Skip to content

MNT Check licenses of installed dependencies #1380

MNT Check licenses of installed dependencies

MNT Check licenses of installed dependencies #1380

Workflow file for this run

name: CI
on:
push:
pull_request:
workflow_dispatch:
jobs:
# ci:
# name: CI
# uses: silverstripe/gha-ci/.github/workflows/ci.yml@v1
# with:
# # Use simple_matrix to limit the number of created jobs
# # phpunit.xml.dist has a large number of testsuites, all of which are tested with
# # multiple versions of php + databases in both the modules themselves and other recipes
# # such as recipe-form-building
# simple_matrix: true
# # Also include jobs with the lowest version of PHP with --prefer-lowest and
# # the highest version of PHP to ensure everything installs
# # Run recipe-cms testsuite because that's the most likely to have weird conflicts e.g. graphql
# extra_jobs: |
# - php: 8.3
# composer_args: --prefer-lowest
# phpunit: true
# phpunit_suite: recipe-cms
# - php: 8.3
# phpunit: true
# phpunit_suite: recipe-cms
# - php: 8.3
# endtoend: true
# endtoend_suite: silverstripe-elemental
# endtoend_config: vendor/dnadesign/silverstripe-elemental/behat.yml
# endtoend_tags: job1
# - php: 8.3
# endtoend: true
# endtoend_suite: silverstripe-elemental
# endtoend_config: vendor/dnadesign/silverstripe-elemental/behat.yml
# endtoend_tags: job2
# - php: 8.3
# endtoend: true
# endtoend_suite: silverstripe-elemental
# endtoend_config: vendor/dnadesign/silverstripe-elemental/behat.yml
# endtoend_tags: job3
# - php: 8.3
# endtoend: true
# endtoend_suite: silverstripe-elemental
# endtoend_config: vendor/dnadesign/silverstripe-elemental/behat.yml
# endtoend_tags: job4
# - php: 8.3
# endtoend: true
# endtoend_suite: silverstripe-elemental
# endtoend_config: vendor/dnadesign/silverstripe-elemental/behat.yml
# endtoend_tags: job5
# - php: 8.3
# endtoend: true
# endtoend_suite: silverstripe-elemental
# endtoend_config: vendor/dnadesign/silverstripe-elemental/behat.yml
# endtoend_tags: job6,job7,job8,job9
# - php: 8.3
# endtoend: true
# endtoend_suite: silverstripe-elemental-userforms
# endtoend_config: vendor/dnadesign/silverstripe-elemental-userforms/behat.yml
# - php: 8.3
# endtoend: true
# endtoend_suite: silverstripe-advancedworkflow
# endtoend_config: vendor/symbiote/silverstripe-advancedworkflow/behat.yml
# - php: 8.3
# endtoend: true
# endtoend_suite: admin
# endtoend_config: vendor/silverstripe/admin/behat.yml
# endtoend_tags: job1
# - php: 8.3
# endtoend: true
# endtoend_suite: admin
# endtoend_config: vendor/silverstripe/admin/behat.yml
# endtoend_tags: job2
# - php: 8.3
# endtoend: true
# endtoend_suite: admin
# endtoend_config: vendor/silverstripe/admin/behat.yml
# endtoend_tags: job3,job4,job5,job6
# - php: 8.3
# endtoend: true
# endtoend_suite: asset-admin
# endtoend_config: vendor/silverstripe/asset-admin/behat.yml
# endtoend_tags: job1
# - php: 8.3
# endtoend: true
# endtoend_suite: asset-admin
# endtoend_config: vendor/silverstripe/asset-admin/behat.yml
# endtoend_tags: job2
# - php: 8.3
# endtoend: true
# endtoend_suite: asset-admin
# endtoend_config: vendor/silverstripe/asset-admin/behat.yml
# endtoend_tags: job3,job4,job5,job6
# - php: 8.3
# endtoend: true
# endtoend_suite: blog
# endtoend_config: vendor/silverstripe/blog/behat.yml
# - php: 8.3
# endtoend: true
# endtoend_suite: cms
# endtoend_config: vendor/silverstripe/cms/behat.yml
# endtoend_tags: job1
# - php: 8.3
# endtoend: true
# endtoend_suite: cms
# endtoend_config: vendor/silverstripe/cms/behat.yml
# endtoend_tags: job2
# - php: 8.3
# endtoend: true
# endtoend_suite: cms
# endtoend_config: vendor/silverstripe/cms/behat.yml
# endtoend_tags: job3,job4,job5,job6
# - php: 8.3
# endtoend: true
# endtoend_suite: linkfield
# endtoend_config: vendor/silverstripe/linkfield/behat.yml
# endtoend_tags: job1
# - php: 8.3
# endtoend: true
# endtoend_suite: linkfield
# endtoend_config: vendor/silverstripe/linkfield/behat.yml
# endtoend_tags: job2,job3,job4,job5
# - php: 8.3
# endtoend: true
# endtoend_suite: mfa
# endtoend_config: vendor/silverstripe/mfa/behat.yml
# - php: 8.3
# endtoend: true
# endtoend_suite: session-manager
# endtoend_config: vendor/silverstripe/session-manager/behat.yml
# - php: 8.3
# endtoend: true
# endtoend_suite: sharedraftcontent
# endtoend_config: