mirror of
https://github.com/Frooodle/Stirling-PDF.git
synced 2026-02-17 13:52:14 +01:00
2d254ef0f6
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 6.0.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/checkout/releases">actions/checkout's releases</a>.</em></p> <blockquote> <h2>v6.0.1</h2> <h2>What's Changed</h2> <ul> <li>Update all references from v5 and v4 to v6 by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2314">actions/checkout#2314</a></li> <li>Add worktree support for persist-credentials includeIf by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2327">actions/checkout#2327</a></li> <li>Clarify v6 README by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2328">actions/checkout#2328</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v6...v6.0.1">https://github.com/actions/checkout/compare/v6...v6.0.1</a></p> <h2>v6.0.0</h2> <h2>What's Changed</h2> <ul> <li>Update README to include Node.js 24 support details and requirements by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2248">actions/checkout#2248</a></li> <li>Persist creds to a separate file by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2286">actions/checkout#2286</a></li> <li>v6-beta by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2298">actions/checkout#2298</a></li> <li>update readme/changelog for v6 by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2311">actions/checkout#2311</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v5.0.0...v6.0.0">https://github.com/actions/checkout/compare/v5.0.0...v6.0.0</a></p> <h2>v6-beta</h2> <h2>What's Changed</h2> <p>Updated persist-credentials to store the credentials under <code>$RUNNER_TEMP</code> instead of directly in the local git config.</p> <p>This requires a minimum Actions Runner version of <a href="https://github.com/actions/runner/releases/tag/v2.329.0">v2.329.0</a> to access the persisted credentials for <a href="https://docs.github.com/en/actions/tutorials/use-containerized-services/create-a-docker-container-action">Docker container action</a> scenarios.</p> <h2>v5.0.1</h2> <h2>What's Changed</h2> <ul> <li>Port v6 cleanup to v5 by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2301">actions/checkout#2301</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v5...v5.0.1">https://github.com/actions/checkout/compare/v5...v5.0.1</a></p> <h2>v5.0.0</h2> <h2>What's Changed</h2> <ul> <li>Update actions checkout to use node 24 by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2226">actions/checkout#2226</a></li> <li>Prepare v5.0.0 release by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2238">actions/checkout#2238</a></li> </ul> <h2>⚠️ Minimum Compatible Runner Version</h2> <p><strong>v2.327.1</strong><br /> <a href="https://github.com/actions/runner/releases/tag/v2.327.1">Release Notes</a></p> <p>Make sure your runner is updated to this version or newer to use this release.</p> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v4...v5.0.0">https://github.com/actions/checkout/compare/v4...v5.0.0</a></p> <h2>v4.3.1</h2> <h2>What's Changed</h2> <ul> <li>Port v6 cleanup to v4 by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2305">actions/checkout#2305</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/actions/checkout/blob/main/CHANGELOG.md">actions/checkout's changelog</a>.</em></p> <blockquote> <h1>Changelog</h1> <h2>v6.0.2</h2> <ul> <li>Fix tag handling: preserve annotations and explicit fetch-tags by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2356">actions/checkout#2356</a></li> </ul> <h2>v6.0.1</h2> <ul> <li>Add worktree support for persist-credentials includeIf by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2327">actions/checkout#2327</a></li> </ul> <h2>v6.0.0</h2> <ul> <li>Persist creds to a separate file by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2286">actions/checkout#2286</a></li> <li>Update README to include Node.js 24 support details and requirements by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2248">actions/checkout#2248</a></li> </ul> <h2>v5.0.1</h2> <ul> <li>Port v6 cleanup to v5 by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2301">actions/checkout#2301</a></li> </ul> <h2>v5.0.0</h2> <ul> <li>Update actions checkout to use node 24 by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2226">actions/checkout#2226</a></li> </ul> <h2>v4.3.1</h2> <ul> <li>Port