mirror of
https://github.com/Frooodle/Stirling-PDF.git
synced 2026-03-13 02:18:16 +01:00
8bb807471f
# Description of Changes This pull request updates the CI/CD workflows and Gradle configuration to improve build reproducibility, security, and external dependency management. The main changes include standardizing Gradle setup across workflows, securely injecting Maven credentials, and enabling Gradle build caching. There are also minor improvements to dependency version management and plugin repository configuration. **CI/CD Workflow Improvements:** - Standardized Gradle setup across all GitHub Actions workflows by explicitly adding a `Setup Gradle` step using `gradle/actions/setup-gradle@v5.0.0` and specifying Gradle version 8.14. This replaces previous usages and ensures consistency. [[1]](diffhunk://#diff-5c3fa597431eda03ac3339ae6bf7f05e1a50d6fc7333679ec38e21b337cb6721R71-R81) [[2]](diffhunk://#diff-8d23782ae5caff72d55828bb25814854f5f2523f299d7dbcda4a3537dd84c5c3L157-R176) [[3]](diffhunk://#diff-5c3fa597431eda03ac3339ae6bf7f05e1a50d6fc7333679ec38e21b337cb6721R134-R144) [[4]](diffhunk://#diff-5c3fa597431eda03ac3339ae6bf7f05e1a50d6fc7333679ec38e21b337cb6721R206-R216) [[5]](diffhunk://#diff-5c3fa597431eda03ac3339ae6bf7f05e1a50d6fc7333679ec38e21b337cb6721R260-R264) [[6]](diffhunk://#diff-5c3fa597431eda03ac3339ae6bf7f05e1a50d6fc7333679ec38e21b337cb6721R331-R341) [[7]](diffhunk://#diff-3c0f521958c53ad27c967692b4d5480ead136acb33622ee97d39df814b1b202eR339-R351) [[8]](diffhunk://#diff-895b214ee023c8c26048a2a3b946cfb1ebc4f26fbc8a9c2fa54b77c12e763b6bL53-R54) [[9]](diffhunk://#diff-895b214ee023c8c26048a2a3b946cfb1ebc4f26fbc8a9c2fa54b77c12e763b6bL121-R127) [[10]](diffhunk://#diff-895b214ee023c8c26048a2a3b946cfb1ebc4f26fbc8a9c2fa54b77c12e763b6bR206-R217) [[11]](diffhunk://#diff-6a2e9fb077e57351f4a7e10d03b114e256298babdf06e7e7ae666781a5cf36a1R60-R70) [[12]](diffhunk://#diff-62dcbe64a950b4efb54d691e1e87451a8cd535400aa9ea1e40893de5b57cd73bL45-R46) [[13]](diffhunk://#diff-76056236de05155107f6a660f1e3956059e37338011b8f0e72188afcb9b17b6fL46-R56) [[14]](diffhunk://#diff-fd60dc2adec58c1005c4e4164e9c24362fd6082fd3ab0403e54d276d9835fa6eL42-R65) [[15]](diffhunk://#diff-b34ab107dd4bc92075b2e89b6f16e4a2813e267ca7c2afebdb1931a0a3900d5aR102-R114) [[16]](diffhunk://#diff-98b618771a57e1758961359ecacbac2cff7cfef29aa021c3bc294ae926c4ce5bL47-R51) - Enabled Gradle build cache (`--build-cache`) for all build-related commands in workflows, improving build performance and consistency. Also removed unnecessary `clean` commands before builds to further optimize workflow times. [[1]](diffhunk://#diff-5c3fa597431eda03ac3339ae6bf7f05e1a50d6fc7333679ec38e21b337cb6721R71-R81) [[2]](diffhunk://#diff-8d23782ae5caff72d55828bb25814854f5f2523f299d7dbcda4a3537dd84c5c3L157-R176) [[3]](diffhunk://#diff-5c3fa597431eda03ac3339ae6bf7f05e1a50d6fc7333679ec38e21b337cb6721R134-R144) [[4]](diffhunk://#diff-5c3fa597431eda03ac3339ae6bf7f05e1a50d6fc7333679ec38e21b337cb6721R206-R216) [[5]](diffhunk://#diff-5c3fa597431eda03ac3339ae6bf7f05e1a50d6fc7333679ec38e21b337cb6721R331-R341) [[6]](diffhunk://#diff-3c0f521958c53ad27c967692b4d5480ead136acb33622ee97d39df814b1b202eR339-R351) [[7]](diffhunk://#diff-895b214ee023c8c26048a2a3b946cfb1ebc4f26fbc8a9c2fa54b77c12e763b6bL134-R144) [[8]](diffhunk://#diff-895b214