mirror of
https://github.com/Frooodle/Stirling-PDF.git
synced 2026-03-13 02:18:16 +01:00
daf27b6128
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.12.1 to 2.14.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/step-security/harden-runner/releases">step-security/harden-runner's releases</a>.</em></p> <blockquote> <h2>v2.14.0</h2> <h2>What's Changed</h2> <ul> <li>Selective installation: Harden-Runner now skips installation on GitHub-hosted runners when the repository has a custom property skip_harden_runner, allowing organizations to opt out specific repos.</li> <li>Avoid double install: The action no longer installs Harden-Runner if it’s already present on a GitHub-hosted runner, which could happen when a composite action also installs it.</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2.13.3...v2.14.0">https://github.com/step-security/harden-runner/compare/v2.13.3...v2.14.0</a></p> <h2>v2.13.3</h2> <h2>What's Changed</h2> <ul> <li>Fixed an issue where process events were not uploaded in certain edge cases.</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2.13.2...v2.13.3">https://github.com/step-security/harden-runner/compare/v2.13.2...v2.13.3</a></p> <h2>v2.13.2</h2> <h2>What's Changed</h2> <ul> <li>Fixed an issue where there was a limit of 512 allowed endpoints when using block egress policy. This restriction has been removed, allowing for an unlimited number of endpoints to be configured.</li> <li>Harden Runner now automatically detects if the agent is already pre-installed on a custom VM image used by a GitHub-hosted runner. When detected, the action will skip reinstallation and use the existing agent.</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2.13.1...v2.13.2">https://github.com/step-security/harden-runner/compare/v2.13.1...v2.13.2</a></p> <h2>v2.13.1</h2> <h2>What's Changed</h2> <ul> <li> <p>Graceful handling of HTTP errors: Improved error handling when fetching Harden Runner policies from the StepSecurity Policy Store API, ensuring more reliable execution even in case of temporary network/API issues.</p> </li> <li> <p>Security updates for npm dependencies: Updated vulnerable npm package dependencies to the latest secure versions.</p> </li> <li> <p>Faster enterprise agent downloads: The enterprise agent is now downloaded from GitHub Releases instead of packages.stepsecurity.io, improving download speed and reliability.</p> </li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2.13.0...v2.13.1">https://github.com/step-security/harden-runner/compare/v2.13.0...v2.13.1</a></p> <h2>v2.13.0</h2> <h2>What's Changed</h2> <ul> <li>Improved job markdown summary</li> <li>Https monitoring for all domains (included with the enterprise tier)</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2...v2.13.0">https://github.com/step-security/harden-runner/compare/v2...v2.13.0</a></p> <h2>v2.12.2</h2> <h2>What's Changed</h2> <p>Added HTTPS Monitoring for additional destinations - *.githubusercontent.com Bug fixes:</p> <ul> <li>Implicitly allow local multicast, local unicast and broadcast IP addresses in block mode</li> <li>Increased policy map size for block mode</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="20cf305ff2"><code>20cf305</code></a> Merge pull request <a href="https://redirect.github.com/step-security/harden-runner/issues/622">#622</a> from step-security/feature/custom-property-skip</li> <li><a href="c51e8eeb6c"><code>c51e8ee</code></a> feat: skip agent install and post step on subsequent runs for GitHub-hosted r...</li> <li><a href="e152b90204"><code>e152b90</code></a> feat: skip harden-runner based on repository custom property</li> <li><a href="ee1faec052"><code>ee1faec</code></a> feat: replace skip-harden-runner with skip-on-custom-property input</li> <li><a href="1dc7c17646"><code>1dc7c17</code></a> feat: add skip-harden-runner input to conditionally skip execution</li> <li><a href="df199fb7be"><code>df199fb</code></a> Merge pull request <a href="https://redirect.github.com/step-security/harden-runner/issues/620">#620</a> from step-security/rc-29</li> <li><a href="03d096a772"><code>03d096a</code></a> update agent</li> <li><a href="40901073af"><code>4090107</code></a> fix: update agent</li> <li><a href="95d9a5deda"><code>95d9a5d</code></a> Merge pull request <a href="https://redirect.github.com/step-security/harden-runner/issues/606">#606</a> from step-security/rc-28</li> <li><a href="87e429d3fb"><code>87e429d</code></a> Update limitations.md</li> <li>Additional commits viewable in <a href="https://github.com/step-security/harden-runner/compare/v2.12.1...20cf305ff2072d973412fa9b1e3a4f227bda3c76">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
