From 6dd00f58d6afd1ddfab3db5326e6fe0c198e3d8b Mon Sep 17 00:00:00 2001
From: Or Shoval
Date: Mon, 14 Aug 2023 16:14:17 +0300
Subject: [PATCH] go mod: Allowlist specific hashicorp modules Due to [1] We need to make sure not to use BSL modules. Luckily the current we use have not changed. The ones that are not changed are SDK/API and general Go libraries. "HashiCorp APIs, SDKs, and almost all other libraries will remain MPL 2.0." [1] [2] This commit creates a github action which allowlists them. Any other module of hashicorp will be rejected, and will need to be manually examined if it uses MPL (or other non restrictive license) or BSL. [1] https://www.hashicorp.com/blog/hashicorp-adopts-business-source-license [2] https://github.com/cncf/foundation/issues/617#issuecomment-1675803976
Signed-off-by: Or Shoval
---
.../workflows/check_hashicorp_modules.yaml | 52 +++++++++++++++++++
1 file changed, 52 insertions(+)
create mode 100644 .github/workflows/check_hashicorp_modules.yaml
diff --git a/.github/workflows/check_hashicorp_modules.yaml b/.github/workflows/check_hashicorp_modules.yaml
new file mode 100644
index 000000000..6bb1c39f1
--- /dev/null
+++ b/.github/workflows/check_hashicorp_modules.yaml
@@ -0,0 +1,52 @@
+name: Check HashiCorp Modules
+on: [push, pull_request]
+jobs:
+ check_modules:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+ - name: Run script
+ run: |
+ allowed_hashicorp_modules=(
+ "github.com/hashicorp/consul/api"
+ "github.com/hashicorp/consul/sdk"
+ "github.com/hashicorp/errwrap"
+ "github.com/hashicorp/hcl"
+ "github.com/hashicorp/logutils"
+ "github.com/hashicorp/mdns"
+ "github.com/hashicorp/memberlist"
+ "github.com/hashicorp/serf"
+ "github.com/hashicorp/go-cleanhttp"
+ "github.com/hashicorp/go-immutable-radix"
+ "github.com/hashicorp/golang-lru"
+ "github.com/hashicorp/go-msgpack"
+ "github.com/hashicorp/go-multierror"
+ "github.com/hashicorp/go.net"
+ "github.com/hashicorp/go-retryablehttp"
+ "github.com/hashicorp/go-rootcerts"
+ "github.com/hashicorp/go-sockaddr"
+ "github.com/hashicorp/go-syslog"
+ "github.com/hashicorp/go-uuid"
+ "github.com/hashicorp/go-version"
+ )
+
+ error_found=false
+ while read -r line; do
+ module=$(echo "$line" | cut -d ' ' -f 1)
+ if [[ $module == github.com/hashicorp/* ]]; then
+ if ! [[ " ${allowed_hashicorp_modules[*]} " == *" $module "* ]]; then
+ echo "found non allowlisted hashicorp module: $module"
+ error_found=true
+ fi
+ fi
+ done < go.sum
+
+ if [[ $error_found == true ]]; then
+ echo "Non allowlisted hashicorp modules found, exiting with an error."
+ echo "HashiCorp adapted BSL, which we cant use on our projects."
+ echo "Please review the licensing, and either add it to the list if it isn't BSL,"
+ echo "or use a different library."
+ exit 1
+ fi
+ echo "All included hashicorp modules are allowlisted"
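Review bot: The new workflow declares no `permissions:` block and pulls `actions/checkout@v2` by a mutable tag, although the job only needs to read `go.sum`. I would add a top-level `permissions:` with `contents: read`, so the job does not inherit whatever default `GITHUB_TOKEN` scope the repository is configured with. I would also pin the action to a full commit SHA (`uses: actions/checkout@<full-commit-sha>`), so a retagged release cannot change what runs here. Separately, the loop compares module paths only, so a later version of an allowlisted path would pass without its licence being looked at again. A comment above `allowed_hashicorp_modules` recording when the list was last reviewed would make that limitation visible.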