ee023c8c26048a2a3b946cfb1ebc4f26fbc8a9c2fa54b77c12e763b6bR206-R217) [[9]](diffhunk://#diff-6a2e9fb077e57351f4a7e10d03b114e256298babdf06e7e7ae666781a5cf36a1R60-R70) [[10]](diffhunk://#diff-76056236de05155107f6a660f1e3956059e37338011b8f0e72188afcb9b17b6fL46-R56) [[11]](diffhunk://#diff-fd60dc2adec58c1005c4e4164e9c24362fd6082fd3ab0403e54d276d9835fa6eL42-R65) [[12]](diffhunk://#diff-b34ab107dd4bc92075b2e89b6f16e4a2813e267ca7c2afebdb1931a0a3900d5aR102-R114) [[13]](diffhunk://#diff-98b618771a57e1758961359ecacbac2cff7cfef29aa021c3bc294ae926c4ce5bL47-R51) **Security and Dependency Management:** - Injected Maven credentials (`MAVEN_USER`, `MAVEN_PASSWORD`, `MAVEN_PUBLIC_URL`) as environment variables in all relevant workflow steps, supporting secure access to private or custom Maven repositories. [[1]](diffhunk://#diff-5c3fa597431eda03ac3339ae6bf7f05e1a50d6fc7333679ec38e21b337cb6721R71-R81) [[2]](diffhunk://#diff-8d23782ae5caff72d55828bb25814854f5f2523f299d7dbcda4a3537dd84c5c3L157-R176) [[3]](diffhunk://#diff-5c3fa597431eda03ac3339ae6bf7f05e1a50d6fc7333679ec38e21b337cb6721R134-R144) [[4]](diffhunk://#diff-5c3fa597431eda03ac3339ae6bf7f05e1a50d6fc7333679ec38e21b337cb6721R206-R216) [[5]](diffhunk://#diff-5c3fa597431eda03ac3339ae6bf7f05e1a50d6fc7333679ec38e21b337cb6721R290-R293) [[6]](diffhunk://#diff-5c3fa597431eda03ac3339ae6bf7f05e1a50d6fc7333679ec38e21b337cb6721R331-R341) [[7]](diffhunk://#diff-3c0f521958c53ad27c967692b4d5480ead136acb33622ee97d39df814b1b202eR339-R351) [[8]](diffhunk://#diff-895b214ee023c8c26048a2a3b946cfb1ebc4f26fbc8a9c2fa54b77c12e763b6bR66-R69) [[9]](diffhunk://#diff-895b214ee023c8c26048a2a3b946cfb1ebc4f26fbc8a9c2fa54b77c12e763b6bL134-R144) [[10]](diffhunk://#diff-895b214ee023c8c26048a2a3b946cfb1ebc4f26fbc8a9c2fa54b77c12e763b6bR281-R283) [[11]](diffhunk://#diff-62dcbe64a950b4efb54d691e1e87451a8cd535400aa9ea1e40893de5b57cd73bR57-R60) [[12]](diffhunk://#diff-76056236de05155107f6a660f1e3956059e37338011b8f0e72188afcb9b17b6fR73-R76) [[13]](diffhunk://#diff-fd60dc2adec58c1005c4e4164e9c24362fd6082fd3ab0403e54d276d9835fa6eL42-R65) [[14]](diffhunk://#diff-b34ab107dd4bc92075b2e89b6f16e4a2813e267ca7c2afebdb1931a0a3900d5aR178-R180) [[15]](diffhunk://#diff-98b618771a57e1758961359ecacbac2cff7cfef29aa021c3bc294ae926c4ce5bL47-R51) - Added a `pluginManagement` block in `settings.gradle` to allow Gradle plugins to be resolved from a custom Maven repository if specified by environment variables, increasing flexibility for plugin sourcing. **Build and Dependency Versioning:** - Updated `app/proprietary/build.gradle` to use the `bouncycastleVersion` variable for the Bouncy Castle dependency version, improving maintainability and consistency of dependency versioning. **Workflow Trigger Improvements:** - Expanded the file path triggers in `.github/workflows/sync_files_v2.yml` to include additional Gradle build files, ensuring the workflow runs when any core build files are changed. --- ## Checklist ### General - [ ] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md) - [ ] I have read the [Stirling-PDF Developer Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md) (if applicable) - [ ] I have read the [How to add new languages to Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md) (if applicable) - [ ] I have performed a self-review of my own