NEW Check that all dependency licesnes are permissive

emteknetnz · emteknetnz · commit 04fadc6d1e64 · 2024-12-17T18:24:35.000+13:00
diff --git a/action.yml b/action.yml
@@ -281,6 +281,14 @@ runs:
           echo "Running yarn lint"
           yarn run lint
         fi
+        # Validate licenses of all dependencies are permissive
+        echo "Checking licenses of all dependencies"
+        npm install -g license-checker
+        # A list of allowed software licesnses that are permissive - see https://spdx.org/licenses/ for a list of SPDX identifiers
+        # IMPORTANT! If this is updated also update the same variable in the "Run PHP linting" step
+        SPDX_ALLOWED_DELIMITED="MIT;MIT-0;ISC;0BSD;BSD-2-Clause;BSD-3-Clause;Apache-2.0;Python-2.0;CC0-1.0;CC-BY-3.0;CC-BY-4.0;Public Domain;Unlicense"
+        license-checker --production --unknown --out /dev/null --onlyAllow "$SPDX_ALLOWED_DELIMITED"
+        # If we get to this point, everything was successful
         echo "Passed"
 
     - name: "Run PHP linting"
@@ -302,6 +310,32 @@ runs:
           echo "Running PHPStan"
           vendor/bin/phpstan analyse
         fi
+        # Validate licenses of all dependencies are permissive
+        echo "Checking licenses of all dependencies"
+        composer global require madewithlove/license-checker
+        COMPOSER_GLOBAL_HOME=$(composer -q -n config --global home)
+        # A list of allowed software licesnses that are permissive - see https://spdx.org/licenses/ for a list of SPDX identifiers
+        # IMPORTANT! If this is updated also update the same variable in the "Run JS tests" step
+        SPDX_ALLOWED_DELIMITED="MIT;MIT-0;ISC;0BSD;BSD-2-Clause;BSD-3-Clause;Apache-2.0;Python-2.0;CC0-1.0;CC-BY-3.0;CC-BY-4.0;Public Domain;Unlicense"
+        # translate " " to "__" (and back again later) in case any dependencies have a space in them
+        # otherwise the bash for loop will split on the space
+        SPDX_ALLOWED_LIST=$(echo $SPDX_ALLOWED_DELIMITED | tr " " "__" | tr ";" "\n")
+        SPDX_USED_LIST=$($COMPOSER_GLOBAL_HOME/vendor/bin/license-checker --no-dev used)
+        for SPDX_USED in $SPDX_USED_LIST; do
+          IS_ALLOWED=0
+          for SPDX_ALLOWED in $SPDX_ALLOWED_LIST; do
+            SPDX_ALLOWED=$(echo $SPDX_ALLOWED | tr "__" " ")
+            if [[ $SPDX_USED == $SPDX_ALLOWED ]]; then
+              IS_ALLOWED=1
+              break
+            fi
+          done
+          if [[ $IS_ALLOWED == 0 ]]; then
+            echo "License $SPDX_USED found in composer dependecies is not allowed"
+            exit 1
+          fi
+        done
+        # If we get to this point, everything was successful
         echo "Passed"
 
     - name: "Run PHP coverage"
