chore: deprecate fossa in favor of liccheck to validate python licenses (#31515)

2024-12-18 17:03:25 -08:00 · 2024-12-18 17:03:25 -08:00 · 88cde7225e
parent e788b858d0
commit 88cde7225e
3 changed files with 65 additions and 1 deletions
--- a/.asf.yaml
+++ b/.asf.yaml
@ -72,6 +72,7 @@ github:
          - cypress-matrix (3, chrome)
          - cypress-matrix (4, chrome)
          - cypress-matrix (5, chrome)
+          - dependency-review
          - frontend-build
          - pre-commit (current)
          - pre-commit (next)
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@ -5,7 +5,18 @@
 # Source repository: https://github.com/actions/dependency-review-action
 # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
 name: "Dependency Review"
-on: [pull_request]
+on:
+  push:
+    branches:
+      - "master"
+      - "[0-9].[0-9]*"
+  pull_request:
+    types: [synchronize, opened, reopened, ready_for_review]
+
+# cancel previous workflow jobs for PRs
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
+  cancel-in-progress: true

 permissions:
  contents: read
@ -33,3 +44,22 @@ jobs:
          # pkg:npm/node-forge@1.3.1
          #   selecting BSD-3-Clause licensing terms for node-forge to ensure compatibility with Apache
          allow-dependencies-licenses: pkg:npm/store2@2.14.2, pkg:npm/applitools/core, pkg:npm/applitools/core-base, pkg:npm/applitools/css-tree, pkg:npm/applitools/ec-client, pkg:npm/applitools/eg-socks5-proxy-server, pkg:npm/applitools/eyes, pkg:npm/applitools/eyes-cypress, pkg:npm/applitools/nml-client, pkg:npm/applitools/tunnel-client, pkg:npm/applitools/utils, pkg:npm/node-forge@1.3.1, pkg:npm/rgbcolor, pkg:npm/jszip@3.10.1
+
+  python-dependency-liccheck:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: "Checkout Repository"
+        uses: actions/checkout@v4
+
+      - name: Setup Python
+        uses: ./.github/actions/setup-backend/
+
+      - name: "Set up liccheck"
+        run: |
+          pip install liccheck
+      - name: "Run liccheck"
+        run: |
+          # run the checks
+          liccheck -R output.txt
+          # Print the report
+          cat output.txt
--- a/pyproject.toml
+++ b/pyproject.toml
@ -360,3 +360,36 @@ docstring-code-format = false
 # This only has an effect when the `docstring-code-format` setting is
 # enabled.
 docstring-code-line-length = "dynamic"
+
+[tool.liccheck]
+requirement_txt_file = "requirements/base.txt"
+authorized_licenses = [
+    "academic free license (afl)",
+    "apache license 2.0",
+    "apache software",
+    "apache software, bsd",
+    "bsd",
+    "isc license (iscl)",
+    "isc license",
+    "mit",
+    "mozilla public license 2.0 (mpl 2.0)",
+    "osi approved",
+    "osi approved",
+    "python software foundation",
+    "the unlicense (unlicense)",
+    "the unlicense",
+]
+[tool.liccheck.authorized_packages]
+# --------------------------------------------------------------
+# These are ok, checked manually
+# Seems ok, might need legal review
+# https://github.com/urschrei/pypolyline/blob/master/LICENSE.md
+polyline = "2"
+# Apache 2.0 https://github.com/hkwi/python-geohash
+python-geohash = "0"
+# --------------------------------------------------------------
+
+# TODO REMOVE THESE DEPS FROM CODEBASE
+func-timeout = "4"  # AGPL
+paramiko = "3"  # GPL
+pyxlsb = "1"  # GPL