511 lines
21 KiB
YAML
511 lines
21 KiB
YAML
name: License Report Workflow
|
||
|
||
on:
|
||
push:
|
||
branches:
|
||
- main
|
||
pull_request:
|
||
branches:
|
||
- main
|
||
|
||
concurrency:
|
||
group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref_name || github.ref }}
|
||
cancel-in-progress: true
|
||
|
||
permissions:
|
||
contents: read
|
||
|
||
jobs:
|
||
files-changed:
|
||
name: detect what files changed
|
||
runs-on: ubuntu-latest
|
||
timeout-minutes: 3
|
||
outputs:
|
||
licenses-frontend: ${{ steps.changes.outputs.licenses-frontend }}
|
||
licenses-backend: ${{ steps.changes.outputs.licenses-backend }}
|
||
steps:
|
||
- name: Harden the runner (Audit all outbound calls)
|
||
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
|
||
with:
|
||
egress-policy: audit
|
||
|
||
- name: Checkout repository
|
||
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
|
||
|
||
- name: Check for file changes
|
||
uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
|
||
id: changes
|
||
with:
|
||
filters: .github/config/.files.yaml
|
||
|
||
generate-frontend-license-report:
|
||
if: needs.files-changed.outputs.licenses-frontend == 'true'
|
||
name: Generate Frontend License Report
|
||
needs: files-changed
|
||
runs-on: ubuntu-latest
|
||
permissions:
|
||
contents: write
|
||
pull-requests: write
|
||
repository-projects: write # Required for enabling automerge
|
||
steps:
|
||
- name: Harden Runner
|
||
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
|
||
with:
|
||
egress-policy: audit
|
||
|
||
- name: Checkout PR head (default)
|
||
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
|
||
with:
|
||
fetch-depth: 0
|
||
persist-credentials: false
|
||
|
||
- name: Setup GitHub App Bot
|
||
if: (github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false)) && github.actor != 'dependabot[bot]'
|
||
id: setup-bot
|
||
uses: ./.github/actions/setup-bot
|
||
with:
|
||
app-id: ${{ secrets.GH_APP_ID }}
|
||
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
|
||
|
||
- name: Checkout BASE branch (safe script)
|
||
if: github.event_name == 'pull_request'
|
||
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
|
||
with:
|
||
ref: ${{ github.event.pull_request.base.sha }}
|
||
path: base
|
||
fetch-depth: 1
|
||
persist-credentials: false
|
||
|
||
- name: Set up Node.js
|
||
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
|
||
with:
|
||
node-version: "22"
|
||
cache: "npm"
|
||
cache-dependency-path: frontend/package-lock.json
|
||
|
||
- name: Install frontend dependencies
|
||
working-directory: frontend
|
||
env:
|
||
NPM_CONFIG_IGNORE_SCRIPTS: "true"
|
||
run: npm ci --ignore-scripts --audit=false --fund=false
|
||
|
||
- name: Generate frontend license report (internal PR)
|
||
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false
|
||
working-directory: frontend
|
||
env:
|
||
PR_IS_FORK: "false"
|
||
run: npm run generate-licenses
|
||
|
||
- name: Generate frontend license report (fork PRs, pinned)
|
||
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
|
||
env:
|
||
NPM_CONFIG_IGNORE_SCRIPTS: "true"
|
||
working-directory: frontend
|
||
run: |
|
||
mkdir -p src/assets
|
||
npx --yes license-report --only=prod --output=json > src/assets/3rdPartyLicenses.json
|
||
|
||
- name: Postprocess with project script (BASE version)
|
||
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
|
||
env:
|
||
PR_IS_FORK: "true"
|
||
run: |
|
||
node base/frontend/scripts/generate-licenses.js \
|
||
--input frontend/src/assets/3rdPartyLicenses.json
|
||