code - [ ] My changes generate no new warnings ### Documentation - [ ] I have updated relevant docs on [Stirling-PDF's doc repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/) (if functionality has heavily changed) - [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only) ### Translations (if applicable) - [ ] I ran [`scripts/counter_translation.py`](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/docs/counter_translation.md) ### UI Changes (if applicable) - [ ] Screenshots or videos demonstrating the UI changes are attached (e.g., as comments or direct attachments in the PR) ### Testing (if applicable) - [ ] I have tested my changes locally. Refer to the [Testing Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md#6-testing) for more details.
519 lines
21 KiB
YAML
519 lines
21 KiB
YAML
name: License Report Workflow
|
||
|
||
on:
|
||
push:
|
||
branches:
|
||
- main
|
||
pull_request:
|
||
branches:
|
||
- main
|
||
|
||
concurrency:
|
||
group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref_name || github.ref }}
|
||
cancel-in-progress: true
|
||
|
||
permissions:
|
||
contents: read
|
||
|
||
jobs:
|
||
files-changed:
|
||
name: detect what files changed
|
||
runs-on: ubuntu-latest
|
||
timeout-minutes: 3
|
||
outputs:
|
||
licenses-frontend: ${{ steps.changes.outputs.licenses-frontend }}
|
||
licenses-backend: ${{ steps.changes.outputs.licenses-backend }}
|
||
steps:
|
||
- name: Harden the runner (Audit all outbound calls)
|
||
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
|
||
with:
|
||
egress-policy: audit
|
||
|
||
- name: Checkout repository
|
||
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
|
||
|
||
- name: Check for file changes
|
||
uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
|
||
id: changes
|
||
with:
|
||
filters: .github/config/.files.yaml
|
||
|
||
generate-frontend-license-report:
|
||
if: needs.files-changed.outputs.licenses-frontend == 'true'
|
||
name: Generate Frontend License Report
|
||
needs: files-changed
|
||
runs-on: ubuntu-latest
|
||
permissions:
|
||
contents: write
|
||
pull-requests: write
|
||
repository-projects: write # Required for enabling automerge
|
||
steps:
|
||
- name: Harden Runner
|
||
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
|
||
with:
|
||
egress-policy: audit
|
||
|
||
- name: Checkout PR head (default)
|
||
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
|
||
with:
|
||
fetch-depth: 0
|
||
persist-credentials: false
|
||
|
||
- name: Setup GitHub App Bot
|
||
if: (github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false)) && github.actor != 'dependabot[bot]'
|
||
id: setup-bot
|
||
uses: ./.github/actions/setup-bot
|
||
with:
|
||
app-id: ${{ secrets.GH_APP_ID }}
|
||
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
|
||
|
||
- name: Checkout BASE branch (safe script)
|
||
if: github.event_name == 'pull_request'
|
||
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
|
||
with:
|
||
ref: ${{ github.event.pull_request.base.sha }}
|
||
path: base
|
||
fetch-depth: 1
|
||
persist-credentials: false
|
||
|
||
- name: Set up Node.js
|
||
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
|
||
with:
|
||
node-version: "22"
|
||
cache: "npm"
|
||
cache-dependency-path: frontend/package-lock.json
|
||
|
||
