feat: Add dependency license scanning with licensed #21
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Check dependency licenses | |
| on: | |
| pull_request: | |
| permissions: | |
| contents: read | |
| jobs: | |
| check-dependency-licenses: | |
| runs-on: ubuntu-24.04-arm | |
| env: | |
| PYTHON_VERSION: "3.13" | |
| TASKFILE_VERSION: "v3.44.0" | |
| TASKFILE_PATH: "/home/runner/go/bin" | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| - name: Set up Ruby | |
| uses: ruby/setup-ruby@v1 | |
| with: | |
| ruby-version: '3.3' | |
| - name: Install system dependencies | |
| run: sudo apt-get install -y -qq portaudio19-dev libzbar0 | |
| - name: Install Taskfile | |
| run: which task || curl -sSfL https://taskfile.dev/install.sh | sh -s -- -b ${{ env.TASKFILE_PATH }} ${{ env.TASKFILE_VERSION }} | |
| - name: Check dependency licenses (licensed status) | |
| id: licensed | |
| run: | | |
| export PATH="${{ env.TASKFILE_PATH }}:$PATH" | |
| task license:deps 2>&1 | tee licensed_status.log || true | |
| - name: Annotate and summarize errors | |
| if: always() | |
| run: | | |
| actual_errors_file=$(mktemp) | |
| awk ' | |
| function flush() { | |
| if (block != "") { | |
| print block >> output_file | |
| print "" >> output_file | |
| block = "" | |
| } | |
| } | |
| /^Errors:$/ { in_errors = 1; next } | |
| in_errors && /^\* / { flush(); block = $0; next } | |
| in_errors && /^[[:space:]]+/ { | |
| if (block != "") { | |
| block = block "\n" $0 | |
| } | |
| next | |
| } | |
| in_errors && /^$/ { flush(); next } | |
| in_errors { flush(); in_errors = 0 } | |
| END { flush() } | |
| ' output_file="$actual_errors_file" licensed_status.log | |
| if [ -s "$actual_errors_file" ]; then | |
| echo "::error::Dependency license cache is out of date. Run 'task license:deps' locally, then review the changes, commit, and push the updated files." | |
| echo "### Licensed Summary" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "The following dependency license issues require review:" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| awk ' | |
| BEGIN { RS=""; ORS="\n\n" } | |
| NF { print "```text\n" $0 "\n```" } | |
| ' "$actual_errors_file" >> $GITHUB_STEP_SUMMARY | |
| # GitHub workflow commands need escaped newlines, otherwise only the | |
| # first line is attached to the annotation and the rest is plain log output. | |
| awk ' | |
| function escape(text, escaped) { | |
| escaped = text | |
| gsub(/%/, "%25", escaped) | |
| gsub(/\r/, "%0D", escaped) | |
| gsub(/\n/, "%0A", escaped) | |
| return escaped | |
| } | |
| function flush() { | |
| if (block != "") { | |
| print "::error::" escape(block) | |
| block = "" | |
| } | |
| } | |
| /^\* / { flush(); block = $0; next } | |
| /^[[:space:]]+/ { | |
| if (block != "") { | |
| block = block "\n" $0 | |
| } | |
| next | |
| } | |
| /^$/ { flush(); next } | |
| END { flush() } | |
| ' "$actual_errors_file" | |
| exit 1 | |
| else | |
| echo "✅ Dependency license status: OK" >> $GITHUB_STEP_SUMMARY | |
| fi |