v6 cleanup to v4 by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2305">actions/checkout#2305</a></li> </ul> <h2>v4.3.0</h2> <ul> <li>docs: update README.md by <a href="https://github.com/motss"><code>@motss</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1971">actions/checkout#1971</a></li> <li>Add internal repos for checking out multiple repositories by <a href="https://github.com/mouismail"><code>@mouismail</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1977">actions/checkout#1977</a></li> <li>Documentation update - add recommended permissions to Readme by <a href="https://github.com/benwells"><code>@benwells</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2043">actions/checkout#2043</a></li> <li>Adjust positioning of user email note and permissions heading by <a href="https://github.com/joshmgross"><code>@joshmgross</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2044">actions/checkout#2044</a></li> <li>Update README.md by <a href="https://github.com/nebuk89"><code>@nebuk89</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2194">actions/checkout#2194</a></li> <li>Update CODEOWNERS for actions by <a href="https://github.com/TingluoHuang"><code>@TingluoHuang</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2224">actions/checkout#2224</a></li> <li>Update package dependencies by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2236">actions/checkout#2236</a></li> </ul> <h2>v4.2.2</h2> <ul> <li><code>url-helper.ts</code> now leverages well-known environment variables by <a href="https://github.com/jww3"><code>@jww3</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1941">actions/checkout#1941</a></li> <li>Expand unit test coverage for <code>isGhes</code> by <a href="https://github.com/jww3"><code>@jww3</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1946">actions/checkout#1946</a></li> </ul> <h2>v4.2.1</h2> <ul> <li>Check out other refs/* by commit if provided, fall back to ref by <a href="https://github.com/orhantoy"><code>@orhantoy</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1924">actions/checkout#1924</a></li> </ul> <h2>v4.2.0</h2> <ul> <li>Add Ref and Commit outputs by <a href="https://github.com/lucacome"><code>@lucacome</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1180">actions/checkout#1180</a></li> <li>Dependency updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>- <a href="https://redirect.github.com/actions/checkout/pull/1777">actions/checkout#1777</a>, <a href="https://redirect.github.com/actions/checkout/pull/1872">actions/checkout#1872</a></li> </ul> <h2>v4.1.7</h2> <ul> <li>Bump the minor-npm-dependencies group across 1 directory with 4 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1739">actions/checkout#1739</a></li> <li>Bump actions/checkout from 3 to 4 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1697">actions/checkout#1697</a></li> <li>Check out other refs/* by commit by <a href="https://github.com/orhantoy"><code>@orhantoy</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1774">actions/checkout#1774</a></li> <li>Pin actions/checkout's own workflows to a known, good, stable version. by <a href="https://github.com/jww3"><code>@jww3</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1776">actions/checkout#1776</a></li> </ul> <h2>v4.1.6</h2> <ul> <li>Check platform to set archive extension appropriately by <a href="https://github.com/cory-miller"><code>@cory-miller</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1732">actions/checkout#1732</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="8e8c483db8"><code>8e8c483</code></a> Clarify v6 README (<a href="https://redirect.github.com/actions/checkout/issues/2328">#2328</a>)</li> <li><a href="033fa0dc0b"><code>033fa0d</code></a> Add worktree support for persist-credentials includeIf (<a href="https://redirect.github.com/actions/checkout/issues/2327">#2327</a>)</li> <li><a href="c2d88d3ecc"><code>c2d88d3</code></a> Update all references from v5 and v4 to v6 (<a href="https://redirect.github.com/actions/checkout/issues/2314">#2314</a>)</li> <li><a href="1af3b93b68"><code>1af3b93</code></a> update readme/changelog for v6 (<a href="https://redirect.github.com/actions/checkout/issues/2311">#2311</a>)</li> <li><a href="71cf2267d8"><code>71cf226</code></a> v6-beta (<a href="https://redirect.github.com/actions/checkout/issues/2298">#2298</a>)</li> <li><a