Telefonica · javierbrea · Feb 14, 2025 · Feb 4, 2025 · Feb 13, 2025 · Feb 14, 2025
diff --git a/.github/check-license-compliance.config.yml b/.github/check-license-compliance.config.yml
@@ -5,33 +5,42 @@ licenses:
   allowed:
     - Apache-2.0
     - MIT
-    - BSD
+    - X11
+    - BSD-2-Clause
+    - BSD-3-Clause
     - ISC
-    - (MIT AND CC-BY-3.0)
+    - Zlib
+    - Unlicense
+    - 0BSD
+    - BlueOak-1.0.0
+    - WTFPL
+    - CC-BY-3.0
+    - CC-BY-4.0
+    - CC0-1.0
+    - Python-2.0
   warning:
+    - CC-BY-SA-3.0
+    - CC-BY-SA-4.0
+    - LGPL-2.1
+    - LGPL-2.1-only
+    - LGPL-2.1+
+    - LGPL-2.1-or-later
     - LGPL-3.0
-    - LGPL-2.0
+    - LGPL-3.0-only
+    - LGPL-3.0+
+    - LGPL-3.0-or-later
+    - MPL-1.1
     - MPL-2.0
     - EPL-1.0
-    - CC-BY-4.0
-    - Python-2.0
-    - BlueOak-1.0.0
-    - CC BY-SA 4.0
-    - CC-BY-3.0
-    - CC0-1.0
+    - Artistic-2.0 # No problem to use it if we are not modifying the code
   forbidden:
+    - GPL-2.0-only
+    - GPL-2.0-or-later
+    - GPL-3.0-only
+    - GPL-3.0-or-later
     - AGPL-3.0
-    - GPL-2.0
-    - GPL-3.0
-allowWarnings: true
-# Options passed directly to the license-checker package
-licenseCheckerOptions:
-  # Global options are applied to all types of checks
-  global:
-    excludePrivatePackages: true
-    excludePackages: "@cspell/dict-en-common-misspellings@2.0.7"
-  # You can also specify options for each type of check. They extend the global options
-  # warning:
-    # excludePrivatePackages: false
-  # forbidden:
-    # excludePrivatePackages: false
+log: debug
+npm:
+  excludeModules:
+    # The following packages have a license that is not a valid SPDX identifier
+    - "babel-plugin-transform-import-meta@2.2.1" # BSD
diff --git a/.github/check-spdx-headers.config.yml b/.github/check-spdx-headers.config.yml
@@ -16,6 +16,7 @@ rules:
     headers:
       - files:
           - "templates/.github/**/*.yml"
+          - "templates/check-license-compliance-configs/*.yml"
         license:
           - "MIT"
         copyright: "<%= year %> <%= copyrightHolder %>"
@@ -48,6 +49,9 @@ rules:
           - "\\d{4}(\\s-\\s\\d{4})? Telefónica Innovación Digital and contributors"
           - "\\d{4}(\\s-\\s\\d{4})? Telefónica Innovación Digital"
           - "\\d{4}(\\s-\\s\\d{4})? Telefónica"
+    ignore:
+      - "templates/.github/**/*.yml"
+      - "templates/check-license-compliance-configs/*.yml"
 ignore:
   - "**/node_modules/**"
   - "dist/**"

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -83,8 +83,36 @@ jobs:
       # workflow artifact.
       - if: ${{ failure() && steps.diff.outcome == 'failure' }}
         name: Upload Artifact
-        id: upload
+        id: upload-dist
         uses: actions/upload-artifact@v4
         with:
           name: dist
           path: dist/
+
+      # This will fail the workflow if the `dist-action/` directory is different than
+      # expected.
+      - name: Compare Directories
+        id: diff-action
+        run: |
+          if [ ! -d dist-action/ ]; then
+            echo "Expected dist-action/ directory does not exist.  See status below:"
+            ls -la ./
+            exit 1
+          fi
+          if [ "$(git diff --ignore-space-at-eol --text dist-action/ | wc -l)" -gt "0" ]; then
+            echo "Detected uncommitted changes after build. See status below:"
+            git diff --ignore-space-at-eol --text dist-action/
+            exit 1
+          fi
+
+      # If `dist-action/` was different than expected, upload the expected version as a
+      # workflow artifact.
+      - if: ${{ failure() && steps.diff-action.outcome == 'failure' }}
+        name: Upload Artifact
+        id: upload-dist-action
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist-action
+          path: dist-action/
+
+
diff --git a/.github/workflows/open-source-checks.yml b/.github/workflows/open-source-checks.yml
@@ -43,7 +43,7 @@ jobs:
           npm-token: ${{ secrets.NPM_TOKEN_XCUT }}
 
