-
Notifications
You must be signed in to change notification settings - Fork 33
198 lines (178 loc) · 8.98 KB
/
mavenLicenseCheck.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
# *************************************************************************
# * Copyright (c) 2022, 2023 Hannes Wellmann and others.
# *
# * This program and the accompanying materials are made available under
# * the terms of the Eclipse Public License 2.0 which accompanies this
# * distribution, and is available at https://www.eclipse.org/legal/epl-2.0
# *
# * SPDX-License-Identifier: EPL-2.0
# * Hannes Wellmann - initial API and implementation
# *************************************************************************
# This workflow will check for Maven projects if the licenses of all (transitive) dependencies are vetted.
name: License vetting status check
on:
workflow_call:
inputs:
projectId:
description: 'The "projectId" used when license vetting is requested'
type: string
required: false
default: ''
setupScript:
description: 'Optional bash script that is executed before the license check and is intended to prepare the checked out project if necessary'
type: string
required: false
default: ''
submodules:
description: |
Whether to checkout submodules: `true` to checkout submodules or `recursive` to recursively checkout submodules.
When the `ssh-key` input is not provided, SSH URLs beginning with `[email protected]:` are converted to HTTPS.
The value is just passed as it is to the github/actions/checkout action: https://github.com/actions/checkout#usage
type: string
required: false
default: 'false'
mavenVersion:
description: 'The version of Maven set up to run the license-check build'
type: string
required: false
default: '3.9.6'
javaVersion:
description: 'The version of Java set up to run the license-check build'
type: string
required: false
default: '21'
secrets:
gitlabAPIToken:
description: 'The authentication token (scope: api) from gitlab.eclipse.org of the calling repository. Only required if license vetting is requested'
required: false
jobs:
check-licenses:
if: github.event_name != 'issue_comment' || ( github.event.issue.pull_request != '' && (github.event.comment.body == '/request-license-review') )
# Run on all non-comment events specified by the calling workflow and for comments on PRs that have a corresponding body.
runs-on: ubuntu-latest
permissions:
pull-requests: write
steps:
- name: Check dependabot PR
run: echo "isDependabotPR=1" >> $GITHUB_ENV
if: >
github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened')
&& github.actor == 'dependabot[bot]' && github.actor_id == '49699333'
# For 'issue_comment'-events this job only runs if a comment was added to a PR with body specified above
- name: Set review request
run: echo "request-review=1" >> $GITHUB_ENV
if: github.event_name == 'issue_comment' || env.isDependabotPR
# For 'issue_comment'-events this job only runs if a comment was added to a PR with body specified above
- name: Process license-vetting request
if: env.request-review && (!env.isDependabotPR)
uses: actions/github-script@v7
with:
script: |
const payload = await github.rest.repos.getCollaboratorPermissionLevel({
...context.repo, username: context.actor
});
const userPermission = payload?.data?.permission;
let reaction = 'rocket'
if (!(userPermission == 'write' || userPermission == 'admin')) { // not a committer
// Not a committer -> abort workflow
core.setFailed("Only committers are permitted to request license vetting and " + context.actor + " isn't one.")
reaction = '-1'
}
// react on comment to give early feedback that the request was understood
await github.rest.reactions.createForIssueComment({
...context.repo, comment_id: context.payload?.comment?.id, content: reaction
});
# By default the git-ref checked out for events triggered by comments to PRs is 'refs/heads/master'
# and for events triggered by PR creation/updates the ref is 'refs/pull/<PR-number>/merge'.
# So by default only the master-branch would be considered when requesting license-reviews, but we want the PR's state.
# Unless the PR is closed, then we want the master-branch, which allows subsequent license review requests.
- uses: actions/checkout@v4
# use default ref 'refs/pull/<PR-number>/merge' for PR-events and 'refs/heads/master' for comments if the PR is closed
if: github.event.issue.pull_request == '' || github.event.issue.state != 'open'
with:
submodules: ${{ inputs.submodules }}
- uses: actions/checkout@v4
with:
ref: 'refs/pull/${{ github.event.issue.number }}/merge'
submodules: ${{ inputs.submodules }}
if: github.event.issue.pull_request != '' && github.event.issue.state == 'open'
- uses: actions/setup-java@v4
with:
java-version: ${{ inputs.javaVersion }}
distribution: 'temurin'
- name: Cache local Maven repository
uses: actions/cache@v4
with:
path: ~/.m2/repository
# re-cache on changes in the pom and target files
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml', '**/*.target') }}
restore-keys: |
${{ runner.os }}-maven-
- name: Set up Maven
uses: stCarolas/setup-maven@v5
with:
maven-version: ${{ inputs.mavenVersion }}
- name: Prepare for license check
run: ${{ inputs.setupScript }}
if: inputs.setupScript !=''
- name: Check license vetting status (and ask for review if requested)
id: check-license-vetting
uses: eclipse-dash/dash-licenses/.github/actions/maven-license-check-action@master
with:
request-review: ${{ env.request-review }}
project-id: ${{ inputs.projectId }}
env:
GITLAB_API_TOKEN: ${{ secrets.gitlabAPIToken }}
- name: Process license check results
if: env.request-review
uses: actions/github-script@v7
with:
script: |
const fs = require('fs')
const licenesVetted = ${{ steps.check-license-vetting.outputs.licenses-vetted }}
let commentBody = ''
// if context.payload.comment is empty, this is an explicit review-request through a comment, if not an automated one, e.g. for dependabot PRs
if ( context.payload.comment ) {
commentBody += '> ' + context.payload.comment.body + '\n\n'
} else if ( licenesVetted ){
core.info('License review request made automatically but all licenses are already vetted.')
return; // Don't create a comment in this case, the checks in the UI indicate the state already.
} else {
// This run encountered pending reviews, which have been requested automatically, e.g. for dependabot PRs
core.setFailed("Some dependencies must be vetted and their review was requested. Rerun this check once these reviews succeeded.")
}
if( licenesVetted ) {
commentBody += ':heavy_check_mark: All licenses already successfully vetted.\n'
} else {
const reviewSummaryFile = process.env.GITHUB_WORKSPACE + '/target/dash/review-summary'
core.info("Read review summary at " + reviewSummaryFile)
let content = "";
if ( fs.existsSync( reviewSummaryFile )) {
content = fs.readFileSync( reviewSummaryFile, {encoding: 'utf8'}).trim();
}
if ( content ) { // not empty
commentBody += 'License review requests:\n'
const lines = content.split('\n')
for(var line = 0; line < lines.length; line++){
commentBody += ('- ' + lines[line] + '\n')
}
commentBody += '\n'
commentBody += 'After all reviews have concluded, re-run the license-vetting check from the Github Actions web-interface to update its status.\n'
} else {
core.setFailed("License vetting build failed, but no reviews are created")
commentBody += ':warning: Failed to request review of not vetted licenses.\n'
}
}
commentBody += '\n'
commentBody += 'Workflow run (with attached summary files):\n'
commentBody += context.serverUrl + "/" + process.env.GITHUB_REPOSITORY + "/actions/runs/" + context.runId
github.rest.issues.createComment({
issue_number: context.issue.number, ...context.repo, body: commentBody
})
- uses: actions/upload-artifact@v4
if: always() && env.request-review
with:
name: '${{ inputs.projectId }}-license-vetting-summary'
path: |
target/dash/review-summary
target/dash/summary