href="069c695914"><code>069c695</code></a> Persist creds to a separate file (<a href="https://redirect.github.com/actions/checkout/issues/2286">#2286</a>)</li> <li><a href="ff7abcd0c3"><code>ff7abcd</code></a> Update README to include Node.js 24 support details and requirements (<a href="https://redirect.github.com/actions/checkout/issues/2248">#2248</a>)</li> <li><a href="08c6903cd8"><code>08c6903</code></a> Prepare v5.0.0 release (<a href="https://redirect.github.com/actions/checkout/issues/2238">#2238</a>)</li> <li><a href="9f265659d3"><code>9f26565</code></a> Update actions checkout to use node 24 (<a href="https://redirect.github.com/actions/checkout/issues/2226">#2226</a>)</li> <li><a href="08eba0b27e"><code>08eba0b</code></a> Prepare release v4.3.0 (<a href="https://redirect.github.com/actions/checkout/issues/2237">#2237</a>)</li> <li>Additional commits viewable in <a href="https://github.com/actions/checkout/compare/v4.2.2...8e8c483db84b4bee98b60c0593521ed34d9990e8">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Ludy <Ludy87@users.noreply.github.com>
519 lines
21 KiB
YAML
519 lines
21 KiB
YAML
name: License Report Workflow
|
||
|
||
on:
|
||
push:
|
||
branches:
|
||
- main
|
||
pull_request:
|
||
branches:
|
||
- main
|
||
|
||
concurrency:
|
||
group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref_name || github.ref }}
|
||
cancel-in-progress: true
|
||
|
||
permissions:
|
||
contents: read
|
||
|
||
jobs:
|
||
files-changed:
|
||
name: detect what files changed
|
||
runs-on: ubuntu-latest
|
||
timeout-minutes: 3
|
||
outputs:
|
||
licenses-frontend: ${{ steps.changes.outputs.licenses-frontend }}
|
||
licenses-backend: ${{ steps.changes.outputs.licenses-backend }}
|
||
steps:
|
||
- name: Harden the runner (Audit all outbound calls)
|
||
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
|
||
with:
|
||
egress-policy: audit
|
||
|
||
- name: Checkout repository
|
||
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
||
|
||
- name: Check for file changes
|
||
uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
|
||
id: changes
|
||
with:
|
||
filters: .github/config/.files.yaml
|
||
|
||
generate-frontend-license-report:
|
||
if: needs.files-changed.outputs.licenses-frontend == 'true'
|
||
name: Generate Frontend License Report
|
||
needs: files-changed
|
||
runs-on: ubuntu-latest
|
||
permissions:
|
||
contents: write
|
||
pull-requests: write
|
||
repository-projects: write # Required for enabling automerge
|
||
steps:
|
||
- name: Harden Runner
|
||
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
|
||
with:
|
||
egress-policy: audit
|
||
|
||
- name: Checkout PR head (default)
|
||
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
||
with:
|
||
fetch-depth: 0
|
||
persist-credentials: false
|
||
|
||
- name: Setup GitHub App Bot
|
||
if: (github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false)) && github.actor != 'dependabot[bot]'
|
||
id: setup-bot
|
||
uses: ./.github/actions/setup-bot
|
||
with:
|
||
app-id: ${{ secrets.GH_APP_ID }}
|
||
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
|
||
|
||
- name: Checkout BASE branch (safe script)
|
||
if: github.event_name == 'pull_request'
|
||
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
||
with:
|
||
ref: ${{ github.event.pull_request.base.sha }}
|
||
path: base
|
||
fetch-depth: 1
|
||
persist-credentials: false
|
||
|
||
- name: Set up Node.js
|
||
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
|
||
with:
|
||
node-version: "22"
|
||
cache: "npm"
|
||
cache-dependency-path: frontend/package-lock.json
|
||
|
||
- name: Install frontend dependencies
|
||
working-directory: frontend
|
||
env:
|
||
NPM_CONFIG_IGNORE_SCRIPTS: "true"
|
||
run: npm ci --ignore-scripts --audit=false --fund=false
|
||
|
||
- name: Generate frontend license report (internal PR)
|
||
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false
|
||
working-directory: frontend
|
||
env:
|
||
PR_IS_FORK: "false"
|
||
run: npm run generate-licenses
|
||
|
||
- name: Generate frontend license report (fork PRs, pinned)
|
||
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
|
||
env:
|
||
NPM_CONFIG_IGNORE_SCRIPTS: "true"
|
||
working-directory: frontend
|
||
run: |
|
||
mkdir -p src/assets
|
||
npx --yes license-report --only=prod --output=json > src/assets/3rdPartyLicenses.json
|
||
|
||
