|
| 1 | +# |
| 2 | +# Copyright © 2021-present Arcade Data Ltd (info@arcadedata.com) |
| 3 | +# |
| 4 | +# Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | +# you may not use this file except in compliance with the License. |
| 6 | +# You may obtain a copy of the License at |
| 7 | +# |
| 8 | +# http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | +# |
| 10 | +# Unless required by applicable law or agreed to in writing, software |
| 11 | +# distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | +# See the License for the specific language governing permissions and |
| 14 | +# limitations under the License. |
| 15 | +# |
| 16 | +# SPDX-FileCopyrightText: 2021-present Arcade Data Ltd (info@arcadedata.com) |
| 17 | +# SPDX-License-Identifier: Apache-2.0 |
| 18 | +# |
| 19 | + |
| 20 | +name: License Compliance Check |
| 21 | + |
| 22 | +on: |
| 23 | + schedule: |
| 24 | + # Run weekly on Sunday at midnight UTC |
| 25 | + - cron: '0 0 * * 0' |
| 26 | + workflow_dispatch: |
| 27 | + # Allow manual trigger |
| 28 | + pull_request: |
| 29 | + # Run on PRs that modify dependencies |
| 30 | + paths: |
| 31 | + - '**/pom.xml' |
| 32 | + - 'NOTICE' |
| 33 | + - 'ATTRIBUTIONS.md' |
| 34 | + |
| 35 | +jobs: |
| 36 | + license-check: |
| 37 | + name: Check License Compliance |
| 38 | + runs-on: ubuntu-latest |
| 39 | + |
| 40 | + steps: |
| 41 | + - name: Checkout code |
| 42 | + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
| 43 | + |
| 44 | + - name: Set up JDK 21 |
| 45 | + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 |
| 46 | + with: |
| 47 | + java-version: '21' |
| 48 | + distribution: 'temurin' |
| 49 | + cache: 'maven' |
| 50 | + |
| 51 | + - name: Buid jars |
| 52 | + run: ./mvnw clean install -DskipTests --batch-mode --errors --show-version |
| 53 | + env: |
| 54 | + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 55 | + |
| 56 | + - name: Generate third-party license report |
| 57 | + run: | |
| 58 | + echo "Generating license report..." |
| 59 | + mvn org.codehaus.mojo:license-maven-plugin:2.4.0:add-third-party -DskipTests |
| 60 | + continue-on-error: false |
| 61 | + |
| 62 | + - name: Check for blacklisted licenses |
| 63 | + run: | |
| 64 | + echo "Checking for incompatible licenses (GPL, AGPL, SSPL)..." |
| 65 | + if grep -iE "(GPL|AGPL|SSPL|Commons Clause)" target/generated-sources/license/THIRD-PARTY.txt 2>/dev/null; then |
| 66 | + echo "❌ ERROR: Found incompatible licenses!" |
| 67 | + grep -iE "(GPL|AGPL|SSPL|Commons Clause)" target/generated-sources/license/THIRD-PARTY.txt |
| 68 | + exit 1 |
| 69 | + else |
| 70 | + echo "✅ No blacklisted licenses found" |
| 71 | + fi |
| 72 | +
|
| 73 | + - name: Aggregate license information |
| 74 | + run: | |
| 75 | + echo "Aggregating license information from all modules..." |
| 76 | + mvn org.codehaus.mojo:license-maven-plugin:2.4.0:aggregate-add-third-party -DskipTests |
| 77 | + continue-on-error: true |
| 78 | + |
| 79 | + - name: Download license files |
| 80 | + run: | |
| 81 | + echo "Downloading license files..." |
| 82 | + mvn org.codehaus.mojo:license-maven-plugin:2.4.0:aggregate-download-licenses -DskipTests |
