From e2e132eebb556ebaecb7e0b67aceb3c2b286ee05 Mon Sep 17 00:00:00 2001
From: Marc Dumais
Date: Fri, 19 Jan 2024 11:12:44 -0500
Subject: [PATCH] Add 3PP license check as part of PR CI The license check can be triggered locally: yarn license:check For automatic opening of IP tickets for suspicious depedencies, set an Eclipse Foundation gitlab token as environment variable "DASH_TOKEN" and run the alternate pacakge.json script. e.g.: export DASH_TOKEN="" yarn license:check:reviewAdd 3PP license check as part of PR CI Closes #268
Signed-off-by: Marc Dumais
---
 .github/workflows/license-check-workflow.yml | 52 ++++++++++++++++++++
 .gitignore | 1 +
 configs/license-check-config.json | 8 +++
 package.json | 5 +-
 yarn.lock | 5 ++
 5 files changed, 70 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/license-check-workflow.yml
 create mode 100644 configs/license-check-config.json
diff --git a/.github/workflows/license-check-workflow.yml b/.github/workflows/license-check-workflow.yml
new file mode 100644
index 0000000..da95658
--- /dev/null
+++ b/.github/workflows/license-check-workflow.yml
@@ -0,0 +1,52 @@
+name: 3PP License Check
+
+on:
+ push:
+ branches:
+ - master
+ workflow_dispatch:
+ pull_request:
+ branches:
+ - master
+ schedule:
+ - cron: '0 4 * * *' # Runs every day at 4am: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#scheduled-events-schedule
+
+jobs:
+
+ License-check:
+ name: 3PP License Check using dash-licenses
+
+ strategy:
+ fail-fast: false
+ matrix:
+ os: [ubuntu-latest]
+ node: [18]
+ java: [11]
+
+ runs-on: ${{ matrix.os }}
+ timeout-minutes: 20
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 2
+
+ - name: Use Node.js ${{ matrix.node }}
+ uses: actions/setup-node@v3
+ with:
+ node-version: ${{ matrix.node }}
+
+ - name: Use Java ${{ matrix.java }}
+ uses: actions/setup-java@v3
+ with:
+ distribution: 'adopt'
+ java-version: ${{ matrix.java }}
+
+ - name: Run dash-licenses
+ shell: bash
+ run: |
+ yarn --frozen-lockfile --ignore-scripts
+ yarn license:check
+ env:
+ DASH_TOKEN: ${{ secrets.DASH_LICENSES_PAT }}
diff --git a/.gitignore b/.gitignore
index 6b2c111..c3aed74 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@ bundle.js
 coverage
 lib
 node_modules
+license-check-summary.txt*
diff --git a/configs/license-check-config.json b/configs/license-check-config.json
new file mode 100644
index 0000000..04bb8a2
--- /dev/null
+++ b/configs/license-check-config.json
@@ -0,0 +1,8 @@
+{
+ "project": "ecd.cdt-cloud",
+ "review": false,
+ "inputFile": "yarn.lock",
+ "batch": 50,
+ "timeout": 200,
+ "summary": "license-check-summary.txt"
+}
diff --git a/package.json b/package.json
index 3513973..714bf96 100644
--- a/package.json
+++ b/package.json
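Review bot: The `Run dash-licenses` step in the new workflow exports `DASH_TOKEN` from `secrets.DASH_LICENSES_PAT` on every trigger, including `pull_request`, although it only runs `yarn license:check` and the commit message describes the token as needed for the `license:check:review` variant. Everything that step executes from the checked-out branch (the package.json script and the package it resolves) can read the token, so drop the `env:` block here, or move it to a separate review step guarded by `if: github.event_name != 'pull_request'`. The workflow also declares no `permissions:`, so the job inherits the repository's default GITHUB_TOKEN scope; a top-level `permissions:` with `contents: read` should be enough for a checkout-and-scan job. Pinning `actions/checkout@v3`, `actions/setup-node@v3` and `actions/setup-java@v3` to full commit SHAs would remove the reliance on mutable tags.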
@@ -9,7 +9,9 @@
 "start": "lerna run start",
 "test": "lerna run test --",
 "publish:latest": "lerna publish --registry=https://registry.npmjs.org/ --exact --no-git-tag-version --no-push",
- "publish:next": "lerna publish --registry=https://registry.npmjs.org/ --exact --canary minor --preid=next.$(date -u '+%Y%m%d%H%M%S').$(git rev-parse --short HEAD) --dist-tag=next --no-git-tag-version --no-push --yes"
+ "publish:next": "lerna publish --registry=https://registry.npmjs.org/ --exact --canary minor --preid=next.$(date -u '+%Y%m%d%H%M%S').$(git rev-parse --short HEAD) --dist-tag=next --no-git-tag-version --no-push --yes",
+ "license:check": "npx dash-licenses-wrapper --configFile=./configs/license-check-config.json",
+ "license:check:review": "npx dash-licenses-wrapper --configFile=./configs/license-check-config.json --review"
 },
 "keywords": [
 "gantt",
@@ -26,6 +28,7 @@
 },
 "homepage": "https://github.com/theia-ide/timeline-chart",
 "devDependencies": {
+ "@eclipse-dash/nodejs-wrapper": "^0.0.1",
 "lerna": "^7.0.0",
 "typescript": "^5.2.2"
 },
diff --git a/yarn.lock b/yarn.lock
index 6880de9..d1f8c9b 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -319,6 +319,11 @@
 resolved "https://registry.npmjs.org/@discoveryjs/json-ext/-/json-ext-0.5.7.tgz#1d572bfbbe14b7704e0ba0f39b74815b84870d70"
 integrity sha512-dBVuXR082gk3jsFp7Rd/JI4kytwGHecnCoTtXFb7DB6CNHp4rg5k1bhg0nWdLGLnOV71lmDzGQaLMy8iPLY0pw==
 
+"@eclipse-dash/nodejs-wrapper@^0.0.1":
+ version "0.0.1"
+ resolved "https://registry.yarnpkg.com/@eclipse-dash/nodejs-wrapper/-/nodejs-wrapper-0.0.1.tgz#f2629671cf090a84c4d69a8fec42f198e583d103"
+ integrity sha512-Rkk8O8hEVi/+LC/co7ly1zGLVwCNJG3yPbalsz1FHAqk6WZyEaWNf29EX6jz4vTfR5wpv2xAfF2yokKuStiOdA==
+
 "@hutson/parse-repository-url@^3.0.0":
 version "3.0.2"
 resolved "https://registry.npmjs.org/@hutson/parse-repository-url/-/parse-repository-url-3.0.2.tgz#98c23c950a3d9b6c8f0daed06da6c3af06981340"
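Review bot: Both new scripts in the first package.json hunk call `npx dash-licenses-wrapper`, an unscoped name that differs from the `@eclipse-dash/nodejs-wrapper` devDependency added in the second hunk, so if the local bin is ever missing npx may resolve that name against the public registry rather than the locked, integrity-checked package. Scripts run through yarn already have `node_modules/.bin` on PATH, so the `npx` prefix can be dropped: `"license:check": "dash-licenses-wrapper --configFile=./configs/license-check-config.json"` (and the same for `license:check:review`). This assumes the wrapper package exposes a bin named `dash-licenses-wrapper`, which the patch does not show and is worth confirming. It matters most in the CI job, where `DASH_TOKEN` is in the environment of the step that runs this script.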