- name: Postprocess with project script (BASE version)
|
||
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
|
||
env:
|
||
PR_IS_FORK: "true"
|
||
run: |
|
||
node base/frontend/scripts/generate-licenses.js \
|
||
--input frontend/src/assets/3rdPartyLicenses.json
|
||
|
||
- name: Copy postprocessed artifacts back (fork PRs)
|
||
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
|
||
run: |
|
||
mkdir -p frontend/src/assets
|
||
if [ -f "base/frontend/src/assets/3rdPartyLicenses.json" ]; then
|
||
cp base/frontend/src/assets/3rdPartyLicenses.json frontend/src/assets/3rdPartyLicenses.json
|
||
fi
|
||
if [ -f "base/frontend/src/assets/license-warnings.json" ]; then
|
||
cp base/frontend/src/assets/license-warnings.json frontend/src/assets/license-warnings.json
|
||
fi
|
||
|
||
- name: Check for license warnings
|
||
run: |
|
||
if [ -f "frontend/src/assets/license-warnings.json" ]; then
|
||
echo "LICENSE_WARNINGS_EXIST=true" >> $GITHUB_ENV
|
||
else
|
||
echo "LICENSE_WARNINGS_EXIST=false" >> $GITHUB_ENV
|
||
fi
|
||
|
||
# PR Event: Check licenses and comment on PR
|
||
- name: Delete previous license check comments
|
||
if: (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false) && github.actor != 'dependabot[bot]'
|
||
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
|
||
with:
|
||
github-token: ${{ steps.setup-bot.outputs.token }}
|
||
script: |
|
||
const { owner, repo } = context.repo;
|
||
const prNumber = context.issue.number;
|
||
|
||
// Get all comments on the PR
|
||
const { data: comments } = await github.rest.issues.listComments({
|
||
owner,
|
||
repo,
|
||
issue_number: prNumber,
|
||
per_page: 100
|
||
});
|
||
|
||
// Filter for license check comments
|
||
const licenseComments = comments.filter(comment =>
|
||
comment.body.includes('## ✅ Frontend License Check Passed') ||
|
||
comment.body.includes('## ❌ Frontend License Check Failed')
|
||
);
|
||
|
||
// Delete old license check comments
|
||
for (const comment of licenseComments) {
|
||
console.log(`Deleting old license check comment: ${comment.id}`);
|
||
await github.rest.issues.deleteComment({
|
||
owner,
|
||
repo,
|
||
comment_id: comment.id
|
||
});
|
||
}
|
||
|
||
- name: Summarize results (fork PRs)
|
||
if: (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true) || github.actor == 'dependabot[bot]'
|
||
run: |
|
||
{
|
||
echo "## Frontend License Check"
|
||
echo ""
|
||
if [ "${LICENSE_WARNINGS_EXIST}" = "true" ]; then
|
||
echo "❌ **Failed** – incompatible or unknown licenses found."
|
||
if [ -f "frontend/src/assets/license-warnings.json" ]; then
|
||
echo ""
|
||
echo "### Warnings"
|
||
jq -r '.warnings[] | "- \(.message)"' frontend/src/assets/license-warnings.json || true
|
||
fi
|
||
else
|
||
echo "✅ **Passed** – no license warnings detected."
|
||
fi
|
||
echo ""
|
||
echo "_Note: This is a fork PR. PR comments are disabled; use this summary._"
|
||
} >> "$GITHUB_STEP_SUMMARY"
|
||
|
||
- name: Comment on PR - License Check Results
|
||
if: (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false) && github.actor != 'dependabot[bot]'
|
||
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
|
||
with:
|
||
github-token: ${{ steps.setup-bot.outputs.token }}
|
||
script: |
|
||
const { owner, repo } = context.repo;
|
||
const prNumber = context.issue.number;
|
||
const hasWarnings = process.env.LICENSE_WARNINGS_EXIST === 'true';
|
||
|
||
let commentBody;
|
||
|
||
if (hasWarnings) {
|
||
// Read warnings file to get specific issues
|
||
const fs = require('fs');
|
||
let warningDetails = '';
|
||
try {
|
||
const warnings = JSON.parse(fs.readFileSync('frontend/src/assets/license-warnings.json', 'utf8'));
|
||
warningDetails = warnings.warnings.map(w => `- ${w.message}`).join('\n');
|
||
} catch (e) {
|
||
warningDetails = 'Unable to read warning details';
|
||
}
|
||
|
||
commentBody = `## ❌ Frontend License Check Failed
|
||
|
||
The frontend license check has detected compatibility warnings that require review:
|
||
|
||
${warningDetails}
|
||
|
||
**Action Required:** Please review these licenses to ensure they are acceptable for your use case before merging.
|
||
|
||
_This check will fail the PR until license issues are resolved._`;
|
||
} else {
|
||
commentBody = `## ✅ Frontend License Check Passed
|
||
|
||
All frontend licenses have been validated and no compatibility warnings were detected.
