Add/licensing action #122
Conversation
Co-Authored-By: Vikram <93216400+vikrampm1@users.noreply.github.com>
I hope Co-Authored-By: Vikram <93216400+vikrampm1@users.noreply.github.com>
Going to research this a bit more with @vikrampm1 to see what else is needed to get this action working (or alternatively find a different action to help scan dependency licensing).
Testing repo licensing action in 10up/insert-special-characters#122
Still not able to get this to work, so going to try one other tool but leaving a note that if we close this PR we'll want to revert 10up/.github#20 as no longer needed.
.github/workflows/licensing.yml
# The owner/repo of where the policy is stored | ||
policy: 10up/.github | ||
# The local (within the workspace) or repository | ||
policy-path: blob/trunk/policy.yml |
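Review bot: `policy-path: blob/trunk/policy.yml` pastes a GitHub URL fragment into a value the action resolves as a path relative to the root of the `policy` repository, so the file will not be found. With the policy stored at the root of 10up/.github this should read `policy-path: policy.yml`, and the branch belongs in its own key, `policy-branch: trunk`, matching the `policy` / `policy-path` / `policy-branch` triple the action documents.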
@jeffpaul This policy path: are there subfolders called "blob/trunk"? The tool does not need this; the path is relative to the base path in the repo.
Example:
- name: Advance Security Compliance Action
  uses: GeekMasher/advanced-security-compliance@v1.6.1
  with:
    # The owner/repo of where the policy is stored
    policy: GeekMasher/security-queries
    # The local (within the workspace) or repository
    policy-path: policies/default.yml
    # The branch you want to target
    policy-branch: main
Points to this file https://github.com/GeekMasher/security-queries/blob/main/policies/default.yml
.github/workflows/policy.yml
@@ -0,0 +1,34 @@ | |||
name: Default Policy |
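Review bot: this file starts with `name: Default Policy` and carries no `on:`/`jobs:` keys, so it is the policy-as-code document the action consumes, not a workflow; GitHub Actions treats every `.yml` under `.github/workflows/` as a workflow definition and will report it as invalid. Move it out of `.github/workflows/` (the root of the repo, where the `policy-path` in licensing.yml expects it) or drop it here and reference the copy in 10up/.github.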
This is a policy-as-code file, not a GitHub Actions workflow file. You might need to place this in a different dir or use the policy in your 10up/.github repo.
Moved up a directory level in 6cc130a
Leaving a note here before I head off on vacation that the tweaks I made (thanks for the tips @GeekMasher!) appear to have gotten this action working smoothly, but I think we'll want to remove the policy file from this repo and leverage the one in the 10up/.github repo (since we'll want to run this action across all our projects using the same policy). As such, I'd like us to look at enhancing that policy to match the research I did in listing out the allow or disallow lists in https://github.com/10up/insert-special-characters/pull/157/files for GPL-compatible/-incompatible licenses.
Note we'll want to select either this PR approach or that in #157, but not both.
Closing in favor of #157 as it includes a nice action summary and is a verified action creator on GitHub (though otherwise the action stats are similar). |
Description of the Change
Uses https://github.com/marketplace/actions/ghascompliance as a GitHub Action to scan all commits and PRs to trunk and develop (admitting we might want to dial some of this back after further testing) to check that any dependent code is licensed as GPL-compatible.
Alternate Designs
Cross our fingers and hope that we will catch invalid licensed dependencies on our own
Possible Drawbacks
Until we fine-tune this action, we may get a lot of false positives (but hopefully after some testing this will be relatively quiet until something non-GPL-compatible is mistakenly added in a PR).
Verification Process
Reviewed docs for the GH Action, will see how it performs once this PR is opened and we can view the results of its check.
Checklist:
Changelog Entry
Credits
Props @jeffpaul, @vikrampm1.