vendor/silverstripe/sharedraftcontent/behat.yml
# - php: 8.3
# endtoend: true
# endtoend_suite: siteconfig
# endtoend_config: vendor/silverstripe/siteconfig/behat.yml
# - php: 8.3
# endtoend: true
# endtoend_suite: subsites
# endtoend_config: vendor/silverstripe/subsites/behat.yml
# - php: 8.3
# endtoend: true
# endtoend_suite: taxonomy
# endtoend_config: vendor/silverstripe/taxonomy/behat.yml
# - php: 8.3
# endtoend: true
# endtoend_suite: totp-authenticator
# endtoend_config: vendor/silverstripe/totp-authenticator/behat.yml
# - php: 8.3
# endtoend: true
# endtoend_suite: userforms
# endtoend_config: vendor/silverstripe/userforms/behat.yml
# - php: 8.3
# endtoend: true
# endtoend_suite: versioned-admin
# endtoend_config: vendor/silverstripe/versioned-admin/behat.yml
# endtoend_tags: job1
# - php: 8.3
# endtoend: true
# endtoend_suite: versioned-admin
# endtoend_config: vendor/silverstripe/versioned-admin/behat.yml
# endtoend_tags: job2,job3,job4,job5
licenses:
name: Licenses
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
steps:
- name: Checkout code
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- name: Get PHP version
id: phpversion
run: |
PHP=$(jq -r '.require["php"]' composer.json)
# Remove the leading caret
PHP=${PHP//^/}
echo "::set-output name=version::$PHP"
- name: Install PHP
uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # v2.31.1
with:
php-version: ${{ steps.phpversion.outputs.version }}
extensions: curl, dom, gd, intl, json, ldap, mbstring, mysql, tidy, xdebug, zip
tools: composer:v2
coverage: xdebug
- name: Composer install
run: composer install
- name: Check licenses
runs: |
# Validate licenses of all composer dependencies are allowed
echo "Checking licenses of all dependencies"
composer global require madewithlove/license-checker
COMPOSER_GLOBAL_HOME=$(composer -q -n config --global home)
# Fetch a list of allowed SPDX identifiers from the repository
URL=https://raw.githubusercontent.com/silverstripe/gha-run-tests/refs/heads/1/allowed-spdx-delimited.txt
echo "Fetching from $URL"
SPDX_ALLOWED_DELIMITED=$(curl -s $URL)
if [[ SPDX_ALLOWED_DELIMITED =~ "404: Not Found" ]]; then
echo "Failed to fetch remote list of allowed SPDX identifiers, falling back to default list"
SPDX_ALLOWED_DELIMITED='MIT;MIT-0;ISC;0BSD;BSD-2-Clause;BSD-3-Clause;Apache-2.0;Python-2.0;CC0-1.0;CC-BY-3.0;CC-BY-4.0;Public Domain;Unlicense'
else
echo "Succesfully fetched remote list of allowed SPDX identifiers"
SPDX_ALLOWED_DELIMITED=$(cat ${{ github.action_path }}/allowed-spdx-delimited.txt | tr -d '\n')
fi
# Update the licenses in the installed.json file to be sorted so that allowed SPDX identifier
# are at the top of the list. This is done because the license-checker will only check the first SPDX.
SPDX_ALLOWED_DELIMITED=$SPDX_ALLOWED_DELIMITED php -r '
$allowedSpdxDelimted = getenv("SPDX_ALLOWED_DELIMITED");
$allowedSpdx = explode(";", $allowedSpdxDelimted);
$filename = "vendor/composer/installed.json";
$contents = file_get_contents("vendor/composer/installed.json");
$json = json_decode($contents, true);
foreach ($json["packages"] as &$package) {
# A handful of silverstripe packages do not have a license field, though we do not need to check them
if (str_starts_with($package["name"], "silverstripe/")) {
continue;
}
if (!isset($package["license"])) {
throw new Exception("License field missing for package " . $package["name"]);
}
usort($package["license"], fn ($spdx) => in_array($spdx, $allowedSpdx) ? -1 : 1);
}
file_put_contents($filename, json_encode($json, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES));
'
# Translate " " to "_" (and back again later) for any SPDX that has a space in it, such as "Public Domain"
# Otherwise the bash for loop will split on the space
SPDX_ALLOWED_LIST=$(echo $SPDX_ALLOWED_DELIMITED | tr " " "_" | tr ";" "\n")
SPDX_USED_LIST=$($COMPOSER_GLOBAL_HOME/vendor/bin/license-checker --no-dev used)
for SPDX_USED in $SPDX_USED_LIST; do
IS_ALLOWED=0
for SPDX_ALLOWED in $SPDX_ALLOWED_LIST; do
SPDX_ALLOWED=$(echo $SPDX_ALLOWED | tr "_" " ")
if [[ $SPDX_USED == $SPDX_ALLOWED ]]; then
IS_ALLOWED=1
break
fi
done
if [[ $IS_ALLOWED == 0 ]]; then
echo "License $SPDX_USED found in composer dependencies is not allowed. Check vendor/composer/installed.json"
exit 1
fi
done
echo "All licenses are allowed"