magdapoppins / licence-scan-js

Licence scanner action for JavaScript

licence-scan-js

GitHub Action for licence scanner (JS).

This README is intended as the instructions for the Turku.py meetup Hacktoberfest 2021 workshop. Unfortunately we do not yet accept PRs other than those created in the workshop.

Purpose

Software projects typically use multiple third-party software components. Often it is preferable to avoid introducing dependencies that carry copyleft-style open source licenses, because those require you to distribute the software under the same license you received it under. For a proprietary project, this would mean distributing the proprietary code as well.

Checking dependencies' licenses manually would be cumbersome, so it is best to let an automated tool do the scanning. The tool is given a list of allowed licenses and reports an error for every dependency whose license is not on that list.

The license scan should run every time the code changes. If incompatible dependencies are introduced, the change should not be merged into the main branch. A GitHub Action is an ideal way to check this automatically.

This action is intended for JS/TS projects. The scanner used is js-green-licenses.

Step-by-step Instructions

The plan is to create the GitHub Action in this repository and then use it from another repository, hello-react-ts. We will improve the functionality incrementally and test the changes along the way. A new version of the action is released each time a PR is merged, so that the changes can be tested from the test project.

  1. Fork this repository and create a new feature branch.

  2. Create a skeleton for a JavaScript action on your feature branch. You can use the placeholder texts from the instructions for now:

    1. Create an action metadata file
    2. Write the action code
    3. Commit and push the changes. Note! The node_modules directory is included in version control on purpose!
    4. Create a PR and ask the maintainer to release a new version of the action once the PR is merged.

    You should have added the following files to the root of this repository:

      • action.yml
      • index.js
  3. Fork the test repository hello-react-ts and create a new feature branch.

  4. Add a new job to the hello-react-ts project's test workflow in which you test the new GitHub Action you created in step 2.

    1. Edit the file test.yml accordingly.
    2. Commit and push the changes. See the logs for your added job in the Actions tab and check whether the job succeeds. (Note: if the maintainer has not yet released the action, it cannot be run.)
    3. Create a PR for the change.
  5. Add actual license checks using js-green-licenses.

    1. Create a new feature branch for your licence-scan-js fork.
    2. Introduce a new dependency to the project: npm install js-green-licenses
    3. Copy the content from this gist:
      • Replace the contents of index.js
    4. Commit and push the changes. Note! The node_modules directory is included in version control on purpose!
    5. Create a PR and ask the maintainer to release a new version of the action once the PR is merged.
  6. Update the action version in the test project

    1. Create a new feature branch for your hello-react-ts fork.
    2. Edit the job that was added in step 4 so that it uses the latest version of the scan action. Commit and push the changes, then check the job logs and confirm that the job succeeds.
    3. Create a PR.
  7. Continue with further enhancements to the licence-scan-js action:

    • Update the action metadata with correct information.
    • Update the README with usage instructions.
    • Make the license list configurable, so that the action's user can define the allowed licenses.
    • Figure out which arguments the license checker script takes and add support for them to the metadata and README.
    • Add an argument to the action that exports all used licenses as a list and stores it as an artifact after the workflow has run.
    • Check out the actions toolkit and see whether this project would benefit from using it.
    • How about adding some GitHub Actions to this project? What kind of automated checks/tests would be beneficial for this GitHub Action project?
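
To make the allow-list check described under Purpose concrete, and to sketch what a configurable index.js (step 7) could look like, here is an added example. It is not the workshop gist and not js-green-licenses' own code; it assumes a hypothetical action input named allowed_licenses, which GitHub exposes to the script as the INPUT_ALLOWED_LICENSES environment variable, and runs on a constructed sample of dependency metadata.

```javascript
// Default allow list, constructed for this example (the real default is the maintainers' choice).
const DEFAULT_ALLOWED = ['MIT', 'Apache-2.0', 'BSD-2-Clause', 'BSD-3-Clause', 'ISC'];
// Constructed sample of dependency package.json metadata (what a scanner collects from
// node_modules): dual licence, copyleft, the deprecated `licenses` array form, no licence.
const SAMPLE_DEPENDENCIES = [
  { name: 'dual-licensed', version: '1.0.0', license: '(MIT OR GPL-3.0)' },
  { name: 'copyleft-lib', version: '2.1.0', license: 'GPL-3.0' },
  { name: 'old-style', version: '0.9.0', licenses: [{ type: 'BSD-3-Clause', url: 'https://example.invalid' }] },
  { name: 'no-license', version: '0.1.0' },
];
// action.yml inputs reach index.js as INPUT_<NAME> env vars; `allowed_licenses` is a hypothetical input name.
function parseAllowList(raw, fallback = DEFAULT_ALLOWED) {
  const items = (raw || '').split(',').map((s) => s.trim()).filter(Boolean);
  return new Set(items.length ? items : fallback);
}
// Reduce the package.json licence field variants to one SPDX-style string (undefined if absent).
function normalizeLicense(pkg) {
  const lic = pkg.license ?? pkg.licenses;
  if (Array.isArray(lic)) return lic.map((l) => (typeof l === 'string' ? l : l && l.type)).filter(Boolean).join(' OR ') || undefined;
  if (lic && typeof lic === 'object') return lic.type;
  return typeof lic === 'string' && lic.trim() ? lic.trim() : undefined;
}
// Flat SPDX expressions: "A OR B" passes if any alternative is allowed, "A AND B" only if all are.
// Mixed OR/AND expressions are rejected (fail closed) instead of being parsed wrongly.
function licenseIsAllowed(expr, allowed) {
  const flat = expr.replace(/[()]/g, '').trim();
  const hasOr = /\sOR\s/.test(flat), hasAnd = /\sAND\s/.test(flat);
  if (hasOr && hasAnd) return false;
  if (hasOr) return flat.split(/\s+OR\s+/).some((id) => allowed.has(id.trim()));
  if (hasAnd) return flat.split(/\s+AND\s+/).every((id) => allowed.has(id.trim()));
  return allowed.has(flat);
}
// Core check: every dependency whose licence is missing or not allowed is a violation.
function scanDependencies(packages, allowed) {
  const violations = [];
  for (const pkg of packages) {
    const license = normalizeLicense(pkg);
    if (!license) violations.push({ name: pkg.name, version: pkg.version, license: null, reason: 'no licence declared' });
    else if (!licenseIsAllowed(license, allowed)) violations.push({ name: pkg.name, version: pkg.version, license, reason: 'licence not in allow list' });
  }
  return violations;
}
// Entry point: one GitHub Actions error annotation per violation; returns the job's exit status.
function runAction(packages, env = process.env) {
  const violations = scanDependencies(packages, parseAllowList(env.INPUT_ALLOWED_LICENSES));
  for (const v of violations) console.log(`::error::${v.name}@${v.version}: ${v.reason} (${v.license ?? 'none'})`);
  return violations.length === 0 ? 0 : 1;
}
console.log(runAction(SAMPLE_DEPENDENCIES, {}) === 0 ? 'scan passed' : 'scan failed');
```

In a real index.js the last line would instead set process.exitCode to the value runAction returns, so that a violation fails the workflow job and blocks the merge.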

About

License: Apache License 2.0