- name: Install frontend dependencies
|
||
working-directory: frontend
|
||
env:
|
||
NPM_CONFIG_IGNORE_SCRIPTS: "true"
|
||
run: npm ci --ignore-scripts --audit=false --fund=false
|
||
|
||
- name: Generate frontend license report (internal PR)
|
||
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false
|
||
working-directory: frontend
|
||
env:
|
||
PR_IS_FORK: "false"
|
||
run: npm run generate-licenses
|
||
|
||
- name: Generate frontend license report (fork PRs, pinned)
|
||
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
|
||
env:
|
||
NPM_CONFIG_IGNORE_SCRIPTS: "true"
|
||
working-directory: frontend
|
||
run: |
|
||
mkdir -p src/assets
|
||
npx --yes license-report --only=prod --output=json > src/assets/3rdPartyLicenses.json
|
||
|
||
- name: Postprocess with project script (BASE version)
|
||
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
|
||
env:
|
||
PR_IS_FORK: "true"
|
||
run: |
|
||
node base/frontend/scripts/generate-licenses.js \
|
||
--input frontend/src/assets/3rdPartyLicenses.json
|
||
|
||
- name: Copy postprocessed artifacts back (fork PRs)
|
||
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
|
||
run: |
|
||
mkdir -p frontend/src/assets
|
||
if [ -f "base/frontend/src/assets/3rdPartyLicenses.json" ]; then
|
||
cp base/frontend/src/assets/3rdPartyLicenses.json frontend/src/assets/3rdPartyLicenses.json
|
||
fi
|
||
if [ -f "base/frontend/src/assets/license-warnings.json" ]; then
|
||
cp base/frontend/src/assets/license-warnings.json frontend/src/assets/license-warnings.json
|
||
fi
|
||
|
||
- name: Check for license warnings
|
||
run: |
|
||
if [ -f "frontend/src/assets/license-warnings.json" ]; then
|
||
echo "LICENSE_WARNINGS_EXIST=true" >> $GITHUB_ENV
|
||
else
|
||
echo "LICENSE_WARNINGS_EXIST=false" >> $GITHUB_ENV
|
||
fi
|
||
|
||
# PR Event: Check licenses and comment on PR
|
||
- name: Delete previous license check comments
|
||
if: (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false) && github.actor != 'dependabot[bot]'
|
||
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
|
||
with:
|
||
github-token: ${{ steps.setup-bot.outputs.token }}
|
||
script: |
|
||
const { owner, repo } = context.repo;
|
||
const prNumber = context.issue.number;
|
||
|
||
// Get all comments on the PR
|
||
const { data: comments } = await github.rest.issues.listComments({
|
||
owner,
|
||
repo,
|
||
issue_number: prNumber,
|
||
per_page: 100
|
||
});
|
||
|
||
// Filter for license check comments
|
||
const licenseComments = comments.filter(comment =>
|
||
comment.body.includes('## ✅ Frontend License Check Passed') ||
|
||
comment.body.includes('## ❌ Frontend License Check Failed')
|
||
);
|
||
|
||
// Delete old license check comments
|
||
for (const comment of licenseComments) {
|
||
console.log(`Deleting old license check comment: ${comment.id}`);
|
||
await github.rest.issues.deleteComment({
|
||
owner,
|
||
repo,
|
||
comment_id: comment.id
|
||
});
|
||
}
|
||
|
||
- name: Summarize results (fork PRs)
|
||
if: (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true) || github.actor == 'dependabot[bot]'
|
||
run: |
|
||
{
|
||
echo "## Frontend License Check"
|
||
echo ""
|
||
if [ "${LICENSE_WARNINGS_EXIST}" = "true" ]; then
|
||
echo "❌ **Failed** – incompatible or unknown licenses found."
