
+}

Makefile

@@ -88,6 +88,11 @@ check-license-headers: FORCE prepare-addlicense
 	@printf "\e[1;36m>> addlicense\e[0m\n"
 	@bash -c 'shopt -s globstar; addlicense --check -ignore "vendor/**" -- **/*.go'
 
+check-dependency-licenses: FORCE
+	@printf "\e[1;36m>> go-licence-detector\e[0m\n"
+	@if ! hash go-licence-detector 2>/dev/null; then printf "\e[1;36m>> Installing go-licence-detector...\e[0m\n"; go install go.elastic.co/go-licence-detector@latest; fi
+	@go list -m -mod=mod -json all | go-licence-detector -includeIndirect -rules .license-scan-rules.json -overrides .license-scan-overrides.jsonl
+
 clean: FORCE
 	git clean -dxf build
 
@@ -105,27 +110,28 @@ help: FORCE
 	@printf "  make \e[36m<target>\e[0m\n"
 	@printf "\n"
 	@printf "\e[1mGeneral\e[0m\n"
-	@printf "  \e[36mvars\e[0m                     Display values of relevant Makefile variables.\n"
-	@printf "  \e[36mhelp\e[0m                     Display this help.\n"
+	@printf "  \e[36mvars\e[0m                       Display values of relevant Makefile variables.\n"
+	@printf "  \e[36mhelp\e[0m                       Display this help.\n"
 	@printf "\n"
 	@printf "\e[1mBuild\e[0m\n"
-	@printf "  \e[36mbuild-all\e[0m                Build all binaries.\n"
-	@printf "  \e[36mbuild/go-makefile-maker\e[0m  Build go-makefile-maker.\n"
-	@printf "  \e[36minstall\e[0m                  Install all binaries. This option understands the conventional 'DESTDIR' and 'PREFIX' environment variables for choosing install locations.\n"
+	@printf "  \e[36mbuild-all\e[0m                  Build all binaries.\n"
+	@printf "  \e[36mbuild/go-makefile-maker\e[0m    Build go-makefile-maker.\n"
+	@printf "  \e[36minstall\e[0m                    Install all binaries. This option understands the conventional 'DESTDIR' and 'PREFIX' environment variables for choosing install locations.\n"
 	@printf "\n"
 	@printf "\e[1mTest\e[0m\n"
-	@printf "  \e[36mcheck\e[0m                    Run the test suite (unit tests and golangci-lint).\n"
-	@printf "  \e[36mrun-golangci-lint\e[0m        Install and run golangci-lint. Installing is used in CI, but you should probably install golangci-lint using your package manager.\n"
-	@printf "  \e[36mbuild/cover.out\e[0m          Run tests and generate coverage report.\n"
-	@printf "  \e[36mbuild/cover.html\e[0m         Generate an HTML file with source code annotations from the coverage report.\n"
-	@printf "  \e[36mstatic-check\e[0m             Run static code checks\n"
+	@printf "  \e[36mcheck\e[0m                      Run the test suite (unit tests and golangci-lint).\n"
+	@printf "  \e[36mrun-golangci-lint\e[0m          Install and run golangci-lint. Installing is used in CI, but you should probably install golangci-lint using your package manager.\n"
+	@printf "  \e[36mbuild/cover.out\e[0m            Run tests and generate coverage report.\n"
+	@printf "  \e[36mbuild/cover.html\e[0m           Generate an HTML file with source code annotations from the coverage report.\n"
+	@printf "  \e[36mstatic-check\e[0m               Run static code checks\n"
 	@printf "\n"
 	@printf "\e[1mDevelopment\e[0m\n"
-	@printf "  \e[36mvendor\e[0m                   Run go mod tidy, go mod verify, and go mod vendor.\n"
-	@printf "  \e[36mvendor-compat\e[0m            Same as 'make vendor' but go mod tidy will use '-compat' flag with the Go version from go.mod file as value.\n"
-	@printf "  \e[36mprepare-addlicense\e[0m       Install addlicense\n"
-	@printf "  \e[36mlicense-headers\e[0m          Add license headers to all .go files excluding the vendor directory.\n"
-	@printf "  \e[36mcheck-license-headers\e[0m    Check license headers in all .go files excluding the vendor directory.\n"
-	@printf "  \e[36mclean\e[0m                    Run git clean.\n"
+	@printf "  \e[36mvendor\e[0m                     Run go mod tidy, go mod verify, and go mod vendor.\n"
+	@printf "  \e[36mvendor-compat\e[0m              Same as 'make vendor' but go mod tidy will use '-compat' flag with the Go version from go.mod file as value.\n"
+	@printf "  \e[36mprepare-addlicense\e[0m         Install addlicense\n"
+	@printf "  \e[36mlicense-headers\e[0m            Add license headers to all .go files excluding the vendor directory.\n"
+	@printf "  \e[36mcheck-license-headers\e[0m      Check license headers in all .go files excluding the vendor directory.\n"
+	@printf "  \e[36mcheck-dependency-licenses\e[0m  Check all dependency licenses using go-licence-detector.\n"
+	@printf "  \e[36mclean\e[0m                      Run git clean.\n"
 
