diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml index 90901675..22597a6f 100644 --- a/.github/workflows/checks.yaml +++ b/.github/workflows/checks.yaml @@ -26,13 +26,8 @@ jobs: with: check-latest: true go-version: "1.21" - - name: Dependency Review - uses: actions/dependency-review-action@v3 - with: - base-ref: ${{ github.event.pull_request.base.sha || 'master' }} - deny-licenses: AGPL-1.0, AGPL-3.0, GPL-1.0, GPL-2.0, GPL-3.0, LGPL-2.0, LGPL-2.1, LGPL-3.0, BUSL-1.1 - fail-on-severity: moderate - head-ref: ${{ github.event.pull_request.head.sha || github.ref }} + - name: Dependency Licenses Review + run: make check-dependency-licenses - name: Run govulncheck uses: golang/govulncheck-action@v1 - name: Check for spelling errors @@ -44,7 +39,4 @@ jobs: ignore: importas reporter: github-check - name: Check if source code files have license header - run: | - shopt -s globstar - go install github.com/google/addlicense@latest - addlicense --check -ignore "vendor/**" -- **/*.go + run: make check-license-headers diff --git a/.license-scan-overrides.jsonl b/.license-scan-overrides.jsonl new file mode 100644 index 00000000..637692ba --- /dev/null +++ b/.license-scan-overrides.jsonl @@ -0,0 +1,2 @@ +{"name": "github.com/jpillora/longestcommon", "licenceType": "MIT"} +{"name": "github.com/spdx/tools-golang", "licenceTextOverrideFile": "vendor/github.com/spdx/tools-golang/LICENSE.code"} diff --git a/Makefile b/Makefile index 0d392934..8629f449 100644 --- a/Makefile +++ b/Makefile @@ -49,14 +49,12 @@ null := space := $(null) $(null) comma := , -check: FORCE build-all static-check build/cover.html +check: FORCE static-check build/cover.html build-all @printf "\e[1;32m>> All checks successful.\e[0m\n" -prepare-static-check: FORCE - @if ! hash golangci-lint 2>/dev/null; then printf "\e[1;36m>> Installing golangci-lint (this may take a while)...\e[0m\n"; go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest; fi - -static-check: FORCE prepare-static-check +run-golangci-lint: FORCE @printf "\e[1;36m>> golangci-lint\e[0m\n" + @if ! hash golangci-lint 2>/dev/null; then printf "\e[1;36m>> Installing golangci-lint (this may take a while)...\e[0m\n"; go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest; fi @golangci-lint run build/cover.out: FORCE | build @@ -67,6 +65,8 @@ build/cover.html: build/cover.out @printf "\e[1;36m>> go tool cover > build/cover.html\e[0m\n" @go tool cover -html $< -o $@ +static-check: FORCE run-golangci-lint check-license-headers + build: @mkdir $@ @@ -80,9 +80,21 @@ vendor-compat: FORCE go mod vendor go mod verify -license-headers: FORCE +prepare-addlicense: FORCE @if ! hash addlicense 2>/dev/null; then printf "\e[1;36m>> Installing addlicense...\e[0m\n"; go install github.com/google/addlicense@latest; fi - find * \( -name vendor -type d -prune \) -o \( -name \*.go -exec addlicense -c "SAP SE" -- {} + \) + +license-headers: FORCE prepare-addlicense + @printf "\e[1;36m>> addlicense\e[0m\n" + @addlicense -c "SAP SE" -ignore "vendor/**" -- **/*.go + +check-license-headers: FORCE prepare-addlicense + @printf "\e[1;36m>> addlicense\e[0m\n" + @bash -c 'shopt -s globstar; addlicense --check -ignore "vendor/**" -- **/*.go' + +check-dependency-licenses: FORCE + @printf "\e[1;36m>> go-licence-detector\e[0m\n" + @if ! hash go-licence-detector 2>/dev/null; then printf "\e[1;36m>> Installing go-licence-detector...