diff --git a/.github/workflows/licenses.yml b/.github/workflows/licenses.yml new file mode 100644 index 0000000..2b89669 --- /dev/null +++ b/.github/workflows/licenses.yml @@ -0,0 +1,146 @@ +name: Licenses + +# This workflow will check the licences of any installed composer and NPM dependencies against a list of +# allowed SPDX identifiers of open source licences. These are contained env variable $SPDX_ALLOWED_DELIMITED +# If any installed non-dev dependencies are found that are not in the allowed list then the job will fail. +# See https://spdx.org/licenses/ for a list of SPDX identifiers. +# Note that the `Unlicense` is an SPDX identifier for an actual license and not a placeholder for a missing license. + +on: + # At 4 AM UTC, only on Saturday + workflow_dispatch: + schedule: + - cron: '0 4 * * 6' + +permissions: {} + +jobs: + checklicenses: + name: Check licenses + runs-on: ubuntu-latest + + permissions: + contents: read + + env: + SPDX_ALLOWED_DELIMITED: 'MIT;MIT-0;ISC;0BSD;BSD-2-Clause;BSD-3-Clause;Apache-2.0;Python-2.0;CC0-1.0;CC-BY-3.0;CC-BY-4.0;Public Domain;Unlicense' + + steps: + - name: Checkout code + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + + - name: Get PHP version + id: phpversion + run: | + # Get the PHP version to use from composer.json + PHP=$(jq -r '.require["php"]' composer.json) + # Remove the leading caret + PHP=${PHP//^/} + echo "::set-output name=version::$PHP" + + - name: Install PHP + uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # v2.31.1 + with: + php-version: ${{ steps.phpversion.outputs.version }} + extensions: curl, dom, gd, intl, json, ldap, mbstring, mysql, tidy, zip + tools: composer:v2 + + - name: Composer install + run: composer install + + - name: Composer licenses + run: | + # Validate licenses of all composer dependencies are allowed + echo "Checking licenses of all dependencies" + composer global require madewithlove/license-checker + COMPOSER_GLOBAL_HOME=$(composer -q -n config --global home) + # Update the licenses in installed.json file to be sorted so that allowed SPDX identifier + # are at the top of the list. This is done because the license-checker will only check the first SPDX. + SPDX_ALLOWED_DELIMITED=$SPDX_ALLOWED_DELIMITED php -r ' + $allowedSpdxDelimted = getenv("SPDX_ALLOWED_DELIMITED"); + $allowedSpdx = explode(";", $allowedSpdxDelimted); + $filename = "vendor/composer/installed.json"; + $contents = file_get_contents("vendor/composer/installed.json"); + $json = json_decode($contents, true); + foreach ($json["packages"] as &$package) { + if (!isset($package["license"])) { + throw new Exception("License field missing for package " . $package["name"]); + } + usort($package["license"], fn ($spdx) => in_array($spdx, $allowedSpdx) ? -1 : 1); + } + file_put_contents($filename, json_encode($json, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES)); + ' + # Translate " " to "_" (and back again later) for any SPDX that has a space in it, such as "Public Domain" + # Otherwise the bash for loop will split on the space + SPDX_ALLOWED_LIST=$(echo $SPDX_ALLOWED_DELIMITED | tr " " "_" | tr ";" "\n") + SPDX_USED_LIST=$($COMPOSER_GLOBAL_HOME/vendor/bin/license-checker --no-dev used) + for SPDX_USED in $SPDX_USED_LIST; do + IS_ALLOWED=0 + for SPDX_ALLOWED in $SPDX_ALLOWED_LIST; do + SPDX_ALLOWED=$(echo $SPDX_ALLOWED | tr "_" " ") + if [[ $SPDX_USED == $SPDX_ALLOWED ]]; then + IS_ALLOWED=1 + break + fi + done + if [[ $IS_ALLOWED == 0 ]]; then + echo "License $SPDX_USED found in composer dependencies is not allowed. Check vendor/composer/installed.json" + exit 1 + fi + done + # Remove license-checker as its name will collide with the npm license checker + composer global remove madewithlove/license-checker + echo "All licenses are allowed" + + - name: NPM licenses + run: | + # Set nvmdir explicitly before installation. Default dir doesn't work for some reason. + export NVM_DIR="${HOME}/.nvm" + # Installation fails if install dir is specified but doesn't exist + if ! [[ -d "$NVM_DIR" ]]; then + echo "NVM_DIR '$NVM_DIR' doesn't exist - creating it now" + mkdir $NVM_DIR + fi + # Get install nvm script from gha-run-tests + curl -s https://raw.githubusercontent.com/silverstripe/gha-run-tests/refs/heads/1/install-nvm.sh > install-nvm.sh + chmod +x install-nvm.sh + ./install-nvm.sh + if [[ $? != 0 ]]; then + echo "Error while installing nvm" + exit 1 + fi + # This loads nvm + [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh" + EXCLUDE_PACKAGES='@silverstripe/react-injector@0.2.1;cwp-watea-theme@4.0.0;cwp-starter-theme@4.0.0;glob-to-regexp@0.3.0;jquery.are-you-sure@1.9.0' + # Loop all package.json files that were previously installed by composer install + BASEDIR=$(pwd) + FILES=$(find . | grep package.json | grep -v node_modules | grep -v tinymce) + for FILE in $FILES; do + # remove trailing "/package.json" + SUBDIR="${FILE/\/package.json/}" + DIR="$BASEDIR/$SUBDIR" + echo "Checking $DIR" + cd $DIR + if [[ ! -f .nvmrc ]]; then + echo "Missing .nvmrc" + exit 1 + fi + nvm install + nvm use + if [[ -z $(which yarn) ]]; then + npm install -g yarn; + fi + yarn install --network-concurrency 1 + DEPS=$(jq -r '.dependencies' package.json) + if [[ $DEPS == "null" ]] || [[ $DEPS == "{}" ]]; then + echo "No non-dev dependencies found in $DIR" + continue + fi + if [[ -z $(which license-checker) ]]; then + echo "Installing license-checker" + npm install -g license-checker + fi + license-checker --production --unknown --out /dev/null --onlyAllow "$SPDX_ALLOWED_DELIMITED" --excludePackages "$EXCLUDE_PACKAGES" + echo "All licenses are allowed for $DIR" + done + echo "Passed"