|
||
|
||
The frontend license report has been updated successfully.`;
|
||
}
|
||
|
||
await github.rest.issues.createComment({
|
||
owner,
|
||
repo,
|
||
issue_number: prNumber,
|
||
body: commentBody
|
||
});
|
||
|
||
- name: Fail workflow if license warnings exist (PR only)
|
||
if: github.event_name == 'pull_request' && env.LICENSE_WARNINGS_EXIST == 'true'
|
||
run: |
|
||
echo "❌ License warnings detected. Failing the workflow."
|
||
exit 1
|
||
|
||
# Push Event: Commit license files and create PR
|
||
- name: Commit changes (Push only)
|
||
if: github.event_name == 'push'
|
||
run: |
|
||
git add frontend/src/assets/3rdPartyLicenses.json
|
||
# Note: Do NOT commit license-warnings.json - it's only for PR review
|
||
git diff --staged --quiet || echo "CHANGES_DETECTED=true" >> $GITHUB_ENV
|
||
|
||
- name: Prepare PR body (Push only)
|
||
if: github.event_name == 'push'
|
||
run: |
|
||
PR_BODY="Auto-generated by ${{ steps.setup-bot.outputs.app-slug }}[bot]
|
||
|
||
This PR updates the frontend license report based on changes to package.json dependencies."
|
||
|
||
if [ "${{ env.LICENSE_WARNINGS_EXIST }}" = "true" ]; then
|
||
PR_BODY="$PR_BODY
|
||
|
||
## ⚠️ License Compatibility Warnings
|
||
|
||
The following licenses may require review for corporate compatibility:
|
||
|
||
$(cat frontend/src/assets/license-warnings.json | jq -r '.warnings[].message')
|
||
|
||
Please review these licenses to ensure they are acceptable for your use case."
|
||
fi
|
||
|
||
echo "PR_BODY<<EOF" >> $GITHUB_ENV
|
||
echo "$PR_BODY" >> $GITHUB_ENV
|
||
echo "EOF" >> $GITHUB_ENV
|
||
|
||
- name: Create Pull Request (Push only)
|
||
id: cpr
|
||
if: github.event_name == 'push' && env.CHANGES_DETECTED == 'true'
|
||
uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
|
||
with:
|
||
token: ${{ steps.setup-bot.outputs.token }}
|
||
commit-message: "Update Frontend 3rd Party Licenses"
|
||
committer: ${{ steps.setup-bot.outputs.committer }}
|
||
author: ${{ steps.setup-bot.outputs.committer }}
|
||
signoff: true
|
||
branch: update-frontend-3rd-party-licenses
|
||
base: main
|
||
title: "Update Frontend 3rd Party Licenses"
|
||
body: ${{ env.PR_BODY }}
|
||
labels: Licenses,github-actions,frontend
|
||
draft: false
|
||
delete-branch: true
|
||
sign-commits: true
|
||
|
||
- name: Enable Pull Request Automerge (Push only)
|
||
if: github.event_name == 'push' && steps.cpr.outputs.pull-request-operation == 'created' && env.LICENSE_WARNINGS_EXIST == 'false'
|
||
run: gh pr merge --squash --auto "${{ steps.cpr.outputs.pull-request-number }}"
|
||
env:
|
||
GH_TOKEN: ${{ steps.setup-bot.outputs.token }}
|
||
|
||
- name: Add review required label (Push only)
|
||
if: github.event_name == 'push' && steps.cpr.outputs.pull-request-operation == 'created' && env.LICENSE_WARNINGS_EXIST == 'true'
|
||
run: gh pr edit "${{ steps.cpr.outputs.pull-request-number }}" --add-label "license-review-required"
|
||
env:
|
||
GH_TOKEN: ${{ steps.setup-bot.outputs.token }}
|
||
|
||
generate-backend-license-report:
|
||
if: needs.files-changed.outputs.licenses-backend == 'true'
|
||
needs: files-changed
|
||
name: Generate Backend License Report
|
||
runs-on: ubuntu-latest
|
||
permissions:
|
||
contents: write
|
||
pull-requests: write
|
||
repository-projects: write # Required for enabling automerge
|
||
steps:
|
||
- name: Harden Runner
|
||
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
|
||
with:
|
||
egress-policy: audit
|
||
|
||
- name: Checkout repository
|
||
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
||
with:
|
||
fetch-depth: 0
|
||
persist-credentials: false
|
||
|
||
- name: Setup GitHub App Bot
|
||
if: (github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false)) && github.actor != 'dependabot[bot]'
|
||
id: setup-bot
|
||
uses: ./.github/actions/setup-bot
|
||
with:
|
||
app-id: ${{ secrets.GH_APP_ID }}
|
||
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
|
||
|
||
- name: Set up JDK 21
|
||
uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
|
||
with:
|
||
java-version: "21"
|
||
distribution: "temurin"
|
||
|
||
- name: Setup Gradle
|
||
uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
|
||
with:
|
||
gradle-version: 8.14
|
||
|
||
- name: Check licenses and generate report
|
||
id: license-check
|
||
run: |
|
||
./gradlew checkLicense generateLicenseReport || echo "LICENSE_CHECK_FAILED=true" >> $GITHUB_ENV
|
||
env:
|
||
MAVEN_USER: ${{ secrets.MAVEN_USER }}
|
||
MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }}
|
||
MAVEN_PUBLIC_URL: ${{ secrets.MAVEN_PUBLIC_URL }}
|
||
DISABLE_ADDITIONAL_FEATURES: false
|
||
STIRLING_PDF_DESKTOP_UI: true
|
||
|
||
- name: Check for license compatibility issues
|
||
run: |
|
||
if [ -f build/reports/dependency-license/dependencies-without-allowed-license.json ] && \
|
||
jq '.dependenciesWithoutAllowedLicenses | length > 0' build/reports/dependency-license/dependencies-without-allowed-license.json | grep -q true; then
|
||
echo "LICENSE_WARNINGS_EXIST=true" >> $GITHUB_ENV
|
||
else
|
||
echo "LICENSE_WARNINGS_EXIST=false" >> $GITHUB_ENV
|
||
fi
|
||
if: always()
|
||
|
||
- name: Upload artifact on license issues
|
||
if: env.LICENSE_WARNINGS_EXIST == 'true'
|
||
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
|
||
with:
|
||
name: backend-dependencies-without-allowed-license.json
|
||
path: build/reports/dependency-license/dependencies-without-allowed-license.json
|
||
|
||
- name: Move license file
|
||
if: env.LICENSE_CHECK_FAILED != 'true' && env.LICENSE_WARNINGS_EXIST == 'false'
|
||
run: |
|
||
mkdir -p app/core/src/main/resources/static
|
||
cp build/reports/dependency-license/index.json app/core/src/main/resources/static/3rdPartyLicenses.json
|
||
|
||
- name: Delete previous backend license check comments
|
||
if: (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false) && github.actor != 'dependabot[bot]'
|
||
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
|
||
with:
|
||
github-token: ${{ steps.setup-bot.outputs.token }}
|
||
script: |
|
||
const { owner, repo } = context.repo;
|
||
const prNumber = context.issue.number;
|
||
|
||
const { data: comments } = await github.rest.issues.listComments({
|
||
owner,
|
||
repo,
|
||
issue_number: prNumber,
|
||
per_page: 100
|
||
});
|
||
|
||
const backendLicenseComments = comments.filter(comment =>
|
||
comment.body.includes('## ✅ Backend License Check Passed') ||
|
||
comment.body.includes('## ❌ Backend License Check Failed')
|
||
);
|
||
|
||
for (const comment of backendLicenseComments) {
|
||
console.log(`Deleting old backend license comment: ${comment.id}`);
|
||
await github.rest.issues.deleteComment({
|
||
owner,
|
||
repo,
|
||
comment_id: comment.id
|
||
});
|
||
}
|
||
|
||
- name: Comment on PR - Backend License Check Results
|
||
if: (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false) && github.actor != 'dependabot[bot]'
|
||
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
|
||
with:
|
||
github-token: ${{ steps.setup-bot.outputs.token }}
|
||
script: |
|
||
const hasWarnings = process.env.LICENSE_WARNINGS_EXIST === 'true';
|
||
const fs = require('fs');
|
||
let warningDetails = '';
|
||
|
||
if (hasWarnings) {
|
||
try {
|
||
const warningsFile = 'build/reports/dependency-license/dependencies-without-allowed-license.json';
|
||
if (fs.existsSync(warningsFile)) {
|
||
const data = JSON.parse(fs.readFileSync(warningsFile, 'utf8'));
|
||
if (data.length > 0) {
|
||
warningDetails = data.map(dep => `- **${dep.moduleName}@${dep.moduleVersion}** – ${dep.moduleLicenses.map(l => l.licenseName).join(', ')}`).join('\n');
|
||
}
|
||
}
|
||
} catch (e) {
|
||
warningDetails = 'Unable to parse warning details.';
|
||
}
|
||
}
|
||
|
||
let commentBody;
|
||
if (hasWarnings) {
|
||
commentBody = `## ❌ Backend License Check Failed
|
||
|
||
The backend license check has detected dependencies with incompatible or unallowed licenses:
|
||
|
||
${warningDetails || 'See uploaded artifact for details.'}
|
||
|
||
**Action Required:** Please review these licenses and resolve before merging.
|
||
|
||
_This check will fail the PR until license issues are resolved._`;
|
||
} else {
|
||
commentBody = `## ✅ Backend License Check Passed
|
||
|
||
All backend dependencies have valid and allowed licenses.