       - name: Check License Compliance
-        uses: Telefonica/check-license-compliance/.github/actions/check-and-comment@v1
+        uses: Telefonica/check-license-compliance/.github/actions/check-and-comment@v3.0.0-beta.1
         with:
           config-file: .github/check-license-compliance.config.yml
         env:

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 #### Deprecated
 #### Removed
 
+## [1.1.0] - 2025-02-13
+
+### Added
+
+* feat: Upgrade `check-license-compliance` to v3. Now it supports checking licenses from NPM, Maven, Python and Go dependencies. Update the action configuration accordingly
+* feat: Generate different `check-license-compliance` configurations based on the license type
+* feat: Add `check-license-compliance` options commented out to configuration file, so it is easier to understand what can be configured
+
+### Changed
+
+* chore: Bump `check-spdx-headers` action to version v1
+
+### Fixed
+
+* fix: Fix typo in "0BSD" license
+
 ## [1.0.1] - 2025-01-21
 
 ### Changed

diff --git a/README.md b/README.md
@@ -8,7 +8,7 @@ In detail, it includes:
 
 * A __CLI for scaffolding open source projects__ with the standard files, including workflows for license compliance and integrity checks, community guidelines, and more. Read the [CLI section](#nodejs-cli) below for more information.
 * A __Github workflow__ automating the process of initializing a project with the standard files, by simply creating a new repository from this template and running the workflow. Read the [Repository template section](#repository-template) below for more information.
-* A __Github action__ enabling to check the scaffolding of open source projects, ensuring that some relevant files are not removed after project creation. Read the [Github action section](#github-action-for-checking-the-opensource-resources) below for more information.
+* A __Github action__ enabling to check the scaffolding of open source projects, ensuring that some relevant files are not removed after creating the project. Read the [Github action section](#github-action-for-checking-the-opensource-resources) below for more information.
 
 ## Table of Contents
 
@@ -141,7 +141,7 @@ Once you initialize an open source project using this scaffold, it will include
     * Includes a check to ensure that the contributor has read the Code of Conduct.
 * __A Github Workflow with open source checks__: It is executed on every pull request and pushes to the main branch, and checks the following:
     * [__License Integrity check__](#license-integrity-check): Checks that all files in the project are rightly licensed. That is, it checks that all files have the expected license header according to the license chosen for the project and a given configuration.
-    * [__License compliance check__](#license-compliance-check): Checks that the dependencies of the project are licensed under a license that is compatible with a given configuration. The configuration by default is the one defined in the [Practical Guide to Open Source Software at Telefónica](#preface), but can be customized.
+    * [__License compliance check__](#license-compliance-check): Checks that the dependencies of the project are licensed under a license that is compatible with a given configuration. The configuration by default is the one defined in the [Practical Guide to Open Source Software at Telefónica](#preface) for the chosen project's license, but can be customized.
     * [__Open source resources check__](#opensource-resources-check): Checks that the project still contains the files that have been created by this scaffold, ensuring that the project always remains compliant with the open source guidelines.
 * [__A Github Workflow for automatic CLA signing__](#automatic-contributing-license-agreement): It automates the process of signing the CLA, by creating a comment in the pull request asking contributors who have not signed CLA to sign. It fails the pull request status check with a failure if the contributor has not signed the CLA.
 * __Changelog file__: A changelog file to keep track of the changes in the project. It is based on the [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) format.
@@ -192,10 +192,7 @@ We want to ensure that the software we build is in compliance with our [licensin
 
 This means that we are not incorporating third party software in the project under a license that is not compatible with the license selected for the overall project, or that is not compatible with the company's open source licensing guidelines.
 
-For such purpose, this scaffold includes a job in the "Open Source Checks" workflow. This job uses the [Telefonica/check-license-compliance github action](https://github.com/Telefonica/check-license-compliance). The configuration of the action is defined in the `.github/check-license-compliance.config.yml` file. It is filled automatically with the [inputs](#inputs) provided when creating the scaffold, but it can be also customized manually to fit better your project's needs.
-
-> [!WARNING]
-> The check is language dependent, and, for the moment, it only supports Node.js dependencies. You should comment it out if your project is not a Node.js project, and read the suggestions below to implement you or own check depending on the language of your project.
+For such purpose, this scaffold includes a job in the "Open Source Checks" workflow. This job uses the [Telefonica/check-license-compliance github action](https://github.com/Telefonica/check-license-compliance). The configuration of the action is defined in the `.github/check-license-compliance.config.yml` file. It is filled automatically based on the license provided when creating the scaffold, but it can be also customized manually to fit better your project's needs.
 
