Test for licensecheck #5321

Workflow file for this run

.github/workflows/licensecheck.yml at 1d3f876

	# https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax
	name: License check

	on: # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows
	push:
	branches:
	- 'master'
	paths:
	- '**/package.json'
	- '**/package-lock.json'
	- '**/pom.xml'
	- '*/.target'
	- '.github/workflows/licensecheck.yml'
	pull_request:
	branches:
	- 'master'
	paths:
	- '**/package.json'
	- '**/package-lock.json'
	- '**/pom.xml'
	- '*/.target'
	- '.github/workflows/licensecheck.yml'
	issue_comment:
	types: [created]
	workflow_dispatch:
	# https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#workflow_dispatch

	jobs:
	###########################################################
	call-mvn-license-check:
	###########################################################
	uses: eclipse-dash/dash-licenses/.github/workflows/mavenLicenseCheck.yml@master
	with:
	projectId: tools.wildwebdeveloper
	javaVersion: 21
	secrets:
	gitlabAPIToken: ${{ secrets.GITLAB_API_TOKEN }}
	permissions:
	pull-requests: write

	###########################################################
	npm-check:
	###########################################################
	if: github.event_name != 'issue_comment' \|\| ( github.event.issue.pull_request != '' && (github.event.comment.body == '/request-license-review') )
	# Run on all non-comment events specified by the calling workflow and for comments on PRs that have a corresponding body.
	runs-on: ubuntu-latest
	permissions:
	contents: read
	pull-requests: write
	steps:
	- uses: actions/checkout@v7
	if: github.event_name == 'push' \|\| github.event_name == 'pull_request'
	- uses: actions/github-script@v9
	if: github.event_name == 'issue_comment'
	id: get-pr
	with:
	script: \|
	const request = {
	owner: context.repo.owner,
	repo: context.repo.repo,
	pull_number: context.issue.number
	}
	core.info(`Getting PR #${request.pull_number} from ${request.owner}/${request.repo}`)
	try {
	const result = await github.rest.pulls.get(request)
	return result.data
	} catch (err) {
	core.setFailed(`Request failed with error ${err}`)
	}
	- uses: actions/checkout@v7
	if: github.event_name == 'issue_comment'
	with:
	repository: ${{ fromJSON(steps.get-pr.outputs.result).head.repo.full_name }}
	ref: ${{ fromJSON(steps.get-pr.outputs.result).head.sha }} # or .head.ref for branch name
	- name: Set up JDK 21
	uses: actions/setup-java@v5
	with:
	java-version: '21'
	distribution: 'temurin'
	- name: Set up Maven
	uses: stCarolas/setup-maven@v5.1
	with:
	maven-version: 3.9.16
	- name: Cache local Maven repository
	uses: actions/cache@v5
	with:
	path: ~/.m2/repository
	key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
	restore-keys: \|
	${{ runner.os }}-maven-
	- name: Prepare NPM deps
	run: mvn -DskipTests -pl org.eclipse.wildwebdeveloper.embedder.node,org.eclipse.wildwebdeveloper package
	- name: Get Dash license tool
	run: \|
	mvn -U dependency:get -Dartifact=org.eclipse.dash:org.eclipse.dash.licenses:1.1.0 -DremoteRepositories="https://repo.eclipse.org/content/repositories/dash-licenses"
	mkdir -p target/dash # Make directory for dash-license review summary
	- name: Set request review parameters
	run: \|
	echo "request-review=1" >> $GITHUB_ENV
	# Always request a review so unvetted licenses are submitted automatically.
	- name: NPM Deps License check
	id: license-check
	shell: bash {0}
	run: \|
	set +x

	savePWD=$PWD
	mkdir -p target/dash # Make directory for dash-license review summary

	projectId="tools.wildwebdeveloper"
	gitlabAPIToken="${{ secrets.GITLAB_API_TOKEN }}"
	dashLicenseToolJar=$(ls ~/.m2/repository/org/eclipse/dash/org.eclipse.dash.licenses/1.1.0/org.eclipse.dash.licenses-*.jar \| tail -n 1)
	npmArgs=" --no-bin-links --ignore-scripts"
	dashArgs="-excludeSources local -summary $savePWD/target/dash/npm-review-summary"
	exitStatus=0
	if [ -n "$gitlabAPIToken" ]; then
	# A GitLab token is available (e.g. on branches/PRs that can access
	# repository secrets), so request a review automatically. Dependabot
	# and fork pull requests don't get the secret; in that case we skip
	# the review request and still produce the summary of unvetted deps.
	dashArgs="$dashArgs -review -project $projectId -token $gitlabAPIToken"
	fi
	#
	# Check NPM dependency licenses in main WildWebDeveloper project
	#
	echo ""
	echo "------ Checking project [org.eclipse.wildwebdeveloper] ------"
	# Tee the output to a log so the reporting step can extract the URLs of
	# the review requests that dash-licenses creates (they are logged to the
	# console but are not part of the -summary CSV file).
	java -jar $dashLicenseToolJar $dashArgs org.eclipse.wildwebdeveloper/package-lock.json 2>&1 \| tee "$savePWD/target/dash/npm-review-log"
	currentStatus=${PIPESTATUS[0]}
	if [[ $currentStatus != 0 ]]; then
	exitStatus=$(($exitStatus + $currentStatus)) # Save for future
	fi
	cd $savePWD

