
[CI] Automate license check reviews #11766

Merged
merged 3 commits into master from automate-license-check-reviews
Oct 13, 2022

Conversation

marcdumais-work
Contributor

What it does

Introduce automated license check reviews

In this PR we introduce the option to use our license check tool,
"dash-licenses", in "Automatic IP Team Review Requests" mode [1].
In this mode, any dependency that's found to have an unclear or
suspicious license will be automatically submitted to the Eclipse
Foundation for review. Each such dependency will have a ticket opened
on the Foundation's Gitlab and be automatically reviewed. If the
automated review is not conclusive, a manual assessment will be
performed by the Foundation's IP team.

In our experience, most dependencies are approved automatically
within minutes.

To perform a license check with automated reviews, use the new script:

$> yarn license:check:review

To perform the license check without the automated review, do as before:

$> yarn license:check

Note: for review mode to work, a Personal Access Token from the Foundation's
Gitlab is required, created from an Eclipse committer's Gitlab profile. I went ahead and
set one as a GitHub secret, for this repo.
Set it in an environment variable named "DASH_LICENSES_PAT". E.g. in bash:

$> export DASH_LICENSES_PAT=<token>

[1] https://github.com/eclipse/dash-licenses#automatic-ip-team-review-requests

P.S. we obtained permission to do this a while ago.

How to test

  • Locally, with and without a PAT set, confirm that yarn license:check still works like before
  • Locally, with and without a PAT set, confirm that the new yarn license:check:review works as expected:
    • without PAT: the tool exits immediately with an error message about the missing token
    • with PAT: the tool proceeds to run and creates or points to existing Gitlab issues about the problematic dependencies.

"btoa": "1.2.1" can be used currently as a suspicious dependency for testing purposes - add it to root package.json and run yarn


@marcdumais-work added the labels "ci" (issues related to CI / tests) and "eclipse" (issues related to eclipse / eclipse foundation) on Oct 13, 2022
@marcdumais-work
Contributor Author

OOPS - I will see what I can do about yargs - It worked locally because I had the repo built I guess.

In this PR we introduce the option to use our license check tool,
"dash-licenses", in "Automatic IP Team Review Requests" mode [1].
In this mode, any dependency that's found to have an unclear or
suspicious license will be automatically submitted to the Eclipse
Foundation for review. Each such dependency will have a ticket opened
on the Foundation's Gitlab and be automatically reviewed. If the
automated review is not conclusive, a manual assessment will be
performed by the Foundation's IP team.

In our experience, most dependencies are approved automatically
within minutes.

To perform a license check with automated reviews, use the new script:
$> yarn license:check:review

To perform the license check without the automated review, do as before:
$> yarn license:check

Note: for review mode to work, a Personal Access Token from the Foundation's
Gitlab is required, created from a project committer's Gitlab profile.
Set it in an environment variable named "DASH_LICENSES_PAT". E.g. in bash:
$> export DASH_LICENSES_PAT=<token>

[1] https://github.com/eclipse/dash-licenses#automatic-ip-team-review-requests

Signed-off-by: Marc Dumais <[email protected]>

In our license check workflow, make use of the new yarn script
"license:check:review".

I have set the required Gitlab Personal Access Token as a repo
secret using the GitHub API (we do not have UI access to this
setting).

Signed-off-by: Marc Dumais <[email protected]>
Member

@paul-marechal paul-marechal left a comment


Logic LGTM, I only pushed styling and cleanup changes.

Avoid using `shell: true` as I had bad experiences with it on Windows.

Instead sanitize arguments to hide secrets when prompting.
@paul-marechal paul-marechal force-pushed the automate-license-check-reviews branch from 91fa23c to 6fb777e Compare October 13, 2022 19:19
@marcdumais-work marcdumais-work force-pushed the automate-license-check-reviews branch from e34e0c7 to 6fb777e Compare October 13, 2022 19:29
@marcdumais-work marcdumais-work merged commit e96bb5b into master Oct 13, 2022
@marcdumais-work marcdumais-work deleted the automate-license-check-reviews branch October 13, 2022 19:34
@github-actions github-actions bot added this to the 1.31.0 milestone Oct 13, 2022