|
||
- name: Copy postprocessed artifacts back (fork PRs)
|
||
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
|
||
run: |
|
||
mkdir -p frontend/src/assets
|
||
if [ -f "base/frontend/src/assets/3rdPartyLicenses.json" ]; then
|
||
cp base/frontend/src/assets/3rdPartyLicenses.json frontend/src/assets/3rdPartyLicenses.json
|
||
fi
|
||
if [ -f "base/frontend/src/assets/license-warnings.json" ]; then
|
||
cp base/frontend/src/assets/license-warnings.json frontend/src/assets/license-warnings.json
|
||
fi
|
||
|
||
- name: Check for license warnings
|
||
run: |
|
||
if [ -f "frontend/src/assets/license-warnings.json" ]; then
|
||
echo "LICENSE_WARNINGS_EXIST=true" >> $GITHUB_ENV
|
||
else
|
||
echo "LICENSE_WARNINGS_EXIST=false" >> $GITHUB_ENV
|
||
fi
|
||
|
||
# PR Event: Check licenses and comment on PR
|
||
- name: Delete previous license check comments
|
||
if: (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false) && github.actor != 'dependabot[bot]'
|
||
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
|
||
with:
|
||
github-token: ${{ steps.setup-bot.outputs.token }}
|
||
script: |
|
||
const { owner, repo } = context.repo;
|
||
const prNumber = context.issue.number;
|
||
|
||
// Get all comments on the PR
|
||
const { data: comments } = await github.rest.issues.listComments({
|
||
owner,
|
||
repo,
|
||
issue_number: prNumber,
|
||
per_page: 100
|
||
});
|
||
|
||
// Filter for license check comments
|
||
const licenseComments = comments.filter(comment =>
|
||
comment.body.includes('## ✅ Frontend License Check Passed') ||
|
||
comment.body.includes('## ❌ Frontend License Check Failed')
|
||
);
|
||
|
||
// Delete old license check comments
|
||
for (const comment of licenseComments) {
|
||
console.log(`Deleting old license check comment: ${comment.id}`);
|
||
await github.rest.issues.deleteComment({
|
||
owner,
|
||
repo,
|
||
comment_id: comment.id
|
||
});
|
||
}
|
||
|
||
- name: Summarize results (fork PRs)
|
||
if: (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true) || github.actor == 'dependabot[bot]'
|
||
run: |
|
||
{
|
||
echo "## Frontend License Check"
|
||
echo ""
|
||
if [ "${LICENSE_WARNINGS_EXIST}" = "true" ]; then
|
||
echo "❌ **Failed** – incompatible or unknown licenses found."
|
||
if [ -f "frontend/src/assets/license-warnings.json" ]; then
|
||
echo ""
|
||
echo "### Warnings"
|
||
jq -r '.warnings[] | "- \(.message)"' frontend/src/assets/license-warnings.json || true
|
||
fi
|
||
else
|
||
echo "✅ **Passed** – no license warnings detected."
|
||
fi
|
||
echo ""
|
||
echo "_Note: This is a fork PR. PR comments are disabled; use this summary._"
|
||
} >> "$GITHUB_STEP_SUMMARY"
|
||
|
||
- name: Comment on PR - License Check Results
|
||
if: (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false) && github.actor != 'dependabot[bot]'
|
||
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
|
||
with:
|
||
github-token: ${{ steps.setup-bot.outputs.token }}
|
||
script: |
|
||
const { owner, repo } = context.repo;
|
||
const prNumber = context.issue.number;
|
||
const hasWarnings = process.env.LICENSE_WARNINGS_EXIST === 'true';
|
||
|
||
let commentBody;
|
||
|
||
if (hasWarnings) {
|
||
// Read warnings file to get specific issues
|
||
const fs = require('fs');
|
||
let warningDetails = '';
|
||
try {
|
||
const warnings = JSON.parse(fs.readFileSync('frontend/src/assets/license-warnings.json', 'utf8'));
|
||
warningDetails = warnings.warnings.map(w => `- ${w.message}`).join('\n');
|
||
} catch (e) {
|
||
warningDetails = 'Unable to read warning details';
|
||
}
|
||
|
||
commentBody = `## ❌ Frontend License Check Failed
|
||
|
||
The frontend license check has detected compatibility warnings that require review:
|
||
|
||
${warningDetails}
|
||
|
||
**Action Required:** Please review these licenses to ensure they are acceptable for your use case before merging.
|
||
|
||
_This check will fail the PR until license issues are resolved._`;
|
||
} else {
|
||
commentBody = `## ✅ Frontend License Check Passed
|
||
|
||
All frontend licenses have been validated and no compatibility warnings were detected.
