From 817b6343c8fc2ec1559da5c1e711d51a81d78708 Mon Sep 17 00:00:00 2001 From: Steve Boyd Date: Wed, 18 Dec 2024 11:03:10 +1300 Subject: [PATCH] NEW Check that all dependency licenses are permissive --- README.md | 4 +++ action.yml | 50 ++++++++++++++++++++++++++++++++++++++ allowed-spdx-delimited.txt | 1 + 3 files changed, 55 insertions(+) create mode 100644 allowed-spdx-delimited.txt diff --git a/README.md b/README.md index d0fbb7e..11c06c2 100644 --- a/README.md +++ b/README.md @@ -4,3 +4,7 @@ Run Silverstripe CI matrix tests Only intended to be used within [gha-ci](https://github.com/silverstripe/gha-ci). The inputs all come from the matrix generated as a part of that workflow. GitHub job permissions required: `none` + +## Licence checking + +This action will check the licences of installed NPM and composer dependencies against a list of allowed SPDX identifiers of open source licences. These are contained in semi-colon delimited list in `allowed-spdx-delimited.txt`. If any insatlled non-dev dependencies are found that are not in the allowed list then the job will fail. See https://spdx.org/licenses/ for a list of SPDX identifiers. diff --git a/action.yml b/action.yml index df37a2c..73456d8 100644 --- a/action.yml +++ b/action.yml @@ -281,6 +281,12 @@ runs: echo "Running yarn lint" yarn run lint fi + # Validate licenses of all NPM dependencies are allowed + echo "Checking licenses of all dependencies" + npm install -g license-checker + SPDX_ALLOWED_DELIMITED=cat ${{ github.action_path }}/allowed-spdx-delimited.txt | tr -d '\n' + license-checker --production --unknown --out /dev/null --onlyAllow "$SPDX_ALLOWED_DELIMITED" + # If we get to this point, everything was successful echo "Passed" - name: "Run PHP linting" @@ -302,6 +308,50 @@ runs: echo "Running PHPStan" vendor/bin/phpstan analyse fi + # Validate licenses of all composer dependencies are allowed + echo "Checking licenses of all dependencies" + composer global require madewithlove/license-checker + COMPOSER_GLOBAL_HOME=$(composer -q -n config --global home) + SPDX_ALLOWED_DELIMITED=cat ${{ github.action_path }}/allowed-spdx-delimited.txt | tr -d '\n' + # Update the licenses in the installed.json file to be sorted so that allowed SPDX identifier + # are at the top of the list. This is done because the license-checker will only check the first SPDX. + SPDX_ALLOWED_DELIMITED=$SPDX_ALLOWED_DELIMITED php -r ' + $allowedSpdxDelimted = getenv("SPDX_ALLOWED_DELIMITED"); + $allowedSpdx = explode(";", $allowedSpdxDelimted); + $filename = "vendor/composer/installed.json"; + $contents = file_get_contents("vendor/composer/installed.json"); + $json = json_decode($contents, true); + foreach ($json["packages"] as &$package) { + # A handful of silverstripe packages do not have a license field, though we don't need to check them + if (str_starts_with($package["name"], "silverstripe/")) { + continue; + } + if (!isset($package["license"])) { + throw new Exception("License field missing for package " . $package["name"]); + } + usort($package["license"], fn ($spdx) => in_array($spdx, $allowedSpdx) ? -1 : 1); + } + file_put_contents($filename, json_encode($json, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES)); + ' + # Translate " " to "__" (and back again later) for any SPDX that has a space in it, such as "Public Domain" + # Otherwise the bash for loop will split on the space + SPDX_ALLOWED_LIST=$(echo $SPDX_ALLOWED_DELIMITED | tr " " "__" | tr ";" "\n") + SPDX_USED_LIST=$($COMPOSER_GLOBAL_HOME/vendor/bin/license-checker --no-dev used) + for SPDX_USED in $SPDX_USED_LIST; do + IS_ALLOWED=0 + for SPDX_ALLOWED in $SPDX_ALLOWED_LIST; do + SPDX_ALLOWED=$(echo $SPDX_ALLOWED | tr "__" " ") + if [[ $SPDX_USED == $SPDX_ALLOWED ]]; then + IS_ALLOWED=1 + break + fi + done + if [[ $IS_ALLOWED == 0 ]]; then + echo "License $SPDX_USED found in composer dependencies is not allowed. Check vendor/composer/installed.json" + exit 1 + fi + done + # If we get to this point, everything was successful echo "Passed" - name: "Run PHP coverage" diff --git a/allowed-spdx-delimited.txt b/allowed-spdx-delimited.txt new file mode 100644 index 0000000..7a1aedb --- /dev/null +++ b/allowed-spdx-delimited.txt @@ -0,0 +1 @@ +MIT;MIT-0;ISC;0BSD;BSD-2-Clause;BSD-3-Clause;Apache-2.0;Python-2.0;CC0-1.0;CC-BY-3.0;CC-BY-4.0;Public Domain;Unlicense