ci: fix license checks (#247)

fixes #242 --------- Signed-off-by: Jan Kowalleck <[email protected]>
CycloneDX · Jan 14, 2025 · 0abb17f · 0abb17f
1 parent 622ff8d
commit 0abb17f
Show file tree

Hide file tree

Showing 5 changed files with 83 additions and 16 deletions.
diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
@@ -137,11 +137,11 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - name: install flict
-        run: pip install flict==1.2.14
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@v4
+      - name: install tools
+        run: pip install -r tools/test-3rd-party-licenses.requirements.txt
       - name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }}
         # see https://github.com/actions/setup-node
         uses: actions/setup-node@v4
@@ -150,30 +150,30 @@ jobs:
           # cache: 'yarn'
       - name: Setup yarn
         run: corepack enable yarn
-      - name: Setup subject
-        run: yarn install --immutable
       - name: fetch build artifact
         # see https://github.com/actions/download-artifact
         uses: actions/download-artifact@v4
         with:
           name: ${{ env.BUNDLES_DIR }}
           path: ${{ env.BUNDLES_DIR }}
+      - name: Setup subject
+        run: yarn install --immutable
       - name: make NOTICE and summary
         run: |
           mkdir -p _tmp
-          yarn node tools/write-3rd-party-licenses.cjs _tmp/NOTICE _tmp/lsummary
+          yarn node tools/write-3rd-party-licenses.cjs _tmp/NOTICE _tmp/lsummary.json
       - name: artifact build result
         # see https://github.com/actions/upload-artifact
         uses: actions/upload-artifact@v4
         with:
           name: licenses-files
           path: |
             _tmp/NOTICE
-            _tmp/lsummary
+            _tmp/lsummary.json
           retention-days: 5
           if-no-files-found: error
       - name: test license compatibility
-        run: flict display-compatibility $(cat _tmp/lsummary)
+        run: tools/test-3rd-party-licenses.sh _tmp/lsummary.json
 
   test-node:
     needs: [ 'build' ]

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -129,16 +129,43 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - name: install flict
-        run: pip install flict==1.2.14
+      - name: Checkout
+        # see https://github.com/actions/checkout
+        uses: actions/checkout@v4
+      - name: install tools
+        run: pip install -r tools/test-3rd-party-licenses.requirements.txt
+      - name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }}
+        # see https://github.com/actions/setup-node
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_ACTIVE_LTS }}
+          # cache: 'yarn'
+      - name: Setup yarn
+        run: corepack enable yarn
       - name: fetch build artifact
         # see https://github.com/actions/download-artifact
         uses: actions/download-artifact@v4
         with:
-          name: ${{ env.DIST_DIR }}
-          path: ${{ env.DIST_DIR }}
+          name: ${{ env.BUNDLES_DIR }}
+          path: ${{ env.BUNDLES_DIR }}
+      - name: Setup subject
+        run: yarn install --immutable
+      - name: make NOTICE and summary
+        run: |
+          mkdir -p _tmp
+          yarn node tools/write-3rd-party-licenses.cjs _tmp/NOTICE _tmp/lsummary.json
+      - name: artifact build result
+        # see https://github.com/actions/upload-artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: licenses-files
+          path: |
+            _tmp/NOTICE
+            _tmp/lsummary.json
+          retention-days: 5
+          if-no-files-found: error
       - name: test license compatibility
-        run: flict display-compatibility $(cat "$DIST_DIR"/*.lsummary)
+        run: tools/test-3rd-party-licenses.sh _tmp/lsummary.json
 
   test-node:
     needs:

diff --git a/tools/test-3rd-party-licenses.requirements.txt b/tools/test-3rd-party-licenses.requirements.txt
@@ -0,0 +1,2 @@
+# https://pypi.org/project/flict/
+flict==1.2.14
diff --git a/tools/test-3rd-party-licenses.sh b/tools/test-3rd-party-licenses.sh
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+set -ue
+EC=0
+
+# file format like: {"ol":"Apache-2.0","ils":["...","MIT","GPL-2.0-only"]}
+LICENSES_JSON="$1"
+
+OL="$(jq -r '.ol' "$LICENSES_JSON")"
+
+flict verify \
+-ol "$OL" \
+-il "$(jq -r '.ils | join(" AND ")' "$LICENSES_JSON")" \
+|| EC=$?;
+
+if [[ $EC -eq 0 ]]
+then
+  exit $EC
+fi
+
+echo "ERROR: non-zero exit code: $EC" >&2
+echo "ERROR: found license issues. lets see details..." >&2
+
+# the below is an alternative
+# it tells which license is incompatible,
+# but it is slower
+
+jq -r '.ils[]' "$LICENSES_JSON" | while read -r IL
+do
+  flict verify -ol "$OL" -il "$IL" >&2
+done
+
+exit $EC
diff --git a/tools/write-3rd-party-licenses.cjs b/tools/write-3rd-party-licenses.cjs
@@ -163,12 +163,18 @@ async function main (outputFile, includeLicense) {
 
 if (require.main === module) {
   const outputFile = process.argv[2] || `${metaFile}.NOTICE`
-  const lsummaryFile = process.argv[3] || `${outputFile}.lsummary`
+  const lsummaryFile = process.argv[3] || `${outputFile}.lsummary.json`
   const includeLicense = false
-  main(outputFile, includeLicense).then(licenses => {
+  const assert = require('assert')
+  main(outputFile, includeLicense).then(ils => {
+    const ol = JSON.parse(readFileSync(join(projectRoot, 'package.json'))).license
+    assert(typeof ol === 'string' && ol.length > 0)
+    assert(ils.size > 0)
     const lsummaryFH = openSync(lsummaryFile, 'w')
-    writeSync(lsummaryFH, JSON.parse(readFileSync(join(projectRoot, 'package.json'))).license + '\n')
-    writeSync(lsummaryFH, Array.from(licenses).sort().join('\n'))
+    writeSync(lsummaryFH, JSON.stringify({
+      ol,
+      ils: Array.from(ils).sort()
+    }))
     closeSync(lsummaryFH)
   })
 } else {
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# https://pypi.org/project/flict/
		flict==1.2.14