Task #905 - Add scan-licenses.yml GA workflow #145
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| name: Scan licenses | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref }} | ||
| cancel-in-progress: true | ||
|
|
||
| on: | ||
| workflow_call: | ||
|
|
||
| jobs: | ||
| scanning: | ||
| runs-on: ubuntu-latest | ||
| name: License scanning | ||
| steps: | ||
| - name: Git checkout | ||
| uses: actions/checkout@v3 | ||
| - name: Set up Ruby | ||
| uses: ruby/setup-ruby@v1 | ||
| with: | ||
| bundler-cache: true | ||
| - name: Run license scanning | ||
| run: | | ||
| bundle config --local deployment false | ||
| bundle lock --add-platform x86_64-linux | ||
| bundle config --local deployment true | ||
|
Comment on lines
+23
to
+25
There was a problem hiding this comment. This block looks like it's trying to perform a trick/hack. Why do we need this? Is there a more conventional way of achieving the same result? There was a problem hiding this comment. First, I tried just to call There was a problem hiding this comment. Seems like you uncovered a problem with our setup. This is a native extension compilation problem, which originates from our Nokogiri installation docs contains compelling arguments to explicitly list platforms making bundler install precompiled binaries instead of compiling deps natively. @lovro-bikic your comment here was the trigger to move from explicitly listing platforms to using |
||
| bundle exec license_finder | ||
|
Comment on lines
+23
to
+26
There was a problem hiding this comment. I'd actually like to have this as a script in the project, similar to e.g. default_rails_template/template.rb Lines 164 to 178 in ce3d228 That way developers can run the script locally and modify it if needed. There was a problem hiding this comment. For simple one/two-liners, I find it's more complex when CI workflow is referencing project scripts. GH workflow is coupled with the default_rails_template, and it makes it less portable. In this case, I'm OK with both approaches, but in general, I'm in favor of workflow being self-sustainable, and project scripts should be used only where necessary. |
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| name: Scan licenses | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| push: | ||
| paths: | ||
| - 'Gemfile*' | ||
| - 'package.json' | ||
|
|
||
| jobs: | ||
| scanning: | ||
| uses: infinum/default_rails_template/.github/workflows/scan-licenses.yml@v1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How are the developers notified that there are issues with some licenses?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree, we should setup a Slack notification here.
DevOps used https://github.com/rtCamp/action-slack-notify
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think Slack notification is necessary for this step.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nikajukic I tried to use https://github.com/rtCamp/action-slack-notify for sending slack notifications but it looks like they require us to install this https://slack.com/apps/A0F7XDUAZ-incoming-webhooks?tab=settings&next_id=0