|
||
|
||
The frontend license report has been updated successfully.`;
|
||
}
|
||
|
||
await github.rest.issues.createComment({
|
||
owner,
|
||
repo,
|
||
issue_number: prNumber,
|
||
body: commentBody
|
||
});
|
||
|
||
- name: Fail workflow if license warnings exist (PR only)
|
||
if: github.event_name == 'pull_request' && env.LICENSE_WARNINGS_EXIST == 'true'
|
||
run: |
|
||
echo "❌ License warnings detected. Failing the workflow."
|
||
exit 1
|
||
|
||
# Push Event: Commit license files and create PR
|
||
- name: Commit changes (Push only)
|
||
if: github.event_name == 'push'
|
||
run: |
|
||
git add frontend/src/assets/3rdPartyLicenses.json
|
||
# Note: Do NOT commit license-warnings.json - it's only for PR review
|
||
git diff --staged --quiet || echo "CHANGES_DETECTED=true" >> $GITHUB_ENV
|
||
|
||
- name: Prepare PR body (Push only)
|
||
if: github.event_name == 'push'
|
||
run: |
|
||
PR_BODY="Auto-generated by ${{ steps.setup-bot.outputs.app-slug }}[bot]
|
||
|
||
This PR updates the frontend license report based on changes to package.json dependencies."
|
||
|
||
if [ "${{ env.LICENSE_WARNINGS_EXIST }}" = "true" ]; then
|
||
PR_BODY="$PR_BODY
|
||
|
||
## ⚠️ License Compatibility Warnings
|
||
|
||
The following licenses may require review for corporate compatibility:
|
||
|
||
$(cat frontend/src/assets/license-warnings.json | jq -r '.warnings[].message')
|
||
|
||
Please review these licenses to ensure they are acceptable for your use case."
|
||
fi
|
||
|
||
echo "PR_BODY<<EOF" >> $GITHUB_ENV
|
||
echo "$PR_BODY" >> $GITHUB_ENV
|
||
echo "EOF" >> $GITHUB_ENV
|
||
|
||
- name: Create Pull Request (Push only)
|
||
id: cpr
|
||
if: github.event_name == 'push' && env.CHANGES_DETECTED == 'true'
|
||
uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
|
||
with:
|
||
token: ${{ steps.setup-bot.outputs.token }}
|
||
commit-message: "Update Frontend 3rd Party Licenses"
|
||
committer: ${{ steps.setup-bot.outputs.committer }}
|
||
author: ${{ steps.setup-bot.outputs.committer }}
|
||
signoff: true
|
||
branch: update-frontend-3rd-party-licenses
|
||
base: main
|
||
title: "Update Frontend 3rd Party Licenses"
|
||
body: ${{ env.PR_BODY }}
|
||
labels: Licenses,github-actions,frontend
|
||
draft: false
|
||
delete-branch: true
|
||
sign-commits: true
|
||
|
||
- name: Enable Pull Request Automerge (Push only)
|
||
if: github.event_name == 'push' && steps.cpr.outputs.pull-request-operation == 'created' && env.LICENSE_WARNINGS_EXIST == 'false'
|
||
run: gh pr merge --squash --auto "${{ steps.cpr.outputs.pull-request-number }}"
|
||
env:
|
||
GH_TOKEN: ${{ steps.setup-bot.outputs.token }}
|
||
|
||
- name: Add review required label (Push only)
|
||
if: github.event_name == 'push' && steps.cpr.outputs.pull-request-operation == 'created' && env.LICENSE_WARNINGS_EXIST == 'true'
|
||
run: gh pr edit "${{ steps.cpr.outputs.pull-request-number }}" --add-label "license-review-required"
|
||
env:
|
||
GH_TOKEN: ${{ steps.setup-bot.outputs.token }}
|
||
|
||
generate-backend-license-report:
|
||
if: needs.files-changed.outputs.licenses-backend == 'true'
|
||
needs: files-changed
|
||
name: Generate Backend License Report
|
||
runs-on: ubuntu-latest
|
||
permissions:
|
||
contents: write
|
||
pull-requests: write
|
||
repository-projects: write # Required for enabling automerge
|
||
steps:
|
||
- name: Harden Runner
|
||
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
|
||
with:
|
||
egress-policy: audit
|
||
|
||
- name: Checkout repository
|
||
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
|
||
with:
|
||
fetch-depth: 0
|
||
persist-credentials: false
|
||
|
||
- name: Setup GitHub App Bot
|
||
if: (github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false)) && github.actor != 'dependabot[bot]'
|
||
id: setup-bot
|
||
uses: ./.github/actions/setup-bot
|
||
with:
|
||
app-id: ${{ secrets.GH_APP_ID }}
|
||
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
|
||
|
||
- name: Set up JDK 21
|
||
uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