|
||
if [ -f "frontend/src/assets/license-warnings.json" ]; then
|
||
echo ""
|
||
echo "### Warnings"
|
||
jq -r '.warnings[] | "- \(.message)"' frontend/src/assets/license-warnings.json || true
|
||
fi
|
||
else
|
||
echo "✅ **Passed** – no license warnings detected."
|
||
fi
|
||
echo ""
|
||
echo "_Note: This is a fork PR. PR comments are disabled; use this summary._"
|
||
} >> "$GITHUB_STEP_SUMMARY"
|
||
|
||
- name: Comment on PR - License Check Results
|
||
if: (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false) && github.actor != 'dependabot[bot]'
|
||
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
|
||
with:
|
||
github-token: ${{ steps.setup-bot.outputs.token }}
|
||
script: |
|
||
const { owner, repo } = context.repo;
|
||
const prNumber = context.issue.number;
|
||
const hasWarnings = process.env.LICENSE_WARNINGS_EXIST === 'true';
|
||
|
||
let commentBody;
|
||
|
||
if (hasWarnings) {
|
||
// Read warnings file to get specific issues
|
||
const fs = require('fs');
|
||
let warningDetails = '';
|
||
try {
|
||
const warnings = JSON.parse(fs.readFileSync('frontend/src/assets/license-warnings.json', 'utf8'));
|
||
warningDetails = warnings.warnings.map(w => `- ${w.message}`).join('\n');
|
||
} catch (e) {
|
||
warningDetails = 'Unable to read warning details';
|
||
}
|
||
|
||
commentBody = `## ❌ Frontend License Check Failed
|
||
|
||
The frontend license check has detected compatibility warnings that require review:
|
||
|
||
${warningDetails}
|
||
|
||
**Action Required:** Please review these licenses to ensure they are acceptable for your use case before merging.
|
||
|
||
_This check will fail the PR until license issues are resolved._`;
|
||
} else {
|
||
commentBody = `## ✅ Frontend License Check Passed
|
||
|
||
All frontend licenses have been validated and no compatibility warnings were detected.
|
||
|
||
The frontend license report has been updated successfully.`;
|
||
}
|
||
|
||
await github.rest.issues.createComment({
|
||
owner,
|
||
repo,
|
||
issue_number: prNumber,
|
||
body: commentBody
|
||
});
|
||
|
||
- name: Fail workflow if license warnings exist (PR only)
|
||
if: github.event_name == 'pull_request' && env.LICENSE_WARNINGS_EXIST == 'true'
|
||
run: |
|
||
echo "❌ License warnings detected. Failing the workflow."
|
||
exit 1
|
||
|
||
# Push Event: Commit license files and create PR
|
||
- name: Commit changes (Push only)
|
||
if: github.event_name == 'push'
|
||
run: |
|
||
git add frontend/src/assets/3rdPartyLicenses.json
|
||
# Note: Do NOT commit license-warnings.json - it's only for PR review
|
||
git diff --staged --quiet || echo "CHANGES_DETECTED=true" >> $GITHUB_ENV
|
||
|
||
- name: Prepare PR body (Push only)
|
||
if: github.event_name == 'push'
|
||
run: |
|
||
PR_BODY="Auto-generated by ${{ steps.setup-bot.outputs.app-slug }}[bot]
|
||
|
||
This PR updates the frontend license report based on changes to package.json dependencies."
|
||
|
||
if [ "${{ env.LICENSE_WARNINGS_EXIST }}" = "true" ]; then
|
||
PR_BODY="$PR_BODY
|
||
|
||
## ⚠️ License Compatibility Warnings
|
||
|
||
The following licenses may require review for corporate compatibility:
|
||
|
||
$(cat frontend/src/assets/license-warnings.json | jq -r '.warnings[].message')
|
||
|
||
Please review these licenses to ensure they are acceptable for your use case."
