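---
# licscan composite action: installs the licscan CLI, scans the project,
# publishes the markdown report (PR comment + artifact), and finally
# enforces the policy verdict as a separate, last step.
#
# The policy gate is deliberately the LAST step: composite actions stop
# at the first failing step, so if the `--ci` exit code lived inside the
# scan step (as it originally did), a deny verdict would abort the action
# before the PR comment and artifact upload ran — i.e. the report would be
# missing exactly when it matters most.
name: 'licscan'
description: 'Scan a project for dependency licenses, enforce policy, and post a PR comment with the report'
author: 'codelake Technologies LLC'
branding:
  icon: 'shield'
  color: 'green'

inputs:
  path:
    description: 'Project directory to scan'
    required: false
    default: '.'
  version:
    description: 'licscan version to install (e.g. v0.11.0, or "latest")'
    required: false
    default: 'latest'
  format:
    description: 'Output format printed to the workflow log (table, json, html, cyclonedx, spdx, markdown). The markdown report is always produced separately for the PR comment + workflow artefact regardless of this setting.'
    required: false
    default: 'table'
  fail-on-violation:
    description: 'Fail the workflow on a policy deny verdict (CI mode). Set to "false" to scan-and-report only.'
    required: false
    default: 'true'
  pr-comment:
    description: 'When running on a pull_request event, post the markdown report as a PR comment.'
    required: false
    default: 'true'
  cra:
    description: 'Also emit EU CRA evidence (PDF + CycloneDX JSON) into the cra-output directory'
    required: false
    default: 'false'
  cra-output:
    description: 'Output directory for --cra artefacts (relative to the workspace)'
    required: false
    default: 'licscan-cra-evidence'
  upload-artifact:
    description: 'Upload the markdown report (plus CRA artefacts when --cra) as a workflow artifact'
    required: false
    default: 'true'
  install-base-url:
    # Whoever controls this URL controls the code executed by the runner;
    # callers should only point it at a mirror they operate themselves.
    description: 'Override the install endpoint (defaults to https://install.codelake.dev). Useful for staging / self-hosted mirrors.'
    required: false
    default: 'https://install.codelake.dev'

outputs:
  report-path:
    description: 'Path to the generated markdown report'
    value: ${{ steps.scan.outputs.report-path }}
  total:
    description: 'Total dependencies scanned'
    value: ${{ steps.scan.outputs.total }}
  denied:
    description: 'Number of dependencies denied by policy'
    value: ${{ steps.scan.outputs.denied }}
  warned:
    description: 'Number of dependencies in the warn list'
    value: ${{ steps.scan.outputs.warned }}

runs:
  using: 'composite'
  steps:
    - name: Install licscan
      shell: bash
      env:
        # LICSCAN_VERSION and LICSCAN_INSTALL_DIR are not referenced by this
        # script directly; presumably install.sh reads them — verify against
        # the installer.
        LICSCAN_VERSION: ${{ inputs.version }}
        LICSCAN_BASE_URL: ${{ inputs.install-base-url }}
        LICSCAN_INSTALL_DIR: ${{ runner.temp }}/licscan-bin
      run: |
        set -euo pipefail
        mkdir -p "$LICSCAN_INSTALL_DIR"
        echo "$LICSCAN_INSTALL_DIR" >> "$GITHUB_PATH"
        # Download the installer to a file and run it afterwards instead of
        # `curl | sh`: with a pipe, sh starts executing lines before the
        # transfer has finished, so a truncated download can run a partial
        # script even though pipefail later marks the step as failed.
        # NOTE(review): the script is fetched over TLS but its content is not
        # integrity-checked; compare it against a published checksum once
        # the install endpoint provides one.
        INSTALLER="${RUNNER_TEMP}/licscan-install.sh"
        curl -fsSL --retry 3 "${LICSCAN_BASE_URL}/licscan/install.sh" -o "$INSTALLER"
        sh "$INSTALLER"
        # Sanity check that the binary landed where PATH will look for it.
        "${LICSCAN_INSTALL_DIR}/licscan" --version

    - name: Run scan
      id: scan
      shell: bash
      env:
        LICSCAN_PATH: ${{ inputs.path }}
        LICSCAN_FORMAT: ${{ inputs.format }}
        LICSCAN_CRA: ${{ inputs.cra }}
        LICSCAN_CRA_OUTPUT: ${{ inputs.cra-output }}
      run: |
        set -euo pipefail
        REPORT_PATH="${RUNNER_TEMP}/licscan-report.md"
        # Always render the markdown report alongside any other format
        # the user asked for in the log. The artifact + PR comment use
        # the markdown file; the workflow-log output uses --format.
        licscan scan "$LICSCAN_PATH" --format markdown > "$REPORT_PATH"
        echo "report-path=${REPORT_PATH}" >> "$GITHUB_OUTPUT"
        # Echo the chosen format to the workflow log too. If the user
        # chose markdown, this is the same as the report; otherwise
        # they see e.g. the table or JSON output inline. This pass is
        # informational only, so its exit status is ignored.
        if [ "$LICSCAN_FORMAT" != "markdown" ]; then
          licscan scan "$LICSCAN_PATH" --format "$LICSCAN_FORMAT" || true
        else
          cat "$REPORT_PATH"
        fi
        # JSON pass to extract structured counts for the action outputs.
        # `.dependencies | length` yields 0 when the key is absent (null).
        JSON_OUT=$(licscan scan "$LICSCAN_PATH" --format json)
        TOTAL=$(printf '%s' "$JSON_OUT" | jq -r '.dependencies | length')
        DENIED=$(printf '%s' "$JSON_OUT" | jq -r '[.dependencies[] | select(.verdict == "deny")] | length')
        WARNED=$(printf '%s' "$JSON_OUT" | jq -r '[.dependencies[] | select(.verdict == "warn")] | length')
        echo "total=${TOTAL}" >> "$GITHUB_OUTPUT"
        echo "denied=${DENIED}" >> "$GITHUB_OUTPUT"
        echo "warned=${WARNED}" >> "$GITHUB_OUTPUT"
        # Optionally emit CRA evidence (PDF + CycloneDX) into cra-output.
        if [ "$LICSCAN_CRA" = "true" ]; then
          licscan scan "$LICSCAN_PATH" --cra --output "$LICSCAN_CRA_OUTPUT"
        fi

    - name: Post PR comment
      if: ${{ inputs.pr-comment == 'true' && github.event_name == 'pull_request' }}
      shell: bash
      env:
        # Requires `pull-requests: write` on the calling job. The default
        # token is read-only for pull_request events from forks, in which
        # case `gh pr comment` fails and so does this step.
        GH_TOKEN: ${{ github.token }}
        PR_NUMBER: ${{ github.event.pull_request.number }}
        REPORT_PATH: ${{ steps.scan.outputs.report-path }}
      run: |
        set -euo pipefail
        if [ ! -f "$REPORT_PATH" ]; then
          echo "::warning::report file not found at $REPORT_PATH — skipping PR comment"
          exit 0
        fi
        gh pr comment "$PR_NUMBER" --body-file "$REPORT_PATH"

    - name: Upload report artifact
      if: ${{ inputs.upload-artifact == 'true' }}
      # NOTE(review): pin this action to a full commit SHA rather than a
      # moving major tag for supply-chain hardening.
      uses: actions/upload-artifact@v4
      with:
        name: licscan-report
        # The cra-output directory is listed unconditionally; when --cra was
        # not requested it does not exist and `ignore` keeps that silent.
        path: |
          ${{ steps.scan.outputs.report-path }}
          ${{ inputs.cra-output }}/
        if-no-files-found: ignore
        retention-days: 90

    - name: Enforce policy
      # CI gate, run last so the comment and artifact above are always
      # published before a deny verdict fails the action. The --ci pass is
      # not used for output to avoid double-reporting in the log.
      if: ${{ inputs.fail-on-violation == 'true' }}
      shell: bash
      env:
        LICSCAN_PATH: ${{ inputs.path }}
      run: |
        set -euo pipefail
        licscan scan "$LICSCAN_PATH" --ci --format json > /dev/null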