[ci] run dash-licenses as part of GH workflow #9953
Conversation
marcdumais-work
added
ci
Add a "3PP FOSS license check" GitHub workflow, that uses the Eclipse Foundation dash-licences tool to validate the licenses of our npm dependencies. One can also run the license check locally with command: "yarn license:check" I have considered 3 alternatives: 1) add the license check as a step of the build job of the build workflow. The license check step needs to report success or it will fail the build job and the publish job (when it applies). If the license check reports success, it's burried in the multiple steps of its job, not discoverable from the PR page. 2) add the license check as a new job in the build workflow. This works better but there is redundency in the job - we need to re-install node, checkout the repo, etc. One advantage of this approach is that the license check has visibility in the PR's CI checks section and can be made to fail without impacting the other jobs. 3) (chosen) add a new workflow for the license check Like option 2, this gives the license check visibility in the PR's CI checks section and the job can fail without impacting other workflows/jobs. This option has the additional advantage that it's quite generic (for npm/yarn projects) and could be re-used more easily, without changing the main workflow of the adopting repo. Signed-off-by: Marc Dumais <[email protected]>
marcdumais-work
force-pushed
the
dash-licenses
branch
from
cd1519b to
a3a4f8f
Compare
paul-marechal
force-pushed
the
dash-licenses
branch
from
97afd41 to
ab01051
Compare
paul-marechal
force-pushed
the
dash-licenses
branch
from
ab01051 to
d8117e2
Compare
|
Also how do we deal with the failing CI? |
paul-marechal
force-pushed
the
dash-licenses
branch
2 times, most recently
from
15e23d6 to
55d652c
Compare
paul-marechal
force-pushed
the
dash-licenses
branch
from
55d652c to
cfec5e0
Compare
For now this is just informational. It's expected that the license check job will be shown as failed all the time. PRs that introduce new dependencies should still check them as per our process. In parallel, the dependencies that routinely fail the check are being investigated, and their number will slowly go down, eventually to zero (in theory). As a follow-up, we could add a white-list of dependencies that are know to be ok for our project (or at least being investigated), that would be filtered-out. |
I can see to implement this, because I am not fond of having a failed check on each and every PR from now on :) |
It does reflect reality though - not all that's listed is approved or being investigated ATM. |
|
Agreed, but I think "unknown" status is different from flat out "dependency license is problematic" hence why I would only expect to fail because of the latter. |
paul-marechal
force-pushed
the
dash-licenses
branch
from
0fa132a to
099145d
Compare
paul-marechal
force-pushed
the
dash-licenses
branch
from
099145d to
808cd45
Compare
|
\o/ Woohoo the 3PP check is green! I added a commit that implements a baseline: Even if The baseline is currently a map of entries (as reported by @marcdumais-work I invite you to fill the baseline with URLs to relevant CQs for what you know about. This should help with understanding what's the state of each dependency defined in this baseline. In the future as those dependencies get cleared or not, we shall remove entries from that baseline until it is emptied? |
|
Note that I also tried to update the documentation about PR handling regarding this new check. |
yes, we can do that. I submitted a CQ recently that should clear all our production dependencies, so for the most part, the baseline is composed of lower-priority test/build dependencies. |
Did a first pass, adding information in the `license-check-baseline.json` file. Signed-off-by: Marc Dumais <[email protected]>
Signed-off-by: Marc Dumais <[email protected]>
One bonus feature could be to list those baseline dependencies that have not come-up in the current scan. It probably means they can be removed, e.g. when we next modify that file. |
|
@marcdumais-work done. Apparently there were updates as entries that I had to include in the baseline yesterday seem to not be reported today:
edit: I also notice that GitHub action just got mixed up when printing stdout and stderr...It should look like this:
Weird quirk, but fine to me for now. |
|
Will merge after the 1.17.0 release. |
I manually ran the license-check in the "auto-submit" mode, which knocked-off a few dependencies. I'll do that once in a while. |