|
||
fi
|
||
|
||
echo "PR_BODY<<EOF" >> $GITHUB_ENV
|
||
echo "$PR_BODY" >> $GITHUB_ENV
|
||
echo "EOF" >> $GITHUB_ENV
|
||
|
||
- name: Create Pull Request (Push only)
|
||
id: cpr
|
||
if: github.event_name == 'push' && env.CHANGES_DETECTED == 'true'
|
||
uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
|
||
with:
|
||
token: ${{ steps.setup-bot.outputs.token }}
|
||
commit-message: "Update Frontend 3rd Party Licenses"
|
||
committer: ${{ steps.setup-bot.outputs.committer }}
|
||
author: ${{ steps.setup-bot.outputs.committer }}
|
||
signoff: true
|
||
branch: update-frontend-3rd-party-licenses
|
||
base: main
|
||
title: "Update Frontend 3rd Party Licenses"
|
||
body: ${{ env.PR_BODY }}
|
||
labels: Licenses,github-actions,frontend
|
||
draft: false
|
||
delete-branch: true
|
||
sign-commits: true
|
||
|
||
- name: Enable Pull Request Automerge (Push only)
|
||
if: github.event_name == 'push' && steps.cpr.outputs.pull-request-operation == 'created' && env.LICENSE_WARNINGS_EXIST == 'false'
|
||
run: gh pr merge --squash --auto "${{ steps.cpr.outputs.pull-request-number }}"
|
||
env:
|
||
GH_TOKEN: ${{ steps.setup-bot.outputs.token }}
|
||
|
||
- name: Add review required label (Push only)
|
||
if: github.event_name == 'push' && steps.cpr.outputs.pull-request-operation == 'created' && env.LICENSE_WARNINGS_EXIST == 'true'
|
||
run: gh pr edit "${{ steps.cpr.outputs.pull-request-number }}" --add-label "license-review-required"
|
||
env:
|
||
GH_TOKEN: ${{ steps.setup-bot.outputs.token }}
|
||
|
||
generate-backend-license-report:
|
||
if: needs.files-changed.outputs.licenses-backend == 'true'
|
||
needs: files-changed
|
||
name: Generate Backend License Report
|
||
runs-on: ubuntu-latest
|
||
permissions:
|
||
contents: write
|
||
pull-requests: write
|
||
repository-projects: write # Required for enabling automerge
|
||
steps:
|
||
- name: Harden Runner
|
||
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
|
||
with:
|
||
egress-policy: audit
|
||
|
||
- name: Checkout repository
|
||
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
|
||
with:
|
||
fetch-depth: 0
|
||
persist-credentials: false
|
||
|
||
- name: Setup GitHub App Bot
|
||
if: (github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false)) && github.actor != 'dependabot[bot]'
|
||
id: setup-bot
|
||
uses: ./.github/actions/setup-bot
|
||
with:
|
||
app-id: ${{ secrets.GH_APP_ID }}
|
||
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
|
||
|
||
- name: Set up JDK 21
|
||
uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
|
||
with:
|
||
java-version: "21"
|
||
distribution: "temurin"
|
||
|
||
- name: Setup Gradle
|
||
uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
|
||
with:
|
||
gradle-version: 8.14
|
||
|
||
- name: Check licenses and generate report
|
||
id: license-check
|
||
run: |
|
||
./gradlew checkLicense generateLicenseReport || echo "LICENSE_CHECK_FAILED=true" >> $GITHUB_ENV
|
||
env:
|
||
MAVEN_USER: ${{ secrets.MAVEN_USER }}
|
||
MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }}
|
||
MAVEN_PUBLIC_URL: ${{ secrets.MAVEN_PUBLIC_URL }}
|
||
DISABLE_ADDITIONAL_FEATURES: false
|
||
STIRLING_PDF_DESKTOP_UI: true
|
||
|
||
- name: Check for license compatibility issues
|
||
run: |
|
||
if [ -f build/reports/dependency-license/dependencies-without-allowed-license.json ] && \
|
||
