From 88cde7225e056423b760c497b797e200e40f0999 Mon Sep 17 00:00:00 2001
From: Maxime Beauchemin
Date: Wed, 18 Dec 2024 17:03:25 -0800
Subject: [PATCH] chore: deprecate fossa in favor of liccheck to validate python licenses (#31515)
---
 .asf.yaml | 1 +
 .github/workflows/dependency-review.yml | 32 +++++++++++++++++++++++-
 pyproject.toml | 33 +++++++++++++++++++++++++
 3 files changed, 65 insertions(+), 1 deletion(-)
diff --git a/.asf.yaml b/.asf.yaml
index 0b7ec5a5b..9fdad3908 100644
--- a/.asf.yaml
+++ b/.asf.yaml
@@ -72,6 +72,7 @@ github:
 - cypress-matrix (3, chrome)
 - cypress-matrix (4, chrome)
 - cypress-matrix (5, chrome)
+ - dependency-review
 - frontend-build
 - pre-commit (current)
 - pre-commit (next)
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 08771876b..ca6f374bd 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -5,7 +5,18 @@
 # Source repository: https://github.com/actions/dependency-review-action
 # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
 name: "Dependency Review"
-on: [pull_request]
+on:
+ push:
+ branches:
+ - "master"
+ - "[0-9].[0-9]*"
+ pull_request:
+ types: [synchronize, opened, reopened, ready_for_review]
+
+# cancel previous workflow jobs for PRs
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
+ cancel-in-progress: true

 permissions:
 contents: read
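Review bot: The added required check `- dependency-review` covers only one of the two jobs this same patch leaves in the workflow; if the existing job's id is `dependency-review` (its definition is outside the hunk), the new `python-dependency-liccheck` job is not branch-protection-enforced, so a GPL/AGPL finding on the Python side turns CI red without actually blocking the merge. That is probably acceptable while the TODO-listed packages are still allow-listed, but the gate only has teeth once `- python-dependency-liccheck` is added next to it. A short comment on the line, `# python license gate (liccheck) is not yet required, see dependency-review.yml`, would make the interim state explicit for whoever tightens it later.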
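Review bot: The new `push` trigger on `master` and the `[0-9].[0-9]*` release branches also fires the existing dependency-review job, whose definition lies outside this hunk; the dependency-review action compares a base and a head ref, and as far as its documented inputs go it needs explicit `base-ref`/`head-ref` on non-PR events, so every merge to master would presumably produce a failing `dependency-review` check on the protected branch. Either scope the review job with `if: github.event_name == 'pull_request'` and let only the liccheck job run on push, or pass the refs (for example `base-ref: ${{ github.event.before }}` and `head-ref: ${{ github.sha }}`), keeping in mind `github.event.before` is all zeros on a newly created release branch. The concurrency group falling back to `github.run_id` on push is fine, since it means master runs never cancel each other, which matches the "for PRs" comment.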
@@ -33,3 +44,22 @@ jobs:
 # pkg:npm/node-forge@1.3.1
 # selecting BSD-3-Clause licensing terms for node-forge to ensure compatibility with Apache
 allow-dependencies-licenses: pkg:npm/store2@2.14.2, pkg:npm/applitools/core, pkg:npm/applitools/core-base, pkg:npm/applitools/css-tree, pkg:npm/applitools/ec-client, pkg:npm/applitools/eg-socks5-proxy-server, pkg:npm/applitools/eyes, pkg:npm/applitools/eyes-cypress, pkg:npm/applitools/nml-client, pkg:npm/applitools/tunnel-client, pkg:npm/applitools/utils, pkg:npm/node-forge@1.3.1, pkg:npm/rgbcolor, pkg:npm/jszip@3.10.1
+
+ python-dependency-liccheck:
+ runs-on: ubuntu-22.04
+ steps:
+ - name: "Checkout Repository"
+ uses: actions/checkout@v4
+
+ - name: Setup Python
+ uses: ./.github/actions/setup-backend/
+
+ - name: "Set up liccheck"
+ run: |
+ pip install liccheck
+ - name: "Run liccheck"
+ run: |
+ # run the checks
+ liccheck -R output.txt
+ # Print the report
+ cat output.txt
diff --git a/pyproject.toml b/pyproject.toml
index 448002b5f..176caaf9e 100644
--- a/pyproject.toml
+++ b/pyproject.toml
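Review bot: In the "Run liccheck" step the report is printed only when the check passes: GitHub's default shell for `run` on ubuntu runners is `bash -e`, so a non-zero exit from `liccheck -R output.txt` aborts the step before `cat output.txt`, and the one case where a reviewer needs to see which package and license tripped the gate is exactly the case where the report is lost. Capture the status, print, then re-raise it as below. Separately, `pip install liccheck` installs the gatekeeper itself unpinned; a tool whose verdict is "are our licenses OK" should at least be version-pinned (`pip install 'liccheck==<version>'`) so a new or hijacked release cannot silently change the outcome of the check, and the same applies to `actions/checkout@v4` if the rest of the file pins actions by SHA.
```yaml
      - name: "Run liccheck"
        run: |
          # run the checks; the default shell is bash -e, so keep going long
          # enough to print the report, then propagate liccheck's exit status
          liccheck -R output.txt || status=$?
          # Print the report
          cat output.txt
          exit "${status:-0}"
```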
@@ -360,3 +360,36 @@ docstring-code-format = false
 # This only has an effect when the `docstring-code-format` setting is
 # enabled.
 docstring-code-line-length = "dynamic"
+
+[tool.liccheck]
+requirement_txt_file = "requirements/base.txt"
+authorized_licenses = [
+ "academic free license (afl)",
+ "apache license 2.0",
+ "apache software",
+ "apache software, bsd",
+ "bsd",
+ "isc license (iscl)",
+ "isc license",
+ "mit",
+ "mozilla public license 2.0 (mpl 2.0)",
+ "osi approved",
+ "osi approved",
+ "python software foundation",
+ "the unlicense (unlicense)",
+ "the unlicense",
+]
+[tool.liccheck.authorized_packages]
+# --------------------------------------------------------------
+# These are ok, checked manually
+# Seems ok, might need legal review
+# https://github.com/urschrei/pypolyline/blob/master/LICENSE.md
+polyline = "2"
+# Apache 2.0 https://github.com/hkwi/python-geohash
+python-geohash = "0"
+# --------------------------------------------------------------
+
+# TODO REMOVE THESE DEPS FROM CODEBASE
+func-timeout = "4" # AGPL
+paramiko = "3" # GPL
+pyxlsb = "1" # GPL
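Review bot: `"osi approved"` appears twice in `authorized_licenses`, and as an allow-list entry it is far broader than the rest of the list: OSI approval says nothing about copyleft (GPL and AGPL are OSI-approved), so if liccheck ever reports a bare `License :: OSI Approved` classifier as a license string, a package carrying that classifier next to a GPL one is waved through at the default level, where one matching license is enough. Drop the duplicate, consider removing the entry altogether, and add an explicit deny list so copyleft is rejected by name rather than by absence, e.g. `unauthorized_licenses = ["gnu general public license v3 (gplv3)", "gnu affero general public license v3"]`, possibly together with the cautious matching level so a single authorized string cannot outweigh an unauthorized one. The three `# TODO REMOVE` packages are currently allow-listed outright, which is the right interim choice but means this gate catches nothing it did not already know about until that block is deleted; a comment noting that `requirement_txt_file` covers only `requirements/base.txt` (development and optional extras are unchecked) would also help the next reader judge the gate's scope.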