|
||
with:
|
||
java-version: "21"
|
||
distribution: "temurin"
|
||
|
||
- name: Check licenses and generate report
|
||
id: license-check
|
||
run: |
|
||
./gradlew clean checkLicense generateLicenseReport || echo "LICENSE_CHECK_FAILED=true" >> $GITHUB_ENV
|
||
env:
|
||
DISABLE_ADDITIONAL_FEATURES: false
|
||
STIRLING_PDF_DESKTOP_UI: true
|
||
|
||
- name: Check for license compatibility issues
|
||
run: |
|
||
if [ -f build/reports/dependency-license/dependencies-without-allowed-license.json ] && \
|
||
jq '.dependenciesWithoutAllowedLicenses | length > 0' build/reports/dependency-license/dependencies-without-allowed-license.json | grep -q true; then
|
||
echo "LICENSE_WARNINGS_EXIST=true" >> $GITHUB_ENV
|
||
else
|
||
echo "LICENSE_WARNINGS_EXIST=false" >> $GITHUB_ENV
|
||
fi
|
||
if: always()
|
||
|
||
- name: Upload artifact on license issues
|
||
if: env.LICENSE_WARNINGS_EXIST == 'true'
|
||
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
|
||
with:
|
||
name: backend-dependencies-without-allowed-license.json
|
||
path: build/reports/dependency-license/dependencies-without-allowed-license.json
|
||
|
||
- name: Move license file
|
||
if: env.LICENSE_CHECK_FAILED != 'true' && env.LICENSE_WARNINGS_EXIST == 'false'
|
||
run: |
|
||
mkdir -p app/core/src/main/resources/static
|
||
cp build/reports/dependency-license/index.json app/core/src/main/resources/static/3rdPartyLicenses.json
|
||
|
||
- name: Delete previous backend license check comments
|
||
if: (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false) && github.actor != 'dependabot[bot]'
|
||
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
|
||
with:
|
||
github-token: ${{ steps.setup-bot.outputs.token }}
|
||
script: |
|
||
const { owner, repo } = context.repo;
|
||
const prNumber = context.issue.number;
|
||
|
||
const { data: comments } = await github.rest.issues.listComments({
|
||
owner,
|
||
repo,
|
||
issue_number: prNumber,
|
||
per_page: 100
|
||
});
|
||
|
||
const backendLicenseComments = comments.filter(comment =>
|
||
comment.body.includes('## ✅ Backend License Check Passed') ||
|
||
comment.body.includes('## ❌ Backend License Check Failed')
|
||
);
|
||
|
||
for (const comment of backendLicenseComments) {
|
||
console.log(`Deleting old backend license comment: ${comment.id}`);
|
||
await github.rest.issues.deleteComment({
|
||
owner,
|
||
repo,
|
||
comment_id: comment.id
|
||
});
|
||
}
|
||
|
||
- name: Comment on PR - Backend License Check Results
|
||
if: (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false) && github.actor != 'dependabot[bot]'
|
||
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
|
||
with:
|
||
github-token: ${{ steps.setup-bot.outputs.token }}
|
||
script: |
|
||
const hasWarnings = process.env.LICENSE_WARNINGS_EXIST === 'true';
|
||
const fs = require('fs');
|
||
let warningDetails = '';
|
||
|
||
if (hasWarnings) {
|
||
try {
|
||
const warningsFile = 'build/reports/dependency-license/dependencies-without-allowed-license.json';
|
||
if (fs.existsSync(warningsFile)) {
|
||
const data = JSON.parse(fs.readFileSync(warningsFile, 'utf8'));
|
||
if (data.length > 0) {
|
||
warningDetails = data.map(dep => `- **${dep.moduleName}@${dep.moduleVersion}** – ${dep.moduleLicenses.map(l => l.licenseName).join(', ')}`).join('\n');
|
||
}
|
||
}
|
||
} catch (e) {
|
||
warningDetails = 'Unable to parse warning details.';
|
||
}
|
||
}
|
||
|
||
let commentBody;
|
||
if (hasWarnings) {
|
||
commentBody = `## ❌ Backend License Check Failed
|
||
|
||
The backend license check has detected dependencies with incompatible or unallowed licenses:
|
||
|
||
${warningDetails || 'See uploaded artifact for details.'}
|
||
|
||
**Action Required:** Please review these licenses and resolve before merging.
|
||
|
||
_This check will fail the PR until license issues are resolved._`;
|
||
} else {
|
||
commentBody = `## ✅ Backend License Check Passed
|
||
|
||
All backend dependencies have valid and allowed licenses.