jq '.dependenciesWithoutAllowedLicenses | length > 0' build/reports/dependency-license/dependencies-without-allowed-license.json | grep -q true; then
|
||
echo "LICENSE_WARNINGS_EXIST=true" >> $GITHUB_ENV
|
||
else
|
||
echo "LICENSE_WARNINGS_EXIST=false" >> $GITHUB_ENV
|
||
fi
|
||
if: always()
|
||
|
||
- name: Upload artifact on license issues
|
||
if: env.LICENSE_WARNINGS_EXIST == 'true'
|
||
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
|
||
with:
|
||
name: backend-dependencies-without-allowed-license.json
|
||
path: build/reports/dependency-license/dependencies-without-allowed-license.json
|
||
|
||
- name: Move license file
|
||
if: env.LICENSE_CHECK_FAILED != 'true' && env.LICENSE_WARNINGS_EXIST == 'false'
|
||
run: |
|
||
mkdir -p app/core/src/main/resources/static
|
||
cp build/reports/dependency-license/index.json app/core/src/main/resources/static/3rdPartyLicenses.json
|
||
|
||
- name: Delete previous backend license check comments
|
||
if: (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false) && github.actor != 'dependabot[bot]'
|
||
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
|
||
with:
|
||
github-token: ${{ steps.setup-bot.outputs.token }}
|
||
script: |
|
||
const { owner, repo } = context.repo;
|
||
const prNumber = context.issue.number;
|
||
|
||
const { data: comments } = await github.rest.issues.listComments({
|
||
owner,
|
||
repo,
|
||
issue_number: prNumber,
|
||
per_page: 100
|
||
});
|
||
|
||
const backendLicenseComments = comments.filter(comment =>
|
||
comment.body.includes('## ✅ Backend License Check Passed') ||
|
||
comment.body.includes('## ❌ Backend License Check Failed')
|
||
);
|
||
|
||
for (const comment of backendLicenseComments) {
|
||
console.log(`Deleting old backend license comment: ${comment.id}`);
|
||
await github.rest.issues.deleteComment({
|
||
owner,
|
||
repo,
|
||
comment_id: comment.id
|
||
});
|
||
}
|
||
|
||
- name: Comment on PR - Backend License Check Results
|
||
if: (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false) && github.actor != 'dependabot[bot]'
|
||
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
|
||
with:
|
||
github-token: ${{ steps.setup-bot.outputs.token }}
|
||
script: |
|
||
const hasWarnings = process.env.LICENSE_WARNINGS_EXIST === 'true';
|
||
const fs = require('fs');
|
||
let warningDetails = '';
|
||
|
||
if (hasWarnings) {
|
||
try {
|
||
const warningsFile = 'build/reports/dependency-license/dependencies-without-allowed-license.json';
|
||
if (fs.existsSync(warningsFile)) {
|
||
const data = JSON.parse(fs.readFileSync(warningsFile, 'utf8'));
|
||
if (data.length > 0) {
|
||
warningDetails = data.map(dep => `- **${dep.moduleName}@${dep.moduleVersion}** – ${dep.moduleLicenses.map(l => l.licenseName).join(', ')}`).join('\n');
|
||
}
|
||
}
|
||
} catch (e) {
|
||
warningDetails = 'Unable to parse warning details.';
|
||
}
|
||
}
|
||
|
||
let commentBody;
|
||
if (hasWarnings) {
|
||
commentBody = `## ❌ Backend License Check Failed
|
||
|
||
The backend license check has detected dependencies with incompatible or unallowed licenses:
|
||
|
||
${warningDetails || 'See uploaded artifact for details.'}
|
||
|
||
**Action Required:** Please review these licenses and resolve before merging.
|
||
|
||
_This check will fail the PR until license issues are resolved._`;
|
||
} else {
|
||
commentBody = `## ✅ Backend License Check Passed
|
||
|
||
All backend dependencies have valid and allowed licenses.
