chore(deps): bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 #3900
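# License scan: builds an SPDX SBOM of the repository with Syft, publishes a
# human-readable licence table as an artifact, warns on packages with no
# declared licence and fails the job when a package declares a licence on the
# forbidden (strong-copyleft / restrictive) list.
on:
  push:
    branches:
      - main
  pull_request:
    paths-ignore:
      - '.claude/**'
name: License scan
jobs:
  license:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the actions below are referenced by mutable major-version
      # tags (v6/v7). If immutable action refs are required, pin each to a full
      # commit SHA instead.
      - uses: actions/checkout@v6
      - name: Setup Go
        uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
      - name: Install Go deps
        run: go mod download
      # NOTE(review): this fetches the installer from the syft repository's main
      # branch and runs it as root with no version pin or checksum, so the
      # scanner binary is whatever the latest release is on each run. For
      # reproducible scans pin a release tag (the installer accepts one as its
      # trailing argument) or use a SHA-pinned Syft action, and consider dropping
      # sudo by installing into a user-writable directory that is added to PATH.
      - name: Install Syft
        run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin
      - name: Generate SBOM
        run: |
          # The workflow files and npm lockfiles are excluded so the report covers
          # the Go module graph rather than tooling; output is SPDX 2.x JSON.
          syft scan dir:. \
            --exclude './.github/**' \
            --exclude './package-lock.json' \
            --exclude './bin/scan-images/package-lock.json' \
            -o spdx-json > sbom.spdx.json
      - name: Create licence report artifact
        run: |
          # One TSV row per SPDX package: name, version (blank if absent) and the
          # declared licence (NOASSERTION if absent), aligned into columns.
          jq -r '
            ["PACKAGE", "VERSION", "LICENSE"],
            ["-------", "-------", "-------"],
            (.packages[] | [
              .name,
              (.versionInfo // ""),
              (.licenseDeclared // "NOASSERTION")
            ]) | @tsv
          ' sbom.spdx.json | column -t -s $'\t' | tee license-report.txt
      - name: Upload licence report artifact
        uses: actions/upload-artifact@v7
        with:
          name: license-report
          path: license-report.txt
      - name: Check for unknown licenses
        run: |
          # Warning only: packages whose declared licence is missing or NOASSERTION
          # are listed but do not fail the job. They are also skipped by the
          # forbidden-licence check below, so an unknown licence never blocks.
          UNKNOWN=$(jq -r '
            [.packages[] | select(
              (.licenseDeclared == "NOASSERTION") or
              (.licenseDeclared == "") or
              (.licenseDeclared == null)
            ) | .name] | unique | .[]
          ' sbom.spdx.json)
          if [ -n "$UNKNOWN" ]; then
            echo "::warning::Unknown licenses found for the following packages:"
            echo "$UNKNOWN"
          fi
      - name: Check for forbidden licenses and fail
        run: |
          # Refuse to pass on an empty package list: a scan that found nothing must
          # not read as "no forbidden licenses" (e.g. a wrong scan root or an
          # over-broad exclude pattern).
          PACKAGE_COUNT=$(jq -r '(.packages // []) | length' sbom.spdx.json)
          if [ "$PACKAGE_COUNT" -eq 0 ]; then
            echo "::error::SBOM contains no packages; refusing to treat an empty scan as a pass."
            exit 1
          fi
          # Forbidden licenses: strong copyleft and restrictive (CRITICAL,HIGH severity)
          # GPL (not LGPL), AGPL, SSPL, EUPL, CC restrictive variants, WTFPL, and other copyleft
          # OR expressions: only flagged if ALL alternatives are forbidden
          # The "(^|[^L])" prefix keeps LGPL-* out of the GPL match; "^BCL$" is anchored
          # so it only matches the bare identifier.
          # NOTE(review): jq's test() is case-sensitive and only .licenseDeclared is
          # consulted (not .licenseConcluded); confirm both against what Syft emits.
          FORBIDDEN='(^|[^L])GPL-[1-3]\.0|AGPL-|SSPL-|EUPL-|CC-BY-(NC|ND|SA)-|WTFPL|Commons-Clause|OSL-|QPL-|Sleepycat|NPL-|^BCL$'
          VIOLATIONS=$(jq -r --arg forbidden "$FORBIDDEN" '
            # check: for "A OR B" expressions strip parentheses and require every
            # alternative to match; otherwise test the whole expression.
            def check: if contains(" OR ") then
              [split(" OR ")[] | gsub("[()]";"")] | all(test($forbidden))
            else test($forbidden) end;
            [.packages[] | select(
              .licenseDeclared != null and
              .licenseDeclared != "NOASSERTION" and
              .licenseDeclared != "" and
              (.licenseDeclared | check)
            ) | "\(.name): \(.licenseDeclared)"] | unique | .[]
          ' sbom.spdx.json)
          if [ -n "$VIOLATIONS" ]; then
            echo "::error::Forbidden licenses (strong copyleft) detected:"
            echo "$VIOLATIONS"
            exit 1
          fi
          echo "No forbidden licenses found."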