Introduce License Finder to CI

.github/workflows/license-frontend.yml

@@ -0,0 +1,111 @@
+name: License Compliance for frontend
+
+# ## Summary
+#
+# This workflow runs the license_finder CLI only when it detects an update to files related to the License Finder.
+# It also updates $LICENSE_REPORT and git commit.
+#
+# When triggered by a PR from a forked repository, $LICENSE_REPORT is not updated.
+# When triggered by a push to the default branch, $LICENSE_REPORT is not updated either.
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  merge_group:
+
+env:
+  working-directory: frontend
+
+jobs:
+  license_finder:
+    runs-on: ubuntu-latest
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}
+      cancel-in-progress: true
+    timeout-minutes: 10
+    env:
+      LICENSE_REPORT: docs/packages-license.md
+    steps:
+      - name: Check if running in a fork
+        id: fork-check
+        run: echo "is_fork=${{ github.event.pull_request.head.repo.fork }}" >> "$GITHUB_OUTPUT"
+      - name: Create GitHub App Token for non-fork PRs
+        uses: actions/create-github-app-token@v1
+        if: steps.fork-check.outputs.is_fork != 'true'
+        id: app-token
+        with:
+          app-id: ${{ vars.CI_TRIGGER_APP_ID }}
+          private-key: ${{ secrets.CI_TRIGGER_APP_PRIVATE_KEY }}
+      - name: Checkout code for non-fork PRs
+        if: steps.fork-check.outputs.is_fork != 'true'
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+          token: ${{ steps.app-token.outputs.token }}
+      - name: Checkout code for forked PRs
+        if: steps.fork-check.outputs.is_fork == 'true'
+        uses: actions/checkout@v4
+      # To make the success of this job a prerequisite for merging into the main branch,
+      # set a filter here instead of on: to determine whether or not to proceed to the next step.
+      - name: Cache dependency files
+        uses: actions/cache@v4
+        id: cache
+        with:
+          path: |
+            .github/workflows/license-frontend.yml
+            frontend/config/dependency_decisions.yml
+            frontend/config/license_finder.yml
+            frontend/package.json
+            frontend/pnpm-lock.yaml
+          key: license-frontend-${{ runner.os }}-${{ hashFiles('.github/workflows/license-frontend.yml', 'frontend/config/dependency_decisions.yml', 'frontend/config/license_finder.yml', 'frontend/package.json', 'frontend/pnpm-lock.yaml') }}
+      - name: Determine if files changed
+        id: determine
+        run: |
+          if [ "${{ steps.cache.outputs.cache-hit }}" = 'true' ]; then
+            echo "files_changed=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "files_changed=true" >> "$GITHUB_OUTPUT"
+          fi
+      - uses: ./.github/actions/pnpm-setup
+        if: steps.determine.outputs.files_changed == 'true'
+        with:
+          working-directory: ${{ env.working-directory }}
+      - uses: ruby/setup-ruby@v1
+        if: steps.determine.outputs.files_changed == 'true'
+        with:
+          ruby-version: '3.3'
+      - name: Install License Finder
+        if: steps.determine.outputs.files_changed == 'true'
+        run: gem install -N license_finder
+      - name: Run License Finder
+        if: steps.determine.outputs.files_changed == 'true'
+        run: license_finder
+        working-directory: ${{ env.working-directory }}
+
+      # Commit the License Finder report as docs/packages-license.md
+      - name: Generate license report
+        if: |
+          steps.fork-check.outputs.is_fork != 'true'
+          && steps.determine.outputs.files_changed == 'true'
+          && github.ref_name != github.event.repository.default_branch
+        run: |
+          mkdir -p "$(dirname "$LICENSE_REPORT")"
+          license_finder report --format=markdown | tail -n +2 > "$LICENSE_REPORT"
+        working-directory: ${{ env.working-directory }}
+      - name: Commit license report and push
+        if: |
+          steps.fork-check.outputs.is_fork != 'true'
+          && steps.determine.outputs.files_changed == 'true'
+          && github.ref_name != github.event.repository.default_branch
+        run: |
+          git config user.name 'github-actions[bot]'
+          git config user.email 'github-actions[bot]@users.noreply.github.com'
+          git add "$LICENSE_REPORT"
+          git commit -m "Update $LICENSE_REPORT"
+          git push origin "$BRANCH_NAME"
+        env:
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+          BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
+        working-directory: ${{ env.working-directory }}

