NEW Check that all dependency licenses are permissive

README.md

@@ -4,3 +4,7 @@ Run Silverstripe CI matrix tests
 Only intended to be used within [gha-ci](https://github.com/silverstripe/gha-ci). The inputs all come from the matrix generated as a part of that workflow.
 
 GitHub job permissions required: `none`
+
+## Licence checking
+
+This action will check the licences of installed NPM and composer dependencies against a list of allowed SPDX identifiers of open source licences. These are contained in semi-colon delimited list in `allowed-spdx-delimited.txt`. If any insatlled non-dev dependencies are found that are not in the allowed list then the job will fail. See https://spdx.org/licenses/ for a list of SPDX identifiers.

action.yml

@@ -281,6 +281,12 @@ runs:
           echo "Running yarn lint"
           yarn run lint
         fi
+        # Validate licenses of all NPM dependencies are allowed
+        echo "Checking licenses of all dependencies"
+        npm install -g license-checker
+        SPDX_ALLOWED_DELIMITED=cat ${{ github.action_path }}/allowed-spdx-delimited.txt | tr -d '\n'
+        license-checker --production --unknown --out /dev/null --onlyAllow "$SPDX_ALLOWED_DELIMITED"
+        # If we get to this point, everything was successful
         echo "Passed"
 
     - name: "Run PHP linting"
@@ -302,6 +308,50 @@ runs:
           echo "Running PHPStan"
           vendor/bin/phpstan analyse
         fi
+        # Validate licenses of all composer dependencies are allowed
+        echo "Checking licenses of all dependencies"
+        composer global require madewithlove/license-checker
+        COMPOSER_GLOBAL_HOME=$(composer -q -n config --global home)
+        SPDX_ALLOWED_DELIMITED=cat ${{ github.action_path }}/allowed-spdx-delimited.txt | tr -d '\n'
+        # Update the licenses in the installed.json file to be sorted so that allowed SPDX identifier
+        # are at the top of the list. This is done because the license-checker will only check the first SPDX.
+        SPDX_ALLOWED_DELIMITED=$SPDX_ALLOWED_DELIMITED php -r '
+          $allowedSpdxDelimted = getenv("SPDX_ALLOWED_DELIMITED");
+          $allowedSpdx = explode(";", $allowedSpdxDelimted);
+          $filename = "vendor/composer/installed.json";
+          $contents = file_get_contents("vendor/composer/installed.json");
+          $json = json_decode($contents, true);
+          foreach ($json["packages"] as &$package) {
+            # A handful of silverstripe packages do not have a license field, though we don't need to check them
+            if (str_starts_with($package["name"], "silverstripe/")) {
+              continue;
+            }
+            if (!isset($package["license"])) {
+              throw new Exception("License field missing for package " . $package["name"]);
+            }
+            usort($package["license"], fn ($spdx) => in_array($spdx, $allowedSpdx) ? -1 : 1);
+          }
+          file_put_contents($filename, json_encode($json, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES));
+        '
+        # Translate " " to "__" (and back again later) for any SPDX that has a space in it, such as "Public Domain"
+        # Otherwise the bash for loop will split on the space
+        SPDX_ALLOWED_LIST=$(echo $SPDX_ALLOWED_DELIMITED | tr " " "__" | tr ";" "\n")
+        SPDX_USED_LIST=$($COMPOSER_GLOBAL_HOME/vendor/bin/license-checker --no-dev used)
+        for SPDX_USED in $SPDX_USED_LIST; do
+          IS_ALLOWED=0
+          for SPDX_ALLOWED in $SPDX_ALLOWED_LIST; do
+            SPDX_ALLOWED=$(echo $SPDX_ALLOWED | tr "__" " ")
+            if [[ $SPDX_USED == $SPDX_ALLOWED ]]; then
+              IS_ALLOWED=1
+              break
+            fi
+          done
+          if [[ $IS_ALLOWED == 0 ]]; then
+            echo "License $SPDX_USED found in composer dependencies is not allowed. Check vendor/composer/installed.json"
+            exit 1
+          fi
+        done
+        # If we get to this point, everything was successful
         echo "Passed"
 
     - name: "Run PHP coverage"

allowed-spdx-delimited.txt

@@ -0,0 +1 @@
+MIT;MIT-0;ISC;0BSD;BSD-2-Clause;BSD-3-Clause;Apache-2.0;Python-2.0;CC0-1.0;CC-BY-3.0;CC-BY-4.0;Public Domain;Unlicense