From 5976f25a3f0600fedbe6e2ed979616d66268aad9 Mon Sep 17 00:00:00 2001 From: Steve Boyd Date: Thu, 19 Dec 2024 13:50:13 +1300 Subject: [PATCH] NEW Check that all dependency licenses are permissive --- README.md | 8 ++++++++ action.yml | 8 ++++++++ allowed-spdx-delimited.txt | 1 + 3 files changed, 17 insertions(+) create mode 100644 allowed-spdx-delimited.txt diff --git a/README.md b/README.md index d0fbb7e..fff1320 100644 --- a/README.md +++ b/README.md @@ -4,3 +4,11 @@ Run Silverstripe CI matrix tests Only intended to be used within [gha-ci](https://github.com/silverstripe/gha-ci). The inputs all come from the matrix generated as a part of that workflow. GitHub job permissions required: `none` + +## JS license checking + +This action will check the licences of any installed NPM dependencies against a list of allowed SPDX identifiers of open source licences. These are contained in semi-colon delimited list in `allowed-spdx-delimited.txt`. If any insalaled non-dev dependencies are found that are not in the allowed list then the job will fail. See https://spdx.org/licenses/ for a list of SPDX identifiers. + +Note that the `Unlicense` is an SPDX identifier for an actual license and not a placeholder for a missing license. + +Composer dependences are checked seperately in `ci.yml` of `silverstripe/recipe-kitchen-sink`. diff --git a/action.yml b/action.yml index df37a2c..2c5270c 100644 --- a/action.yml +++ b/action.yml 
@@ -281,6 +281,14 @@ runs:
 echo "Running yarn lint"
 yarn run lint
 fi
+ # Validate licenses of all NPM dependencies are allowed
+ echo "Checking licenses of all dependencies"
+ # The following NPM package report as UNKNOWN or UNLICENSED, though have been manually checked they have permissive licenses:
+ EXCLUDE_PACKAGES='glob-to-regexp@0.3.0;jquery.are-you-sure@1.9.0;@silverstripe/react-injector@0.2.1;cwp-watea-theme@4.0.0;cwp-starter-theme@4.0.0'
+ npm install -g license-checker
+ SPDX_ALLOWED_DELIMITED=$(cat ${{ github.action_path }}/allowed-spdx-delimited.txt | tr -d '\n')
+ license-checker --production --unknown --out /dev/null --onlyAllow "$SPDX_ALLOWED_DELIMITED" --excludePackages "$EXCLUDE_PACKAGES"
+ # If we get to this point, everything was successful
 echo "Passed"
 - name: "Run PHP linting"
diff --git a/allowed-spdx-delimited.txt b/allowed-spdx-delimited.txt
new file mode 100644
index 0000000..7a1aedb
--- /dev/null
+++ b/allowed-spdx-delimited.txt
@@ -0,0 +1 @@
+MIT;MIT-0;ISC;0BSD;BSD-2-Clause;BSD-3-Clause;Apache-2.0;Python-2.0;CC0-1.0;CC-BY-3.0;CC-BY-4.0;Public Domain;Unlicense
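Review bot: `npm install -g license-checker` pulls the tool that enforces this gate unpinned from the registry on every run, so what the check accepts depends on whichever version is current at that moment; pin it, e.g. `npm install -g license-checker@<pinned-version>`. The allowlist is read with `cat … | tr -d '\n'` and handed straight to `--onlyAllow`; if the file were missing or empty the variable would be empty, and if license-checker treats an empty `--onlyAllow` as "no restriction" (worth confirming against its source) the step would pass every dependency instead of failing. A guard before the call makes the failure explicit: `[ -n "$SPDX_ALLOWED_DELIMITED" ] || { echo "Allowed SPDX list is empty"; exit 1; }`. The comment above `EXCLUDE_PACKAGES` could also record the license that was found for each manually vetted package, so a later reviewer can re-verify the exemption without redoing the research. The enclosing `run:` script starts and continues outside the hunk.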