|
||
|
||
The backend license report has been updated successfully.`;
|
||
}
|
||
|
||
await github.rest.issues.createComment({
|
||
owner: context.repo.owner,
|
||
repo: context.repo.repo,
|
||
issue_number: context.issue.number,
|
||
body: commentBody
|
||
});
|
||
|
||
- name: Fail workflow if license warnings exist (PR only)
|
||
if: github.event_name == 'pull_request' && env.LICENSE_WARNINGS_EXIST == 'true'
|
||
run: |
|
||
echo "❌ Backend license warnings detected. Failing the workflow."
|
||
exit 1
|
||
|
||
- name: Commit changes (push only)
|
||
if: github.event_name == 'push' && env.LICENSE_WARNINGS_EXIST == 'false'
|
||
run: |
|
||
git config user.name "${{ steps.setup-bot.outputs.committer }}"
|
||
git config user.email "${{ steps.setup-bot.outputs.committer-email || 'bot@github.com' }}"
|
||
git add app/core/src/main/resources/static/3rdPartyLicenses.json
|
||
git diff --staged --quiet || echo "CHANGES_DETECTED=true" >> $GITHUB_ENV
|
||
|
||
- name: Prepare PR body (push only)
|
||
if: github.event_name == 'push' && env.CHANGES_DETECTED == 'true'
|
||
run: |
|
||
PR_BODY="Auto-generated by ${{ steps.setup-bot.outputs.app-slug }}[bot]
|
||
|
||
This PR updates the backend license report based on dependency changes."
|
||
|
||
if [ "${{ env.LICENSE_WARNINGS_EXIST }}" = "true" ]; then
|
||
PR_BODY="$PR_BODY
|
||
|
||
## ⚠️ License Compatibility Warnings
|
||
|
||
Incompatible licenses detected – manual review required before merge."
|
||
fi
|
||
echo "PR_BODY<<EOF" >> $GITHUB_ENV
|
||
echo "$PR_BODY" >> $GITHUB_ENV
|
||
echo "EOF" >> $GITHUB_ENV
|
||
|
||
- name: Create Pull Request (push only)
|
||
if: github.event_name == 'push' && env.CHANGES_DETECTED == 'true'
|
||
id: cpr
|
||
uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
|
||
with:
|
||
token: ${{ steps.setup-bot.outputs.token }}
|
||
commit-message: "Update Backend 3rd Party Licenses"
|
||
committer: ${{ steps.setup-bot.outputs.committer }}
|
||
author: ${{ steps.setup-bot.outputs.committer }}
|
||
signoff: true
|
||
branch: update-backend-3rd-party-licenses
|
||
base: main
|
||
title: "Update Backend 3rd Party Licenses"
|
||
body: ${{ env.PR_BODY }}
|
||
labels: Licenses,github-actions,backend
|
||
delete-branch: true
|
||
sign-commits: true
|
||
|
||
- name: Enable Pull Request Automerge (push only, no warnings)
|
||
if: github.event_name == 'push' && steps.cpr.outputs.pull-request-operation == 'created' && env.LICENSE_WARNINGS_EXIST == 'false'
|
||
run: gh pr merge --squash --auto "${{ steps.cpr.outputs.pull-request-number }}"
|
||
env:
|
||
GH_TOKEN: ${{ steps.setup-bot.outputs.token }}
|
||
|
||
- name: Add review required label (push only, with warnings)
|
||
if: github.event_name == 'push' && steps.cpr.outputs.pull-request-operation == 'created' && env.LICENSE_WARNINGS_EXIST == 'true'
|
||
run: gh pr edit "${{ steps.cpr.outputs.pull-request-number }}" --add-label "license-review-required"
|
||
env:
|
||
GH_TOKEN: ${{ steps.setup-bot.outputs.token }}
|