 Please review the [licensing guidance](https://telefonicacorp.sharepoint.com/:w:/s/PatentOffice.TMEHI/EV1Yvq2kUhhCgy5FG-lryaYBWLwIRewSMZXsbZJeQ5uhlg?e=Mdrdwh&wdLOR=cCBDCEA92-4CAC-CF4A-BF60-44FC3F909578) when configuring the license compliance check. In case of doubt, please contact the Intellectual Property team, to the email address indicated in such document.
 
@@ -204,53 +201,6 @@ Please review the [licensing guidance](https://telefonicacorp.sharepoint.com/:w:
 > [!TIP]
 > In repositories with [GitHub Advanced Security enabled](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security), you may use the [Github's dependency-review-action](https://github.com/actions/dependency-review-action) instead of the [Telefonica/check-license-compliance github action](https://github.com/Telefonica/check-license-compliance). In such case, modify the `.github/workflows/open-source-checks.yml` to change the action used in the `check-license-compliance` job.
 
-### Checking other languages than Node.js
-
-As mentioned above, the [Telefonica/check-license-compliance github action](https://github.com/Telefonica/check-license-compliance) for the moment only supports Node.js dependencies. If your project is not a Node.js project, you should comment it out and implement your own check depending on the language of your project.
-
-Here you have some suggestions about how to implement the check for some common languages until they are supported by our Github action:
-
-<details>
-  <summary>See code snippets</summary>
-
-### Java
-
-Run this to get the dependency license list.
-
-```bash
-mvn org.codehaus.mojo:license-maven-plugin:aggregate-third-party-report
-```
-
-When this is done, the result will be in ./target/site/aggregate-third-party-report.html.
-
-### Python
-
-```bash
-pip3 install --user pylic
-cd path/to/repo
-touch pyproject.toml
-pylic check
-```
-
-### Go
-
-```bash
-go install github.com/google/go-licenses@latest
-go-licenses check . --allowed_licenses=MIT,ISC,BSD-3-Clause,Apache-2.0,BSD-2-Clause,0BSD,CC-BY-4.0
-```
-
-### PHP
-
-```bash
-composer require dominikb/composer-license-checker
-composer exec composer-license-checker -- check
-```
-
-> [!INFO]
-> These snippets are from the [eBay's open source program docs](https://opensource.ebay.com/contributing/approval/tooling/). Check the original source for more information.
-
-</details>
-
 ## Next steps
 
 Once you have used the scaffolding tools to create the resources, you should follow these steps to finalize the setup of your project:
@@ -259,8 +209,6 @@ Once you have used the scaffolding tools to create the resources, you should fol
 2. __Remember to configure the repository rules__: Remember to configure the branch protection rules to require the different checks in PRs, including the CLA signing check and the open source resources checks. Read the [Configuring the repository section](#configuring-the-repository) for more information.
 3. __Configure the License integrity check__: The scaffold creates a basic configuration for the license integrity check, but you should review it and adapt it to your project. Read the [License Integrity check](#license-integrity-check) section for more information.
 4. __Configure the License compliance check__: The repository creates a basic configuration for the license compliance check, but you should review it and adapt it to your project. Read the [License Compliance check](#license-compliance-check) section for more information.
-    * Remember to modify the `.github/workflows/open-source-checks.yml` file to install the dependencies needed to run the check for your project's language in the `check-license-compliance` job. _(You'll find a TODO comment in the file indicating where to do it.)_
-    * If your project is not a Node.js project, you should comment out the `check-license-compliance` job in the `.github/workflows/open-source-checks.yml` file and implement your own check depending on the language of your project.
 5. __Finish the README file__: The scaffold creates for you a `README.md` file with some basic information about the project and license, but you should fill it with the information about the project, how to install it, how to use it, etc. But remember to __always keep the "Contributing" and "License" sections__.
 6. __Finish the CONTRIBUTING file__: You should do the same with the `CONTRIBUTING.md` file. You should __fill the "Getting Started" section__ with the steps that a contributor should follow to start contributing to the project, and __add as many sections as needed to explain the contribution process__. But you should __always keep the rest of sections__ about the licensing of new files, code of conduct and the CLA.
 