Add a "3PP FOSS license check" GitHub workflow that uses the Eclipse Foundation dash-licences tool to validate the licenses of our npm dependencies. One can also run the license check locally with command: "yarn license:check" I have considered 3 alternatives: 1) Add the license check as a step of the build job of the build workflow. The license check step needs to report success or it will fail the build job and the publish job (when it applies). If the license check reports success, it's buried in the multiple steps of its job, not discoverable from the PR page. 2) Add the license check as a new job in the build workflow. This works better but there is redundancy in the job - we need to re-install node, checkout the repo, etc. One advantage of this approach is that the license check has visibility in the PR's CI checks section and can be made to fail without impacting the other jobs. 3) _(chosen)_ Add a new workflow for the license check. Like option 2 this gives the license check visibility in the PR's CI checks section and the job can fail without impacting other workflows/jobs. This option has the additional benefit that it's quite generic (for npm/yarn projects) and could be re-used more easily, without changing the main workflow of the adopting repo. --- It is worth noting that there are some dependencies that are not yet completely cleared in this repository (which most likely come from the time before Theia was an Eclipse project). The tool exits with an error set because of those. The solution implemented here is to have a "baseline" of dependencies known to make `dash-licenses` trip, and to ignore the scan error only if everything that is being reported is part of the baseline. This means that the GitHub Action check on PRs should only fail if new "restricted" dependencies are introduced, which indicates that actions must be taken, such as creating CQs. Even when green it is worth checking the logs of the check since it will report any dependency that is no longer required in the baseline: This will happen once the various databases are updated following the CQs we fill! Signed-off-by: Marc Dumais <[email protected]> Co-authored-by: Paul Marechal <[email protected]>
Add a "3PP FOSS license check" GitHub workflow that uses the Eclipse Foundation dash-licences tool to validate the licenses of our npm dependencies. One can also run the license check locally with command: "yarn license:check" I have considered 3 alternatives: 1) Add the license check as a step of the build job of the build workflow. The license check step needs to report success or it will fail the build job and the publish job (when it applies). If the license check reports success, it's buried in the multiple steps of its job, not discoverable from the PR page. 2) Add the license check as a new job in the build workflow. This works better but there is redundancy in the job - we need to re-install node, checkout the repo, etc. One advantage of this approach is that the license check has visibility in the PR's CI checks section and can be made to fail without impacting the other jobs. 3) _(chosen)_ Add a new workflow for the license check. Like option 2 this gives the license check visibility in the PR's CI checks section and the job can fail without impacting other workflows/jobs. This option has the additional benefit that it's quite generic (for npm/yarn projects) and could be re-used more easily, without changing the main workflow of the adopting repo. --- It is worth noting that there are some dependencies that are not yet completely cleared in this repository (which most likely come from the time before Theia was an Eclipse project). The tool exits with an error set because of those. The solution implemented here is to have a "baseline" of dependencies known to make `dash-licenses` trip, and to ignore the scan error only if everything that is being reported is part of the baseline. This means that the GitHub Action check on PRs should only fail if new "restricted" dependencies are introduced, which indicates that actions must be taken, such as creating CQs. Even when green it is worth checking the logs of the check since it will report any dependency that is no longer required in the baseline: This will happen once the various databases are updated following the CQs we fill! Signed-off-by: Marc Dumais <[email protected]> Co-authored-by: Paul Marechal <[email protected]>
What it does
Add a "3PP FOSS license check" GitHub workflow, that uses
the Eclipse Foundation's
dash-licencestool to validate thelicenses of our npm dependencies.
One can also run the license check locally with command:
"yarn license:check"
I have considered 3 alternatives:
(1) add the license check as a step of the build job of the build workflow.
The license check step needs to report
success or it will fail the build job and the publish job
(when it applies). If the license check reports success, it's
burried in the multiple steps of its job, not discoverable
from the PR page.
(2) add the license check as a new job in the build workflow.
This works better but there is redundency in the job - we need
to re-install node, checkout the repo, etc.
One advantage of this approach is that the license check has
visibility in the PR's CI checks section and can be made to fail
without impacting the other jobs.
(3) (chosen) add a new workflow for the license check
Like option 2, this gives the license check visibility
in the PR's CI checks section and the job can fail without impacting
other workflows/jobs.
This option has the additional advantage that it's quite
generic (npm/yarn projects) and could be re-used more
easily, without changing the main workflow of the adopting repo.
How to test
yarn license:checkand verify that ~38 dependencies are found that need attention3PP License Checkfails, and in the log, lists the same dependenciesReview checklist
Reminder for reviewers