frontend/config/dependency_decisions.yml

@@ -0,0 +1,79 @@
+---
+- - :permit
+  - MIT
+  - :who: OSPO @masutaka
+    :why: Compatible with Apache-2.0 license. See https://opensource.org/license/MIT
+    :versions: []
+    :when: 2024-11-22 08:47:26.167960000 Z
+- - :permit
+  - Apache 2.0
+  - :who: OSPO @masutaka
+    :why: Compatible with Apache-2.0 license. See https://opensource.org/license/apache-2-0
+    :versions: []
+    :when: 2024-11-22 08:49:11.117254000 Z
+- - :permit
+  - ISC
+  - :who: OSPO @masutaka
+    :why: Compatible with Apache-2.0 license. See https://opensource.org/license/isc-license-txt
+    :versions: []
+    :when: 2024-11-22 08:51:11.110071000 Z
+- - :permit
+  - BSD 0-Clause
+  - :who: OSPO @masutaka
+    :why: Compatible with Apache-2.0 license. See https://opensource.org/license/0BSD
+    :versions: []
+    :when: 2024-11-28 07:37:37.471617000 Z
+- - :permit
+  - BSD 2-Clause
+  - :who: OSPO @masutaka
+    :why: Compatible with Apache-2.0 license. See https://opensource.org/license/BSD-2-Clause
+    :versions: []
+    :when: 2024-11-28 07:38:25.201366000 Z
+- - :permit
+  - BSD 3-Clause
+  - :who: OSPO @masutaka
+    :why: Compatible with Apache-2.0 license. See https://opensource.org/license/BSD-3-Clause
+    :versions: []
+    :when: 2024-11-28 07:39:06.925601000 Z
+- - :permit
+  - BlueOak-1.0.0
+  - :who: OSPO @masutaka
+    :why: Compatible with Apache-2.0 license. See https://opensource.org/license/blue-oak-model-license
+    :versions: []
+    :when: 2024-11-28 07:42:02.017807000 Z
+- - :permit
+  - The Unlicense
+  - :who: OSPO @masutaka
+    :why: Compatible with Apache-2.0 license. See https://opensource.org/license/Unlicense
+    :versions: []
+    :when: 2024-11-28 07:44:45.338620000 Z
+- - :permit
+  - CC-BY-4.0
+  - :who: OSPO @masutaka
+    :why: Compatible with Apache-2.0 license. See https://creativecommons.org/licenses/by/4.0/
+    :versions: []
+    :when: 2024-11-28 07:45:51.500569000 Z
+- - :approve
+  - argparse
+  - :who: OSPO @masutaka
+    :why: Python 2.0 license is compatible with Apache-2.0. But License Finder does
+      not support the name "Python-2.0". See https://github.com/pivotal/LicenseFinder/pull/1053
+    :versions:
+    - 2.0.1
+    :when: 2024-11-28 08:54:56.971593000 Z
+- - :approve
+  - jsonify
+  - :who: OSPO @masutaka
+    :why: Public Domain is compatible with Apache-2.0. But it is not a software license.
+      See https://github.com/liam-hq/liam/issues/111
+    :versions:
+    - 0.0.1
+    :when: 2024-11-29 03:35:11.884802000 Z
+- - :approve
+  - libpg-query
+  - :who: OSPO @masutaka
+    :why: Its license is MIT, but it is mis-detected as a "LICENSE IN LICENSE" license.
+      See https://github.com/launchql/libpg-query-node/pull/85
+    :versions:
+    - 13.3.2
+    :when: 2024-11-29 04:34:33.688831000 Z

frontend/config/license_finder.yml

@@ -0,0 +1,4 @@
+---
+decisions_file: 'config/dependency_decisions.yml'
+enabled_package_managers:
+  - pnpm