 .PHONY: FORCE

internal/core/constants.go

@@ -28,10 +28,9 @@ const (
 var DefaultGitHubEnterpriseRunnerType = [...]string{"self-hosted", "Linux", "X64"}
 
 const (
-	CacheAction            = "actions/cache@v3"
-	CheckoutAction         = "actions/checkout@v4"
-	SetupGoAction          = "actions/setup-go@v5"
-	DependencyReviewAction = "actions/dependency-review-action@v3"
+	CacheAction    = "actions/cache@v3"
+	CheckoutAction = "actions/checkout@v4"
+	SetupGoAction  = "actions/setup-go@v5"
 
 	DockerLoginAction     = "docker/login-action@v3"
 	DockerMetadataAction  = "docker/metadata-action@v5"

internal/ghworkflow/workflow_checks.go

@@ -27,14 +27,8 @@ func checksWorkflow(cfg *core.GithubWorkflowConfiguration, ignoreWords []string)
 
 	if cfg.SecurityChecks.Enabled && !cfg.IsSelfHostedRunner {
 		j.addStep(jobStep{
-			Name: "Dependency Review",
-			Uses: core.DependencyReviewAction,
-			With: map[string]any{
-				"base-ref":         fmt.Sprintf("${{ github.event.pull_request.base.sha || '%s' }}", cfg.Global.DefaultBranch),
-				"head-ref":         "${{ github.event.pull_request.head.sha || github.ref }}",
-				"fail-on-severity": "moderate",
-				"deny-licenses":    "AGPL-1.0, AGPL-3.0, GPL-1.0, GPL-2.0, GPL-3.0, LGPL-2.0, LGPL-2.1, LGPL-3.0, BUSL-1.1",
-			},
+			Name: "Dependency Licenses Review",
+			Run:  "make check-dependency-licenses",
 		})
 
 		j.addStep(jobStep{

internal/makefile/license-scan-overrides.jsonl

@@ -0,0 +1,2 @@
+{"name": "github.com/jpillora/longestcommon", "licenceType": "MIT"}
+{"name": "github.com/spdx/tools-golang", "licenceTextOverrideFile": "vendor/github.com/spdx/tools-golang/LICENSE.code"}

internal/makefile/license-scan-rules.json

@@ -0,0 +1,11 @@
+{
+  "allowlist": [
+    "Apache-2.0",
+    "BSD-2-Clause",
+    "BSD-3-Clause",
+    "ISC",
+    "MIT",
+    "MPL-2.0",
+    "Unlicense"
+  ]
+}

internal/makefile/makefile.go

@@ -19,14 +19,24 @@
 package makefile
 
 import (
+	_ "embed"
 	"fmt"
+	"os"
 	"path"
 	"path/filepath"
 	"strings"
 
+	"github.com/sapcc/go-bits/must"
+
 	"github.com/sapcc/go-makefile-maker/internal/core"
 )
 
+//go:embed license-scan-rules.json
+var licenseRules []byte
+
+//go:embed license-scan-overrides.jsonl
+var scanOverrides []byte
+
 // newMakefile defines the structure of the Makefile. Order is important as categories,
 // rules, and definitions will appear in the exact order as they are defined.
 func newMakefile(cfg *core.Configuration, sr core.ScanResult) *makefile {
@@ -257,12 +267,30 @@ endif
 			target:        "check-license-headers",
 			phony:         true,
 			prerequisites: []string{"prepare-addlicense"},
-			recipe: []string{fmt.Sprintf(
+			recipe: []string{
 				`@printf "\e[1;36m>> addlicense\e[0m\n"`,
-				`@bash -c 'shopt -s globstar; addlicense --check %s -- %s'`,
-				strings.Join(ignorePatterns, " "),
-				strings.Join(patterns, " "),
-			)},
+				fmt.Sprintf(`@bash -c 'shopt -s globstar; addlicense --check %s -- %s'`,
+					strings.Join(ignorePatterns, " "),
+					strings.Join(patterns, " "),
+				)},
+		})
+
+		licenseRulesFile := ".license-scan-rules.json"
+		must.Succeed(os.WriteFile(licenseRulesFile, licenseRules, 0666))
+
+		scanOverridesFile := ".license-scan-overrides.jsonl"
+		must.Succeed(os.WriteFile(scanOverridesFile, scanOverrides, 0666))
+
+		dev.addRule(rule{
+			description: "Check all dependency licenses using go-licence-detector.",
+			target:      "check-dependency-licenses",
+			phony:       true,
+			recipe: []string{
+				`@printf "\e[1;36m>> go-licence-detector\e[0m\n"`,
+				`@if ! hash go-licence-detector 2>/dev/null; then printf "\e[1;36m>> Installing go-licence-detector...\e[0m\n"; go install go.elastic.co/go-licence-detector@latest; fi`,
+				fmt.Sprintf(`@go list -m -mod=mod -json all | go-licence-detector -includeIndirect -rules %s -overrides %s`,
+					licenseRulesFile, scanOverridesFile),
+			},
 		})
 	}