From f9b6a6aa84111c9d3ac0380c49e536c2d6da843e Mon Sep 17 00:00:00 2001
From: Sebastian Thomschke <sebthom@users.noreply.github.com>
Date: Sat, 18 May 2024 16:08:01 +0200
Subject: [PATCH] Add license check job

---
 .github/workflows/licensecheck.yml | 138 +++++++++++++++++++++++++++++
 1 file changed, 138 insertions(+)
 create mode 100644 .github/workflows/licensecheck.yml

diff --git a/.github/workflows/licensecheck.yml b/.github/workflows/licensecheck.yml
new file mode 100644
index 000000000..830a1aa08
--- /dev/null
+++ b/.github/workflows/licensecheck.yml
@@ -0,0 +1,138 @@
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
+name: License check
+
+on:
+  push:
+    branches-ignore:  # build all branches except:
+    - 'dependabot/**'  # prevent GHA triggered twice (once for commit to the branch and once for opening/syncing the PR)
+    tags-ignore:  # don't build tags
+    - '**'
+  pull_request:
+  workflow_dispatch:
+    # https://github.blog/changelog/2020-07-06-github-actions-manual-triggers-with-workflow_dispatch/
+    inputs:
+      dash-iplab-token:
+        description: "Gitlab Personal Access Token (https://gitlab.eclipse.org/-/profile/personal_access_tokens) with 'api'' scope for Automatic IP Team Review Requests via org.eclipse.dash:license-tool-plugin, see https://github.com/eclipse/dash-licenses#automatic-ip-team-review-requests"
+        default: ""
+        type: string
+
+
+defaults:
+  run:
+    shell: bash
+
+
+env:
+  JAVA_VERSION: 17
+
+
+jobs:
+
+  ###########################################################
+  license_check:
+  ###########################################################
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: "Show: GitHub context"
+      env:
+        GITHUB_CONTEXT: ${{ toJSON(github) }}
+      run: echo $GITHUB_CONTEXT
+
+
+    - name: "Show: environment variables"
+      run: env | sort
+
+
+    - name: Git Checkout
+      uses: actions/checkout@v4  # https://github.com/actions/checkout
+
+
+    - name: "Install: JDK ${{ env.JAVA_VERSION }} ☕"
+      uses: actions/setup-java@v4  # https://github.com/actions/setup-java
+      with:
+        distribution: temurin
+        java-version: ${{ env.JAVA_VERSION }}
+
+
+    - name: "Cache: Local Maven Repository"
+      uses: actions/cache/restore@v4
+      with:
+        # Excluded sub directory not working https://github.com/actions/toolkit/issues/713
+        path: |
+          ~/.m2/repository/*
+          !~/.m2/repository/.cache/tycho
+          !~/.m2/repository/.meta/p2-artifacts.properties
+          !~/.m2/repository/p2
+          !~/.m2/repository/*SNAPSHOT*
+        key: ${{ runner.os }}-${{ runner.arch }}-repo-mvn-${{ hashFiles('**/pom.xml') }}
+
+
+    - name: "Cache: Local Tycho Repository"
+      uses: actions/cache/restore@v4
+      with:
+        path: |
+          ~/.m2/repository/.cache/tycho
+          ~/.m2/repository/.meta/p2-artifacts.properties
+          ~/.m2/repository/p2
+        key: ${{ runner.os }}-${{ runner.arch }}-repo-tycho-${{ hashFiles('target-platforms/target-platform-latest/target-platform-latest.target') }}
+
+
+    - name: "Install: Maven"
+      uses: stCarolas/setup-maven@v5  # https://github.com/stCarolas/setup-maven
+      with:
+        maven-version: 3.9.6
+
+
+    - name: Dash License check  # see https://github.com/eclipse/dash-licenses
+      env:
+        DASH_IPLAB_TOKEN: "${{ inputs.dash-iplab-token }}"
+      run: |
+        set -eu
+
+        MAVEN_OPTS="${MAVEN_OPTS:-}"
+        if [[ "${{ runner.os }}" == "Windows" ]]; then
+          MAVEN_OPTS+=" -Djava.security.egd=file:/dev/urandom" # https://www.baeldung.com/java-security-egd#bd-testing-the-effect-of-javasecurityegd
+        else
+          MAVEN_OPTS+=" -Djava.security.egd=file:/dev/./urandom" # https://stackoverflow.com/questions/58991966/what-java-security-egd-option-is-for/59097932#59097932
+        fi
+        MAVEN_OPTS+=" -Dorg.slf4j.simpleLogger.showDateTime=true -Dorg.slf4j.simpleLogger.dateTimeFormat=HH:mm:ss,SSS" # https://stackoverflow.com/questions/5120470/how-to-time-the-different-stages-of-maven-execution/49494561#49494561
+        MAVEN_OPTS+=" -Xmx1024m -Djava.awt.headless=true -Djava.net.preferIPv4Stack=true -Dhttps.protocols=TLSv1.3,TLSv1.2"
+        export MAVEN_OPTS
+        echo "MAVEN_OPTS: $MAVEN_OPTS"
+
+        if [[ ${ACT:-} == "true" ]]; then # when running locally using nektos/act
+           maven_args="-Djgit.dirtyWorkingTree=warning"
+        else
+           maven_args="--no-transfer-progress"
+        fi
+
+        # "excludeArtifactIds" parameter is to prevent builds from failing with:
+        # License information could not be automatically verified for the following content:
+        # p2/orbit/p2.p2.installable.unit/org.eclipse.rcp_root/4.24.0.v20220607-0700
+        # p2/orbit/p2.eclipse.plugin/org.eclipse.ui.tests.harness/1.10.0.v20230220-1021
+        # This content is either not correctly mapped by the system, or requires review.
+        # Error: Dependency license check failed. Some dependencies need to be vetted. 
+
+        mvn \
+          --errors \
+          --update-snapshots \
+          --batch-mode \
+          --show-version \
+          -Dtycho.disableP2Mirrors=true \
+          $maven_args \
+          org.eclipse.dash:license-tool-plugin:license-check \
+          -Dtycho.target.eager=true \
+          -Ddash.projectId=technology.lsp4e \
+          -Ddash.iplab.token="$DASH_IPLAB_TOKEN" \
+          -Ddash.fail=true \
+          -Ddash.summary=DEPENDENCIES \
+          -DexcludeArtifactIds=\
+        org.eclipse.rcp_root,\
+        org.eclipse.ui.tests.harness
+
+
+    - name: Dash Summary
+      if: always()
+      run: cat DEPENDENCIES