Add FINOS licensing actions and release cleanup

Author: dschwartz-ftadvisory

.github/workflows/cve-scanning.yml

@@ -0,0 +1,44 @@
+name: CVE Scanning for Maven
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - master
+    paths:
+      - 'pom.xml'
+      - 'allow-list.xml'
+      - '.github/workflows/cve-scanning.yml'
+  pull_request:
+    paths:
+      - 'pom.xml'
+      - 'allow-list.xml'
+      - '.github/workflows/cve-scanning.yml'
+
+jobs:
+  depcheck:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v3
+    - uses: ./.github/actions/maven-build
+      with:
+        run-tests: false
+    - name: CVE scanning
+      uses: dependency-check/[email protected]
+      env:
+        JAVA_HOME: /opt/jdk
+      with:
+        project: 'Rune Python Runtime'
+        path: '.'
+        format: 'HTML'
+        out: 'reports'
+        args: >
+          --suppression allow-list.xml
+          --failOnCVSS 7
+    - name: Upload results
+      uses: actions/upload-artifact@v4
+      with:
+        name: CVE Scan Report ${{ strategy.job-index }}
+        path: ${{github.workspace}}/reports

.github/workflows/license-scanning.yml

@@ -0,0 +1,51 @@
+name: License Scanning for Maven
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - master
+    paths:
+      - 'pom.xml'
+      - '.github/workflows/license-scanning.yml'
+  pull_request:
+    paths:
+      - 'pom.xml'
+      - '.github/workflows/license-scanning.yml'
+
+env:
+  ALLOW_LICENSES: "'The Apache Software License, Version 2.0' and licenses/license/name!='BSD' and licenses/license/name!='BSD-style license' and licenses/license/name!='Apache License, Version 2.0'"
+  REPORT_PATH: "target/generated-resources/licenses.xml"
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        module-folder: ["./", "./examples", "./rosetta-source"]
+    steps:
+    - uses: actions/checkout@v3
+    - name: Install XQ
+      run: pip install xq
+    - uses: ./.github/actions/maven-build
+      with:
+        run-tests: false
+    - name: License XML report
+      run: mvn org.codehaus.mojo:license-maven-plugin:2.0.0:download-licenses
+    - name: Validate XML report
+      run: |
+        LICENSE_REPORT=`xq "//dependency[licenses/license/name!=${{ env.ALLOW_LICENSES }}]" ./${{ env.REPORT_PATH }}`
+        LINES_FOUND=`echo $LICENSE_REPORT | wc -l`
+        echo "License issues found ..."
+        if [ $LINES_FOUND -gt 1 ]; then echo $LICENSE_REPORT ; exit -1; fi
+      working-directory: ${{ matrix.module-folder }}
+    - name: Upload license reports
+      uses: actions/upload-artifact@v4
+      with:
+        name: license-reports-${{ strategy.job-index }}
+        path: '**/dependencies.html'
+    - name: Upload license XML reports
+      uses: actions/upload-artifact@v4
+      with:
+        name: license-xml-report-${{ strategy.job-index }}
+        path: '**/${{ env.REPORT_PATH }}'

LICENSE.spdx

@@ -3,5 +3,5 @@ DataLicense: CC0-1.0
 Creator: CLOUDRISK Limited and FT Advisory LLC
 PackageName: Rune Python Runtime
 PackageOriginator: CLOUDRISK Limited and FT Advisory LLC
-PackageHomePage: https://github.com/finos/{project slug}
+PackageHomePage: https://github.com/finos/rune-python-runtime
 PackageLicenseDeclared: Apache-2.0