	echo ""
	if [[ $exitStatus == 0 ]]; then # All licenses are vetted
	# echo "::set-output name=build-succeeded::$(echo 1)"
	echo "build-succeeded=1" >> $GITHUB_OUTPUT
	echo "All licenses are vetted"
	else
	# echo "::set-output name=build-succeeded::$(echo 0)"
	echo "build-succeeded=0" >> $GITHUB_OUTPUT
	if [ ${{ env.request-review }} ]; then
	echo "Some contents requires a review"
	echo ""
	echo "The NPM dependency License Check review summary is saved in 'target/dash/npm-review-summary'"
	else
	echo "Committers can request a review by commenting '/request-license-review'"
	exit 1
	fi
	fi
	echo ""

	- name: Report required license reviews and fail
	if: always() && steps.license-check.outputs.build-succeeded == '0'
	uses: actions/github-script@v9
	with:
	script: \|
	const fs = require('fs');
	const summaryPath = 'target/dash/npm-review-summary';
	let summary = '';
	try {
	summary = fs.readFileSync(summaryPath, 'utf8');
	} catch (err) {
	core.setFailed(`Could not read NPM review summary at '${summaryPath}': ${err}`);
	return;
	}
	// The summary is a CSV produced by dash-licenses: "id, license, status, source".
	// Dependencies whose status is "restricted" still require a license review.
	const needsReview = summary
	.split('\n')
	.map(line => line.trim())
	.filter(line => line.length > 0)
	.map(line => line.split(',').map(field => field.trim()))
	.filter(fields => fields[2] === 'restricted');
	if (needsReview.length === 0) {
	core.setFailed('The NPM license check failed but no restricted dependencies were found in the review summary.');
	return;
	}
	// dash-licenses creates a review request (an IP Lab GitLab issue) for
	// each unvetted dependency and logs its URL to the console. Parse the
	// captured log to associate each dependency id with its review URL.
	const reviewUrls = {};
	try {
	const log = fs.readFileSync('target/dash/npm-review-log', 'utf8');
	let currentId = null;
	for (const line of log.split('\n')) {
	const required = line.match(/A review is required for (.+?)\.\s*$/);
	if (required) {
	currentId = required[1].trim();
	continue;
	}
	const url = line.match(/A review request (?:was created\|already exists)\s+(\S+)/);
	if (url && currentId) {
	reviewUrls[currentId] = url[1];
	currentId = null;
	}
	}
	} catch (err) {
	core.info(`No review log found to extract review request URLs: ${err}`);
	}
	const list = needsReview
	.map(fields => {
	const url = reviewUrls[fields[0]];
	const link = url ? ` — [review request](${url})` : '';
	return `- \`${fields[0]}\` (license: ${fields[1] \|\| 'unknown'}, source: ${fields[3] \|\| 'none'})${link}`;
	})
	.join('\n');
	const anyReviewCreated = Object.keys(reviewUrls).length > 0;
	const footer = anyReviewCreated
	? 'A review request has been submitted to the Eclipse IP team for each dependency listed above (see the linked issues). These dependencies must be approved before this change can be merged.'
	: 'No review request could be created automatically (this happens for fork pull requests, where the GitLab token is unavailable). A committer can submit the review requests by commenting `/request-license-review` on this pull request. These dependencies must be approved before this change can be merged.';
	const body = [
	'## :warning: NPM dependency license review required',
	'',
	'The following NPM dependencies have licenses that are not yet vetted and require a review before they can be used:',
	'',
	list,
	'',
	footer,
	].join('\n');
	core.summary.addRaw(body).write();
	const prNumber = context.issue && context.issue.number;
	if (prNumber) {
	// Posting a comment requires a token with write access. For pull
	// requests opened from forks the GITHUB_TOKEN is read-only, so the
	// comment can't be posted there; the '/request-license-review'
	// issue_comment flow runs in the base repo and can comment instead.
	try {
	await github.rest.issues.createComment({
	owner: context.repo.owner,
	repo: context.repo.repo,
	issue_number: prNumber,
	body,
	});
	} catch (err) {
	core.warning(`Could not post review comment (likely a fork pull request with a read-only token): ${err}`);
	}
	} else {
	core.info('No pull request context available; skipping PR comment.');
	}
	core.setFailed('Some NPM dependencies require a license review.');

	- uses: actions/upload-artifact@v7
	if: always() && env.request-review
	with:
	name: tools.wildwebdeveloper-npm-license-vetting-summary
	path: \|
	target/dash/npm-review-summary
	target/dash/npm-review-log
	target/dash/summary

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Test for licensecheck #5321

Workflow file

Test for licensecheck #5321

Uh oh!

Workflow file for this run