# Builds each Maven module and checks the licences of its dependencies.
name: Legal report with Maven

# Triggers: manual dispatch, pushes to main and release branches, and pull
# requests that touch a pom.xml or this workflow file.
on:
  workflow_dispatch: {}
  push:
    branches:
      - 'main'
      - 'release-*'
  pull_request:
    paths:
      - '**/pom.xml'
      - '.github/workflows/legal-report.yml'
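jobs:
  # Generates the license-maven-plugin XML report for each module in the
  # matrix and fails the job when a dependency licence is not on the allow list.
  legal-scanning:
    runs-on: ubuntu-latest
    # Least privilege: the job only reads the repository. Cache and artifact
    # upload do not use the GITHUB_TOKEN scopes.
    permissions:
      contents: read
    strategy:
      matrix:
        package-folder: [toolbox, vuu, vuu-java]
    steps:
      # NOTE(review): the actions below are referenced by mutable major-version
      # tags. Pinning each `uses:` to a full commit SHA would stop a retagged
      # release from changing what runs here.
      - uses: actions/checkout@v6
        with:
          # The job never pushes, so do not leave the token in .git/config
          # where the Maven build and its plugins could read it.
          persist-credentials: false
      - name: Set up JDK 1.17
        uses: actions/setup-java@v5
        with:
          java-version: '17'
          java-package: jdk
          distribution: temurin
          cache: 'maven'
      - name: Install XQ
        run: |
          sudo apt-get update
          # -y keeps the install non-interactive if xq pulls in extra packages.
          sudo apt-get install -y xq
      - name: Make mvnw executable
        run: chmod +x mvnw
      # NOTE(review): no plugin version is given on the command line. Unless
      # the pom pins license-maven-plugin, Maven resolves whichever release is
      # current; confirm it is pinned.
      # The matrix values are fixed in this file, so interpolating them into
      # the command line is not attacker-controlled input.
      - name: License XML report
        run: >-
          ./mvnw -B -ntp clean install
          org.codehaus.mojo:license-maven-plugin:download-licenses
          -pl ${{ matrix.package-folder }} -am -DskipTests
          -DlicensesOutputDirectory=${{ matrix.package-folder }}
      - name: Validate XML report
        working-directory: ${{ matrix.package-folder }}
        # An explicit bash shell makes the runner enable errexit and pipefail.
        shell: bash
        run: |
          set -eo pipefail
          ALLOWED_LICENCES=(
            "Apache 2"
            "Apache 2.0"
            "Apache 2.0 License"
            "Apache License 2.0"
            "Apache License, Version 2.0"
            "Apache-2.0"
            "BSD"
            "BSD licence"
            "BSD Licence 3"
            "BSD-3-Clause"
            "BSD 3-Clause \"New\" or \"Revised\" License (BSD-3-Clause)"
            "Eclipse Public License 1.0"
            "Eclipse Public License - v 1.0"
            "Eclipse Public License - v 2.0"
            "Eclipse Public License v2.0"
            "GNU Lesser General Public License"
            "MIT"
            "MIT License"
            "New BSD License"
            "The Apache Software License, Version 2.0"
            "the Apache License, ASL Version 2.0"
            "The Apache License, Version 2.0"
            "The BSD License"
            "Unicode/ICU License"
          )
          REPORT=target/generated-resources/licenses.xml
          # Fail closed: a missing report must not be read as "nothing banned".
          if [[ ! -s "$REPORT" ]]; then
            echo "License report $REPORT is missing or empty" >&2
            exit 1
          fi
          # Parse unique licenses in dependencies. A command substitution is
          # used instead of a process substitution so that an xq failure stops
          # the step rather than producing an empty list.
          LICENSE_NAMES="$(xq -x '//name' < "$REPORT" | sort -u)"
          # NOTE(review): assumes every scanned module has at least one
          # third-party dependency, so an empty result means parsing broke.
          if [[ -z "$LICENSE_NAMES" ]]; then
            echo "No license names could be read from $REPORT" >&2
            exit 1
          fi
          readarray -t LICENSES <<< "$LICENSE_NAMES"
          BANNED=()
          # Collect the ones that are not on the allow list (exact match).
          for license1 in "${LICENSES[@]}"; do
            found=false
            for license2 in "${ALLOWED_LICENCES[@]}"; do
              if [[ "$license1" == "$license2" ]]; then
                found=true
                break
              fi
            done
            if [[ "$found" == false ]]; then
              BANNED+=("$license1")
            fi
          done
          if [ ${#BANNED[@]} -ne 0 ]; then
            echo "Banned licenses found:"
            for license in "${BANNED[@]}"; do
              echo " - $license"
            done
            exit 1
          fi
      - name: Upload license XML reports
        # Keep the report as evidence when validation fails too.
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v5
        with:
          name: ${{ matrix.package-folder }}-license-xml-report
          path: '**/${{ matrix.package-folder }}/target/generated-resources/licenses.xml'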