| 83 | + continue-on-error: true |
| 84 | + |
| 85 | + - name: Sanitize license filenames for upload-artifact compatibility |
| 86 | + if: always() |
| 87 | + run: | |
| 88 | + # upload-artifact forbids: " : < > | * ? \r \n in filenames |
| 89 | + find target/generated-resources/licenses/ -type f 2>/dev/null | while IFS= read -r f; do |
| 90 | + dir="$(dirname "$f")" |
| 91 | + base="$(basename "$f")" |
| 92 | + sanitized="$(printf '%s' "$base" | sed 's/[":<>|*?]/_/g')" |
| 93 | + if [ "$base" != "$sanitized" ]; then |
| 94 | + echo "Renaming: $base -> $sanitized" |
| 95 | + mv "$f" "$dir/$sanitized" |
| 96 | + fi |
| 97 | + done |
| 98 | +
|
| 99 | + - name: Upload license report |
| 100 | + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 |
| 101 | + if: always() |
| 102 | + with: |
| 103 | + name: license-compliance-report |
| 104 | + path: | |
| 105 | + target/generated-sources/license/ |
| 106 | + target/generated-resources/licenses/ |
| 107 | + retention-days: 30 |
| 108 | + |
| 109 | + - name: Comment on PR (if applicable) |
| 110 | + if: github.event_name == 'pull_request' |
| 111 | + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 |
| 112 | + with: |
| 113 | + script: | |
| 114 | + const fs = require('fs'); |
| 115 | + let comment = '## 📜 License Compliance Check\n\n'; |
| 116 | +
|
| 117 | + try { |
| 118 | + const report = fs.readFileSync('target/generated-sources/license/THIRD-PARTY.txt', 'utf8'); |
| 119 | + const lines = report.split('\n').slice(0, 50); |
| 120 | + comment += '✅ License check passed. See artifacts for full report.\n\n'; |
| 121 | + comment += '<details><summary>License Summary (first 50 lines)</summary>\n\n```\n'; |
| 122 | + comment += lines.join('\n'); |
| 123 | + comment += '\n```\n</details>'; |
| 124 | + } catch (error) { |
| 125 | + comment += '⚠️ Could not read license report.\n'; |
| 126 | + } |
| 127 | +
|
| 128 | + github.rest.issues.createComment({ |
| 129 | + issue_number: context.issue.number, |
| 130 | + owner: context.repo.owner, |
| 131 | + repo: context.repo.repo, |
| 132 | + body: comment |
| 133 | + }); |
| 134 | +
|
| 135 | + - name: Summary |
| 136 | + if: always() |
| 137 | + run: | |
| 138 | + echo "### License Compliance Check Complete" >> $GITHUB_STEP_SUMMARY |
| 139 | + echo "" >> $GITHUB_STEP_SUMMARY |
| 140 | + echo "📋 **Reports generated:**" >> $GITHUB_STEP_SUMMARY |
| 141 | + echo "- Third-party licenses list" >> $GITHUB_STEP_SUMMARY |
| 142 | + echo "- Aggregated module licenses" >> $GITHUB_STEP_SUMMARY |
| 143 | + echo "- Downloaded license texts" >> $GITHUB_STEP_SUMMARY |
| 144 | + echo "" >> $GITHUB_STEP_SUMMARY |
| 145 | + echo "📦 Download the 'license-compliance-report' artifact to review full details." >> $GITHUB_STEP_SUMMARY |
| 146 | + echo "" >> $GITHUB_STEP_SUMMARY |
| 147 | + echo "🔍 **How to review locally:**" >> $GITHUB_STEP_SUMMARY |
| 148 | + echo "\`\`\`bash" >> $GITHUB_STEP_SUMMARY |
| 149 | + echo "mvn org.codehaus.mojo:license-maven-plugin:2.4.0:add-third-party" >> $GITHUB_STEP_SUMMARY |
| 150 | + echo "cat target/generated-sources/license/THIRD-PARTY.txt" >> $GITHUB_STEP_SUMMARY |
| 151 | + echo "\`\`\`" >> $GITHUB_STEP_SUMMARY |
0 commit comments