feat(ci): check for unaccepted licenses
marvinWolff committed Sep 19, 2024
1 parent 1600354 commit c9cade4
Showing 2 changed files with 103 additions and 0 deletions.
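--- a/.github/scripts/scan-for-licenses.sh
+++ b/.github/scripts/scan-for-licenses.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+
+[[ "$RUNNER_DEBUG" == 1 ]] && set -x
+[[ -o xtrace ]] && export RUNNER_DEBUG=1
+
+set -eu
+set -o pipefail
+
+WHITELIST=(
+"AGPL-3.0" # We're not writing software 🤷
+"CC-BY-SA-3.0"
+"CPL-1.0"
+"GPL-1.0"
+"GPL-2.0"
+"GPL-2.0-with-autoconf-exception"
+"GPL-2.0-with-bison-exception"
+"GPL-3.0"
+"GPL-3.0-with-autoconf-exception"
+"LGPL-2.0"
+"LGPL-2.1"
+"LGPL-3.0"
+"MPL-1.1"
+"MPL-2.0"
+"Ruby"
+"Sleepycat"
+"WTFPL"
+)
+
+# shellcheck disable=SC2016
+licenseConversionJq='map({Image: (.Metadata.RepoTags // .Metadata.RepoDigests)[0], License: (.Results[] | .Licenses[]? | .Name)} as $licenseInfo | $licenseInfo+{PackageOrPath: (.Results[] | .Licenses[]? | select(.Name == $licenseInfo.License) | if .PkgName != "" then .PkgName else .FilePath end)}) | group_by(.License) | map({(.[0].License): (map(del(.License)) | group_by(.Image) | map({(.[0].Image): map(.PackageOrPath) | unique}) | add) }) | add'
+function scanLicenses() {
+local chart="${1?}"
+local licenseMap
+local unacceptedLicenses=()
+local unacceptedLicense
+licenseMap="$(yq -r '.annotations["artifacthub.io/images"]' "$chart/Chart.yaml" | yq -r '.[] | .image' |
+parallel -k trivy image {} --severity HIGH,CRITICAL,MEDIUM -f json --scanners license --license-full --quiet |
+jq -s -r "$licenseConversionJq")"
+mapfile -t unacceptedLicenses < <(<<<"$licenseMap" jq -r --argjson acceptedLicenses "[\"$(echo -n "${WHITELIST[@]}" | tr " " \\n |
+paste -sd '@' | sed 's#@#","#g')\"]" '(keys-$acceptedLicenses)[]')
+if [[ "${#unacceptedLicenses[@]}" -gt 0 ]]; then
+echo "found ${#unacceptedLicenses[@]} untrusted images in '$chart', please fix;" >&2
+for unacceptedLicense in "${unacceptedLicenses[@]}"; do
+echo "license $unacceptedLicense has not been accepted and is used in the following images:" >&2
+for image in $(<<<"$licenseMap" jq -r --arg unacceptedLicense "$unacceptedLicense" '.[$unacceptedLicense] | keys[]'); do
+echo " > $image:" >&2
+for packageOrFile in $(<<<"$licenseMap" jq -r --arg unacceptedLicense "$unacceptedLicense" --arg image "$image" '.[$unacceptedLicense][$image][]'); do
+echo " - $packageOrFile" >&2
+done
+done
+done
+return 1
+fi
+}
+
+if [[ "$#" == 1 && -d "$1" ]]; then
+scanLicenses "$1"
+else
+result=0
+for chart in charts/*; do
+[[ -d "$chart" ]] || continue
+
+if ! scanLicenses "$chart"; then
+result=1
+fi
+done
+exit "$result"
+fi
+
+
+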
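Review bot: The jq that derives unacceptedLicenses (the `mapfile -t unacceptedLicenses < <(...)` line in scanLicenses) runs inside a process substitution, so its exit status is discarded: when licenseMap is `null` (jq's `add` over an empty array, i.e. images with no license findings) or the trivy JSON changes shape, `keys` errors out, the array stays empty and the chart passes — the gate fails open. Computing the list into a variable with `|| return 1` first, and handing the whitelist to jq via `--args` instead of the echo/tr/paste/sed-assembled JSON string, closes that hole and drops the string-built JSON. Separately, `--severity HIGH,CRITICAL,MEDIUM` filters out findings trivy reports with severity UNKNOWN, which, if I read trivy's license-category mapping correctly, is where unrecognised license names land, so those never reach the whitelist comparison; consider including UNKNOWN (and LOW) so every name is compared. The unquoted `$(... jq ...)` in the reporting loops also word-splits image names and file paths, so a path containing whitespace is printed as several entries; `while IFS= read -r` loops over the jq output avoid that.
```shell
# … unchanged: licenseMap pipeline …
local unacceptedList
unacceptedList="$(jq -r '((. // {}) | keys) - $ARGS.positional | .[]' --args "${WHITELIST[@]}" <<<"$licenseMap")" || return 1
if [[ -n "$unacceptedList" ]]; then
  mapfile -t unacceptedLicenses <<<"$unacceptedList"
fi
# … unchanged: reporting loop and return 1 …
```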
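--- a/.github/workflows/check-licenses.yaml
+++ b/.github/workflows/check-licenses.yaml
@@ -0,0 +1,32 @@
+name: Lint Helm Charts
+
+on:
+pull_request:
+types:
+- opened
+- edited
+- reopened
+- synchronize
+paths:
+- charts/**
+merge_group:
+types:
+- checks_requested
+
+jobs:
+getAllCharts:
+uses: ./.github/workflows/get-all-charts.yaml
+with:
+showLibraryCharts: false
+check-licenses:
+name: check licenses
+runs-on: ubuntu-latest
+needs: getAllCharts
+strategy:
+fail-fast: false
+matrix:
+chart: ${{ fromJson(needs.getAllCharts.outputs.charts) }}
+steps:
+- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+- run: pip install yq
+- run: ./.github/scrips/scan-for-licenses.sh ${{ matrix.chart }}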
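Review bot: The final run step invokes `./.github/scrips/scan-for-licenses.sh`, but the script this commit adds lives at `.github/scripts/scan-for-licenses.sh`, so every matrix job will fail with a not-found error before any license is checked; the line should read `- run: ./.github/scripts/scan-for-licenses.sh "$CHART"` with `env: CHART: ${{ matrix.chart }}` on the step. Passing the chart name through `env:` and quoting it, rather than expanding `${{ matrix.chart }}` directly into the shell line, keeps the value out of the command text and handles names with unusual characters. `pip install yq` is unpinned, and the script also needs `trivy` and `parallel`, neither of which this workflow installs; pinning yq and adding an explicit, pinned install step for the others (unless the runner image already ships them) would make the job reproducible and its tooling auditable.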