|
||
|
||
The backend license report has been updated successfully.`;
|
||
}
|
||
|
||
await github.rest.issues.createComment({
|
||
owner: context.repo.owner,
|
||
repo: context.repo.repo,
|
||
issue_number: context.issue.number,
|
||
body: commentBody
|
||
});
|
||
|
||
- name: Fail workflow if license warnings exist (PR only)
|
||
if: github.event_name == 'pull_request' && env.LICENSE_WARNINGS_EXIST == 'true'
|
||
run: |
|
||
echo "❌ Backend license warnings detected. Failing the workflow."
|
||
exit 1
|
||
|
||
- name: Commit changes (push only)
|
||
if: github.event_name == 'push' && env.LICENSE_WARNINGS_EXIST == 'false'
|
||
run: |
|
||
git config user.name "${{ steps.setup-bot.outputs.committer }}"
|
||
git config user.email "${{ steps.setup-bot.outputs.committer-email || 'bot@github.com' }}"
|
||
git add app/core/src/main/resources/static/3rdPartyLicenses.json
|
||
git diff --staged --quiet || echo "CHANGES_DETECTED=true" >> $GITHUB_ENV
|
||
|
||
- name: Prepare PR body (push only)
|
||
if: github.event_name == 'push' && env.CHANGES_DETECTED == 'true'
|
||
run: |
|
||
PR_BODY="Auto-generated by ${{ steps.setup-bot.outputs.app-slug }}[bot]
|
||
|
||
This PR updates the backend license report based on dependency changes."
|
||
|
||
if [ "${{ env.LICENSE_WARNINGS_EXIST }}" = "true" ]; then
|
||
PR_BODY="$PR_BODY
|
||
|
||
## ⚠️ License Compatibility Warnings
|
||
|
||
Incompatible licenses detected – manual review required before merge."
|
||
fi
|
||
echo "PR_BODY<<EOF" >> $GITHUB_ENV
|
||
echo "$PR_BODY" >> $GITHUB_ENV
|
||
echo "EOF" >> $GITHUB_ENV
|
||
|
||
- name: Create Pull Request (push only)
|
||
if: github.event_name == 'push' && env.CHANGES_DETECTED == 'true'
|
||
id: cpr
|
||
uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
|
||
with:
|
||
token: ${{ steps.setup-bot.outputs.token }}
|
||
commit-message: "Update Backend 3rd Party Licenses"
|
||
committer: ${{ steps.setup-bot.outputs.committer }}
|
||
author: ${{ steps.setup-bot.outputs.committer }}
|
||
signoff: true
|
||
branch: update-backend-3rd-party-licenses
|
||
base: main
|
||
title: "Update Backend 3rd Party Licenses"
|
||
body: ${{ env.PR_BODY }}
|
||
labels: Licenses,github-actions,backend
|
||
delete-branch: true
|
||
sign-commits: true
|
||
|
||
- name: Enable Pull Request Automerge (push only, no warnings)
|
||
if: github.event_name == 'push' && steps.cpr.outputs.pull-request-operation == 'created' && env.LICENSE_WARNINGS_EXIST == 'false'
|
||
run: gh pr merge --squash --auto "${{ steps.cpr.outputs.pull-request-number }}"
|
||
env:
|
||
GH_TOKEN: ${{ steps.setup-bot.outputs.token }}
|
||
|
||
- name: Add review required label (push only, with warnings)
|
||
if: github.event_name == 'push' && steps.cpr.outputs.pull-request-operation == 'created' && env.LICENSE_WARNINGS_EXIST == 'true'
|
||
run: gh pr edit "${{ steps.cpr.outputs.pull-request-number }}" --add-label "license-review-required"
|
||
env:
|
||
GH_TOKEN: ${{ steps.setup-bot.outputs.token }}
|