diff --git a/dist-action/index.js b/dist-action/index.js
@@ -42954,7 +42954,7 @@ const RESOURCES = [
     {
         name: "Check license compliance config",
         path: ".github/check-license-compliance.config.yml",
-        origin: "templates/.github/check-license-compliance.config.yml",
+        origin: "templates/check-license-compliance-configs/<%= license %>.yml",
     },
     {
         name: "Check SPDX headers config",

diff --git a/dist-action/index.js.map b/dist-action/index.js.map
diff --git a/docs/assets/check-license-compliance.png b/docs/assets/check-license-compliance.png
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@tid-xcut/opensource-scaffold",
-  "version": "1.0.1",
+  "version": "1.1.0",
   "type": "module",
   "description": "Scaffolding for open source projects. A CLI tool to create open source repositories tools and resources",
   "packageManager": "pnpm@9.4.0",

diff --git a/src/Resources.ts b/src/Resources.ts
@@ -60,7 +60,7 @@ export const RESOURCES: Resource[] = [
   {
     name: "Check license compliance config",
     path: ".github/check-license-compliance.config.yml",
-    origin: "templates/.github/check-license-compliance.config.yml",
+    origin: "templates/check-license-compliance-configs/<%= license %>.yml",
   },
   {
     name: "Check SPDX headers config",

diff --git a/templates/.github/check-license-compliance.config.yml b/templates/.github/check-license-compliance.config.yml
diff --git a/templates/.github/workflows/open-source-checks.yml b/templates/.github/workflows/open-source-checks.yml
@@ -37,10 +37,8 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      # TODO: Add step to install dependencies here
-
       - name: Check License Compliance
-        uses: Telefonica/check-license-compliance/.github/actions/check-and-comment@v1
+        uses: Telefonica/check-license-compliance/.github/actions/check-and-comment@v3.0.0-beta.1
         with:
           config-file: .github/check-license-compliance.config.yml
         env:

diff --git a/templates/check-license-compliance-configs/AGPL-3.0-only.yml b/templates/check-license-compliance-configs/AGPL-3.0-only.yml
@@ -0,0 +1,64 @@
+# SPDX-FileCopyrightText: <%= year %> <%= copyrightHolder %>
+# SPDX-License-Identifier: MIT
+
+# Configuration for the check-license-compliance action. Further info at https://github.com/Telefonica/check-license-compliance
+
+licenses:
+  allowed:
+    - Apache-2.0
+    - MIT
+    - X11
+    - BSD-2-Clause
+    - BSD-3-Clause
+    - ISC
+    - Zlib
+    - Unlicense
+    - 0BSD
+    - BlueOak-1.0.0
+    - WTFPL
+    - CC-BY-3.0
+    - CC-BY-4.0
+    - CC-BY-SA-3.0
+    - CC-BY-SA-4.0
+    - CC0-1.0
+    - MPL-2.0
+    - LGPL-2.1
+    - LGPL-2.1-only
+    - LGPL-2.1+
+    - LGPL-2.1-or-later
+    - LGPL-3.0
+    - LGPL-3.0-only
+    - LGPL-3.0+
+    - LGPL-3.0-or-later
+    - GPL-2.0-or-later
+    - GPL-3.0-only
+    - GPL-3.0-or-later
+    - AGPL-3.0
+  forbidden:
+    - MPL-1.1
+    - EPL-1.0
+    - Python-2.0
+    - GPL-2.0-only
+# production: true # Whether to check production dependencies or not
+# development: true # Whether to check development dependencies or not
+# onlyDirect: false # Whether to check only direct dependencies or not
+# npm: # Configuration for npm dependencies
+#   includeFiles: # Files to include in the check
+#     - "**/package.json"
+#   excludeFiles: # Files to exclude from the check
+#     - "**/node_modules/**"
+#   developmentFiles: # Dependencies in these files are considered development dependencies
+#     - "**/my-dev-package/package.json"
+#   modules: # Only check these modules
+#     - "foo-module@1.0.0"
+#   excludeModules: # Exclude these modules from the check
+#     - "bar-module@1.0.0"
+#   extraModules: # Add these extra modules to the check
+#     - "baz-module@1.0.0"
+# python: # Configuration for python dependencies, similar to npm, plus extra options
+#   recursiveRequirements: true # Whether to check requirements recursively, including -r files
+# maven: {} # Configuration for maven dependencies, similar to npm
+# go: {} # Configuration for go dependencies, similar to npm
+# reporter: text # Reporter to use (text, json, markdown)
+# failOnNotValid: true # Whether to fail the action if a dependency is forbidden
+# log: info # Log level (silly, debug, verbose, info, warn, error)