|
||
|
||
The backend license report has been updated successfully.`;
|
||
}
|
||
|
||
await github.rest.issues.createComment({
|
||
owner: context.repo.owner,
|
||
repo: context.repo.repo,
|
||
issue_number: context.issue.number,
|
||
body: commentBody
|
||
});
|
||
|
||
- name: Fail workflow if license warnings exist (PR only)
|
||
if: github.event_name == 'pull_request' && env.LICENSE_WARNINGS_EXIST == 'true'
|
||
run: |
|
||
echo "❌ Backend license warnings detected. Failing the workflow."
|
||
exit 1
|
||
|
||
- name: Commit changes (push only)
|
||
if: github.event_name == 'push' && env.LICENSE_WARNINGS_EXIST == 'false'
|
||
run: |
|
||
git config user.name "${{ steps.setup-bot.outputs.committer }}"
|
||
git config user.email "${{ steps.setup-bot.outputs.committer-email || 'bot@github.com' }}"
|
||
git add app/core/src/main/resources/static/3rdPartyLicenses.json
|
||
git diff --staged --quiet || echo "CHANGES_DETECTED=true" >> $GITHUB_ENV
|
||
|
||
- name: Prepare PR body (push only)
|
||
if: github.event_name == 'push' && env.CHANGES_DETECTED == 'true'
|
||
run: |
|
||
PR_BODY="Auto-generated by ${{ steps.setup-bot.outputs.app-slug }}[bot]
|
||
|
||
This PR updates the backend license report based on dependency changes."
|
||
|
||
if [ "${{ env.LICENSE_WARNINGS_EXIST }}" = "true" ]; then
|
||
PR_BODY="$PR_BODY
|
||
|
||
## ⚠️ License Compatibility Warnings
|
||
|
||
Incompatible licenses detected – manual review required before merge."
|
||
fi
|
||
echo "PR_BODY<<EOF" >> $GITHUB_ENV
|
||
echo "$PR_BODY" >> $GITHUB_ENV
|
||
echo "EOF" >> $GITHUB_ENV
|
||
|
||
- name: Create Pull Request (push only)
|
||
if: github.event_name == 'push' && env.CHANGES_DETECTED == 'true'
|
||
id: cpr
|
||
uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
|
||
with:
|
||
token: ${{ steps.setup-bot.outputs.token }}
|
||
commit-message: "Update Backend 3rd Party Licenses"
|
||
committer: ${{ steps.setup-bot.outputs.committer }}
|
||
author: ${{ steps.setup-bot.outputs.committer }}
|
||
signoff: true
|
||
branch: update-backend-3rd-party-licenses
|
||
base: main
|
||
title: "Update Backend 3rd Party Licenses"
|
||
body: ${{ env.PR_BODY }}
|
||
labels: Licenses,github-actions,backend
|
||
delete-branch: true
|
||
sign-commits: true
|
||
|
||
- name: Enable Pull Request Automerge (push only, no warnings)
|
||
if: github.event_name == 'push' && steps.cpr.outputs.pull-request-operation == 'created' && env.LICENSE_WARNINGS_EXIST == 'false'
|
||
run: gh pr merge --squash --auto "${{ steps.cpr.outputs.pull-request-number }}"
|
||
env:
|
||
GH_TOKEN: ${{ steps.setup-bot.outputs.token }}
|
||
|
||
- name: Add review required label (push only, with warnings)
|
||
if: github.event_name == 'push' && steps.cpr.outputs.pull-request-operation == 'created' && env.LICENSE_WARNINGS_EXIST == 'true'
|
||
run: gh pr edit "${{ steps.cpr.outputs.pull-request-number }}" --add-label "license-review-required"
|
||
env:
|
||
GH_TOKEN: ${{ steps.setup-bot.outputs.token }}
|