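name: 'Dependency Review'

# Reusable license gate: runs GitHub's dependency-review-action with an explicit
# SPDX allow-list, then fails closed on anything the action reports as
# unlicensed or with an unresolvable license expression.
#
# NOTE(review): dependency-review-action diffs a base ref against a head ref.
# Under `workflow_call` it inherits the caller's (pull_request) event context;
# under `workflow_dispatch` there is no PR context, so the review step is
# expected to need explicit `base-ref`/`head-ref` inputs to do anything useful.
# Confirm before relying on manual runs of this workflow.
on:
  workflow_call:
  workflow_dispatch:

# Default-deny for GITHUB_TOKEN at the workflow level; each job re-grants only
# what it needs.
permissions: {}

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    permissions:
      contents: read  # check out and read the repository; nothing is written back
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Do not write GITHUB_TOKEN into the local git config where later
          # steps (or a compromised action) could reuse it.
          persist-credentials: false

      - name: 'Dependency Review'
        id: review
        uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
        with:
          # SPDX allow-list. LGPL-2.x is only accepted as "-or-later", since the
          # "-only" variants are not compatible with LGPL-3.x (see the rationale
          # comments at the end of this file).
          allow-licenses: 0BSD, BSD-1-Clause, BSD-2-Clause, BSD-3-Clause, LGPL-2.0-or-later, LGPL-2.1-or-later, LGPL-3.0-only, LGPL-3.0-or-later, MIT, WTFPL, Apache-2.0, MPL-2.0, ISC
          # Per-package exceptions (purl syntax) would go here, e.g.:
          # allow-dependencies-licenses: 'pkg:pypi/numpy'

      # The action step itself is presumed to block only on *forbidden*
      # licenses (verify against the docs for the pinned version above);
      # dependencies whose license is unknown or could not be resolved would
      # otherwise pass silently. This step turns those into a hard failure.
      - name: 'Disallow unlicensed/unknown license'
        shell: bash
        env:
          # Passed via env rather than interpolated into `run:` so the action
          # output is data, never shell text (script-injection guard).
          UNRESOLVED_LICENSES: "${{ steps.review.outputs.invalid-license-changes }}"
        run: |
          set -euo pipefail

          # Expected shape once reduced to package names: every bucket empty.
          EXPECTED="$(jq -cnS '{unlicensed: [], unresolved: [], forbidden: []}')"

          # Reduce the action output to the names of the offending dependencies.
          # Fail closed if the output is empty, not JSON, or missing a bucket:
          # jq exits non-zero and the comparison is never reached.
          if ! ACTUAL="$(printf '%s' "$UNRESOLVED_LICENSES" \
                | jq -ceS '{unlicensed: [.unlicensed[].name], unresolved: [.unresolved[].name], forbidden: [.forbidden[].name]}')"; then
            printf '::error::invalid-license-changes output is missing or not the expected JSON:\n%s\n' "$UNRESOLVED_LICENSES"
            exit 1
          fi

          printf 'expected: %s\nactual:   %s\n' "$EXPECTED" "$ACTUAL"

          if [[ "$ACTUAL" == "$EXPECTED" ]]; then
            echo "No unexpected unresolved license changes found."
          else
            # printf instead of `echo -e` so backslashes inside package names or
            # license strings are never reinterpreted as escape sequences.
            BOLD_RED=$'\033[1;31m'
            RESET=$'\033[0m'
            printf '%sInvalid unresolved license changes found:%s\n%s\n' "$BOLD_RED" "$RESET" "$UNRESOLVED_LICENSES"
            exit 1
          fi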
# Rationale:
## https://interoperable-europe.ec.europa.eu/licence/bsd-zero-clause-license
## 0BSD is a very permissive licence, like the BSD-2-Clause, but without the "attribution" requirement to include the authors' copyright notice, the license text and the disclaimer in either source or binary forms. The code may therefore be freely redistributed and relicensed without even mentioning its origin.
#"0BSD",
## Very permissive.
#"BSD-1-Clause",
## https://interoperable-europe.ec.europa.eu/licence/bsd-2-clause-simplified-license
## BSD-2-Clause permits almost unlimited freedom with the software so long as you include the BSD copyright notice in it (as is in the licence text).
#"BSD-2-Clause",
## https://interoperable-europe.ec.europa.eu/licence/bsd-3-clause-new-or-revised-license
## BSD-3 allows you almost unlimited freedom with the software so long as you include the BSD copyright and license notice in it...
#"BSD-3-Clause",
## Mark: explicitly NO BSD-4-Clause, aka the Old/Original BSD License (the one with the advertising clause).
#### LGPL ###
## The "-or-later" suffix is what makes these compatible with LGPL-3.0.
## "LGPL-2.0-only", # Incompatible with LGPL 3.0.
#"LGPL-2.0-or-later",
## "LGPL-2.1-only", # Incompatible with Apache 2.0 (We would have to "swap" both in that case).
#"LGPL-2.1-or-later",
#"LGPL-3.0-only",
#"LGPL-3.0-or-later",
### MPL ###
## https://interoperable-europe.ec.europa.eu/licence/mozilla-public-license-20
## Version 2.0 is, by default, compatible with LGPL and GPL version 2 or later and with the EUPL...
## MPL-2.0 files can be included in our project as long as the MPL-2.0 code stays in separate files and is not modified,
## which is the case for dependencies.
## Any modifications to MPL-2.0 code must be licensed under MPL-2.0.
# "MPL-2.0",
### MIT ###
#"MIT",
### WTFPL ###
#"WTFPL",
### Apache ###
#"Apache-2.0",