OSS: First checks via Eclipse Dash #126

@nradakovic

Background

Ensuring compliance with licensing requirements for tools and binaries used in the repository is critical to maintaining legal and operational integrity. To address this, we propose introducing the Eclipse Dash License Tool, which will check the license types of tools and binaries. The tool will be integrated with Bazel for ease of use and added to our CI workflows for automated compliance checks.

Objectives

  1. Integrate the dash tool into the Bazel build system.
  2. Automate license compliance checks as part of the CI pipeline.
  3. Provide visibility into the licenses of all dependencies.
  4. Fail builds if non-compliant or unknown licenses are detected.

Acceptance Criteria

  • The dash tool is successfully integrated into Bazel and can scan all dependencies pulled by the build system:
    • Python
    • Rust
    • Go
    • Bazel
  • A GitHub Actions workflow is set up to run dash on every push and pull request.
  • Non-compliant or unknown licenses cause the CI workflow to fail.
  • Documentation is updated with instructions for running dash manually and interpreting its results.

Proposed Steps

  • Add dash to the Bazel workspace:
    • Include the dash tool as a dependency in the Bazel setup.
    • Configure a Bazel rule to invoke dash and perform license checks.
  • Set up CI workflow:
    • Implement a GitHub Actions workflow that runs the dash tool during CI.
    • Configure the workflow to fail for non-compliant licenses or errors.
  • Update documentation:
    • Provide instructions for running dash manually via Bazel.
    • Add details on interpreting the results and resolving license issues.

Resources

Impact

By integrating the dash tool into Bazel and the CI pipeline:

  • We ensure automated and consistent license compliance checks across the project.
  • Risks associated with introducing non-compliant licenses are minimized.
  • Developers gain visibility into the licensing of dependencies, supporting informed decision-making.
  • The overall quality, maintainability, and legal compliance of the repository are improved.
