diff --git a/.github/workflows/e2e_tests.yaml b/.github/workflows/e2e_tests.yaml
index cc5f785b3e..1537b838f2 100644
--- a/.github/workflows/e2e_tests.yaml
+++ b/.github/workflows/e2e_tests.yaml
@@ -1,9 +1,9 @@ name: Run Explorer e2e Tests on: push: - + pull_request: - + workflow_dispatch: jobs:
diff --git a/.github/workflows/license-checker.yml b/.github/workflows/license-checker.yml
new file mode 100644
index 0000000000..2c9f2af232
--- /dev/null
+++ b/.github/workflows/license-checker.yml
@@ -0,0 +1,42 @@
+name: License Checker
+
+on:
+ push:
+ branches:
+ - main
+ - develop
+ pull_request:
+ types: [opened, synchronize]
+ workflow_dispatch:
+
+jobs:
+ license-checker:
+ permissions:
+ contents: read
+ packages: write
+ runs-on: self-hosted
+ if: |
+ "contains(github.event.head_commit.message, 'release-please--branches--main')" ||
+ ${{ github.event_name == 'pull_request' }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: 🫡 Setup node
+ uses: actions/setup-node@v1
+ with:
+ node-version: 16
+
+ - name: Setup Ruby
+ uses: ruby/setup-ruby@v1
+ with:
+ ruby-version: "3.2"
+ bundler-cache: true
+
+ - name: Install license_finder
+ run: |
+ gem install license_finder
+
+ - name: Check licenses
+ run: |
+ ./tools/license-checker.sh
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index fad545dcb1..867682d001 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -6,7 +6,7 @@ on: - main - develop pull_request: - types: [ opened, synchronize ] + types: [opened, synchronize] workflow_dispatch: env:
diff --git a/tools/license-checker.sh b/tools/license-checker.sh
new file mode 100755
index 0000000000..8f2d1a0c80
--- /dev/null
+++ b/tools/license-checker.sh
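Review bot: The `if:` on the license-checker job cannot express the intended gate: `contains(...)` is wrapped in double quotes, so it is a string literal rather than an expression (GitHub expression strings are single-quoted; double quotes are not valid expression syntax), and mixing that literal text with an inline `${{ }}` inside one block scalar leaves either a parse error or a non-empty, always-truthy string. Write it as one plain expression: `if: github.event_name == 'pull_request' || contains(github.event.head_commit.message, 'release-please--branches--main')`. The job only checks out the repository and runs a script, so `packages: write` is unneeded — keep `contents: read` as the only permission. With `runs-on: self-hosted` and a `pull_request` trigger, `./tools/license-checker.sh` from the PR head runs on your own infrastructure; if the repository accepts pull requests from forks, that hands code execution on that runner to any contributor, and a GitHub-hosted runner is the safer choice for this job. `actions/setup-node@v1` is long deprecated and none of the three actions are pinned to a commit SHA; pin them (`uses: actions/checkout@<full-sha> # v3`) and pin the version in `gem install license_finder` so the check is reproducible.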
@@ -0,0 +1,101 @@
+LICENSES_FILE=tools/licenses.txt
+WHITELIST_PACKAGES_FILE=tools/whitelist-packages.txt
+
+function print_warning {
+ if [ ${#WARNING_DEPENDENCIES[@]} -gt 0 ]; then
+ echo "[!] WARNING: Some packages are not safe:"
+ for DEPENDENCIES in "${WARNING_DEPENDENCIES[@]}"; do
+ echo "$DEPENDENCIES"
+ done
+ fi
+}
+
+WHITELIST_PACKAGES_ARRAY=()
+
+APPROVED_LICENSES_ARRAY=()
+while read line || [ -n "$line" ]; do
+ APPROVED_LICENSES_ARRAY+=("^$line$")
+done <$LICENSES_FILE
+
+WHITELIST_PACKAGES_ARRAY=()
+WARNING_WHITELIST_PACKAGES_ARRAY=()
+
+while read line || [ -n "$line" ]; do
+ if [[ "$line" =~ ^\! ]]; then
+ WARNING_WHITELIST_PACKAGES_ARRAY+=("^${line:1}$")
+ continue
+ fi
+ WHITELIST_PACKAGES_ARRAY+=("^$line$")
+done <$WHITELIST_PACKAGES_FILE
+
+APPROVED_LICENSES_REGEX=$(
+ IFS="|"
+ echo "${APPROVED_LICENSES_ARRAY[*]}"
+)
+
+WHITELIST_PACKAGES_REGEX=$(
+ IFS="|"
+ echo "${WHITELIST_PACKAGES_ARRAY[*]}"
+)
+
+WARNING_WHITELIST_PACKAGES_REGEX=$(
+ IFS="|"
+ echo "${WARNING_WHITELIST_PACKAGES_ARRAY[*]}"
+)
+
+REJECTED_DEPENDENCIES=()
+WARNING_DEPENDENCIES=()
+
+LICENSES=$(license_finder report | tail -n +2)
+
+IFS=$'\n' read -rd '' -a DEPENDENCIES <<<"$LICENSES"
+
+for DEPENDENCY in "${DEPENDENCIES[@]}"; do
+
+ DEPENDENCY_NAME=$(echo "$DEPENDENCY" | cut -d ',' -f 1 | xargs)
+ DEPENDENCY_VERSION=$(echo "$DEPENDENCY" | cut -d ',' -f 2 | xargs)
+ DEPENDENCY_LICENSES=$(echo "$DEPENDENCY" | cut -d ',' -f 3- | tr -d '"' | xargs)
+
+ if [[ "$DEPENDENCY_NAME" =~ $WHITELIST_PACKAGES_REGEX ]]; then
+ continue
+ fi
+
+ if [[ "$DEPENDENCY_NAME" =~ $WARNING_WHITELIST_PACKAGES_REGEX ]]; then
+ WARNING_DEPENDENCIES+=("$DEPENDENCY")
+ continue
+ fi
+
+ IFS=$',' read -rd '' -a SPLITTED_DEPENDENCY_LICENSES <<<"$DEPENDENCY_LICENSES"
+
+ HAVE_REJECTED_DEPENDENCY=0
+ LICENSES_WITH_STATUS=()
+
+ for DEPENDENCY_LICENSE in "${SPLITTED_DEPENDENCY_LICENSES[@]}"; do
+ DEPENDENCY_LICENSE=$(echo "$DEPENDENCY_LICENSE" | xargs)
+ if [[ !
"$DEPENDENCY_LICENSE" =~ $APPROVED_LICENSES_REGEX ]]; then
+ HAVE_REJECTED_DEPENDENCY=1
+ LICENSES_WITH_STATUS+=("[!] $DEPENDENCY_LICENSE")
+ fi
+ done
+
+ if [ $HAVE_REJECTED_DEPENDENCY -eq 1 ]; then
+ JOINED_NEW_DEPENDENCY_LICENSE=$(
+ IFS=", "
+ echo "${LICENSES_WITH_STATUS[*]}"
+ )
+ REJECTED_DEPENDENCIES+=("$DEPENDENCY_NAME, $DEPENDENCY_VERSION, $JOINED_NEW_DEPENDENCY_LICENSE")
+ fi
+done
+
+if [ ${#REJECTED_DEPENDENCIES[@]} -gt 0 ]; then
+ echo "[!] ERROR: Some packages are not approved:"
+ for DEPENDENCY in "${REJECTED_DEPENDENCIES[@]}"; do
+ echo "$DEPENDENCY"
+ done
+ print_warning
+ exit 1
+else
+ echo "[+] All packages are approved"
+ print_warning
+ exit 0
+fi
diff --git a/tools/licenses.txt b/tools/licenses.txt
new file mode 100644
index 0000000000..ceda36a316
--- /dev/null
+++ b/tools/licenses.txt
@@ -0,0 +1,13 @@
+MIT
+Apache 2.0
+BSD
+MPL 2.0
+EPL 2.0
+EDL 1.0
+Eclipse Public License v2.0
+BSD License 3
+ISC
+BSD Zero Clause License
+Mozilla Public License 2.0
+New BSD
+Simplified BSD
\ No newline at end of file
diff --git a/tools/whitelist-packages.txt b/tools/whitelist-packages.txt
new file mode 100644
index 0000000000..bbb86234a2
--- /dev/null
+++ b/tools/whitelist-packages.txt
@@ -0,0 +1,4 @@
+@typescript-eslint/parser
+!react-use
+redux-devtools-extension
+string-format
\ No newline at end of file
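Review bot: The gate fails open: `LICENSES=$(license_finder report | tail -n +2)` discards license_finder's exit status, so when the tool is missing, crashes, or prints nothing, `DEPENDENCIES` is empty, the loop never runs, and the script prints `[+] All packages are approved` and exits 0. Add `#!/usr/bin/env bash` and `set -o pipefail` at the top (the file has no shebang but relies on bash-only `[[`, arrays, `<<<` and `${line:1}`), and replace the assignment with `LICENSES=$(license_finder report | tail -n +2) && [ -n "$LICENSES" ] || { echo "[!] ERROR: license_finder failed or reported no dependencies"; exit 1; }`. For the same reason a row whose license column is empty is silently approved — `SPLITTED_DEPENDENCY_LICENSES` is empty, the inner `for` never runs and `HAVE_REJECTED_DEPENDENCY` stays 0 — so treat an empty license list as a rejection rather than a pass. Every line of licenses.txt and whitelist-packages.txt is also used as an unescaped regex, so the `.` in `Apache 2.0` matches any character and a `+`, `(` or `|` in a future entry would widen or break the match; escape the entries (or compare exact strings via an associative array) and use `read -r` in both loops so backslashes survive.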
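Review bot: Each entry in whitelist-packages.txt makes the checker skip that package entirely by name (or, with the `!` prefix, only warn), yet the file cannot record why, by whom, or until when the exemption was granted, because the reader loop in license-checker.sh turns every line — including a would-be `#` comment — into a `^…$` pattern. Let the loop skip comments and blank lines, `[[ -z "$line" || "$line" =~ ^# ]] && continue`, so each exemption can carry its justification next to it. Note also that the unprefixed entries (`@typescript-eslint/parser`, `redux-devtools-extension`, `string-format`) are matched on name alone, so a license change in a future version of those packages would never be flagged; the `!` form used for `react-use` is the more conservative default unless there is a reason to suppress the warning.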