\e[0m\n"; go install go.elastic.co/go-licence-detector@latest; fi + @go list -m -mod=mod -json all | go-licence-detector -includeIndirect -rules .license-scan-rules.json -overrides .license-scan-overrides.jsonl clean: FORCE git clean -dxf build @@ -104,25 +116,28 @@ help: FORCE @printf " make \e[36m\e[0m\n" @printf "\n" @printf "\e[1mGeneral\e[0m\n" - @printf " \e[36mvars\e[0m Display values of relevant Makefile variables.\n" - @printf " \e[36mhelp\e[0m Display this help.\n" + @printf " \e[36mvars\e[0m Display values of relevant Makefile variables.\n" + @printf " \e[36mhelp\e[0m Display this help.\n" @printf "\n" @printf "\e[1mBuild\e[0m\n" - @printf " \e[36mbuild-all\e[0m Build all binaries.\n" - @printf " \e[36mbuild/limesctl\e[0m Build limesctl.\n" - @printf " \e[36minstall\e[0m Install all binaries. This option understands the conventional 'DESTDIR' and 'PREFIX' environment variables for choosing install locations.\n" + @printf " \e[36mbuild-all\e[0m Build all binaries.\n" + @printf " \e[36mbuild/limesctl\e[0m Build limesctl.\n" + @printf " \e[36minstall\e[0m Install all binaries. This option understands the conventional 'DESTDIR' and 'PREFIX' environment variables for choosing install locations.\n" @printf "\n" @printf "\e[1mTest\e[0m\n" - @printf " \e[36mcheck\e[0m Run the test suite (unit tests and golangci-lint).\n" - @printf " \e[36mprepare-static-check\e[0m Install golangci-lint. This is used in CI, you should probably install golangci-lint using your package manager.\n" - @printf " \e[36mstatic-check\e[0m Run golangci-lint.\n" - @printf " \e[36mbuild/cover.out\e[0m Run tests and generate coverage report.\n" - @printf " \e[36mbuild/cover.html\e[0m Generate an HTML file with source code annotations from the coverage report.\n" + @printf " \e[36mcheck\e[0m Run the test suite (unit tests and golangci-lint).\n" + @printf " \e[36mrun-golangci-lint\e[0m Install and run golangci-lint. Installing is used in CI, but you should probably install golangci-lint using your package manager.\n" + @printf " \e[36mbuild/cover.out\e[0m Run tests and generate coverage report.\n" + @printf " \e[36mbuild/cover.html\e[0m Generate an HTML file with source code annotations from the coverage report.\n" + @printf " \e[36mstatic-check\e[0m Run static code checks\n" @printf "\n" @printf "\e[1mDevelopment\e[0m\n" - @printf " \e[36mvendor\e[0m Run go mod tidy, go mod verify, and go mod vendor.\n" - @printf " \e[36mvendor-compat\e[0m Same as 'make vendor' but go mod tidy will use '-compat' flag with the Go version from go.mod file as value.\n" - @printf " \e[36mlicense-headers\e[0m Add license headers to all .go files excluding the vendor directory.\n" - @printf " \e[36mclean\e[0m Run git clean.\n" + @printf " \e[36mvendor\e[0m Run go mod tidy, go mod verify, and go mod vendor.\n" + @printf " \e[36mvendor-compat\e[0m Same as 'make vendor' but go mod tidy will use '-compat' flag with the Go version from go.mod file as value.\n" + @printf " \e[36mprepare-addlicense\e[0m Install addlicense\n" + @printf " \e[36mlicense-headers\e[0m Add license headers to all .go files excluding the vendor directory.\n" + @printf " \e[36mcheck-license-headers\e[0m Check license headers in all .go files excluding the vendor directory.\n" + @printf " \e[36mcheck-dependency-licenses\e[0m Check all dependency licenses using go-licence-detector.\n" + @printf " \e[36mclean\e[0m Run git clean.\n" .PHONY: FORCE