From ba756cb60d5f8c6cdc2a9eb2f8f9621cfa1491c2 Mon Sep 17 00:00:00 2001 From: Eduardo Robles Elvira Date: Sun, 21 Nov 2021 08:44:26 +0100 Subject: [PATCH] initial work on the ORT action --- CHANGELOG.md | 14 -- CODEOWNERS | 7 - CONTRIBUTING.md | 138 ----------------- MAINTAINERS.md | 3 +- README.md | 117 +++----------- action.yml | 395 +++++++++++++++++++++++------------------------- 6 files changed, 216 insertions(+), 458 deletions(-) delete mode 100644 CHANGELOG.md delete mode 100644 CODEOWNERS delete mode 100644 CONTRIBUTING.md diff --git a/CHANGELOG.md b/CHANGELOG.md deleted file mode 100644 index aacccbd..0000000 --- a/CHANGELOG.md +++ /dev/null @@ -1,14 +0,0 @@ -# Changelog - -All notable changes to this project will be documented in this file. - -The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) -and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). - -### Added - -- Use spdx-builder v0.6.0 -- Use ORT version 2021-05-31 - -### Release v0.5.0 -- First version diff --git a/CODEOWNERS b/CODEOWNERS deleted file mode 100644 index 684fc59..0000000 --- a/CODEOWNERS +++ /dev/null @@ -1,7 +0,0 @@ -# These owners will be the default owners for everything in -# the repo. Unless a later match takes precedence, -# they will be requested for review when someone opens a -# pull request. -* @philips-software/github-actions - -# See CODEOWNERS syntax here: https://help.github.com/articles/about-codeowners/#codeowners-syntax diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md deleted file mode 100644 index 1585d00..0000000 --- a/CONTRIBUTING.md +++ /dev/null 
@@ -1,138 +0,0 @@ -# Contributing to spdx-action - -We'd love for you to contribute to our source code and to make the Forest even better than it is today! Here are the guidelines we'd like you to follow: - - - [Question or Problem?](#question) - - [Issues and Bugs](#issue) - - [Feature Requests](#feature) - - [Submission Guidelines](#submit) - - [Further Info](#info) - -## Got a Question or Problem? - -If you have questions about how to use the Forest, please direct these to the [Slack group / philips-software][slack]. - -[![Slack](https://philips-software-slackin.now.sh/badge.svg)](https://philips-software-slackin.now.sh) - -## Found an Issue? - -If you find a bug in the source code or a mistake in the documentation, you can help us by submitting an issue to our [Github Repository][github]. Even better you can submit a Pull Request with a fix. - -**Please see the [Submission Guidelines](#submit) below.** - -## Want a Feature? - -You can request a new feature by submitting an issue to our [Github Repository][github]. If you would like to implement a new feature then consider what kind of change it is: - -* **Major Changes** that you wish to contribute to the project should be discussed first on our [Slack group][slack] so that we can better coordinate our efforts, prevent duplication of work, and help you to craft the change so that it is successfully accepted into the project. -* **Small Changes** can be crafted and submitted to the [Github Repository][github] as a Pull Request. - - -## Want a Doc Fix? - -If you want to help improve the docs, it's a good idea to let others know what you're working on to minimize duplication of effort. Create a new issue (or comment on a related existing one) to let others know what you're working on. - -For large fixes, please build and test the documentation before submitting the MR to be sure you haven't accidentally introduced any layout or formatting issues. 
You should also make sure that your commit message starts with "docs" and follows the **[Commit Message Guidelines](#commit)** outlined below. - -## Submission Guidelines - -### Submitting an Issue -Before you submit your issue search the archive, maybe your question was already answered. - -If your issue appears to be a bug, and hasn't been reported, open a new issue. Help us to maximize the effort we can spend fixing issues and adding new features, by not reporting duplicate issues. Providing the following information will increase the chances of your issue being dealt with quickly: - -* **Overview of the Issue** - if an error is being thrown a non-minified stack trace helps -* **Motivation for or Use Case** - explain why this is a bug for you -* **Forest Version(s)** - is it a regression? -* **Reproduce the Error** - try to describe how to reproduce the error -* **Related Issues** - has a similar issue been reported before? -* **Suggest a Fix** - if you can't fix the bug yourself, perhaps you can point to what might be - causing the problem (line of code or commit) - -**If you get help, help others. Good karma rulez!** - -### Submitting a Merge Request -Before you submit your merge request consider the following guidelines: - -* Make your changes in a new git branch: - - ```shell - git checkout -b my-fix-branch master - ``` - -* Create your patch, **including appropriate test cases**. -* Run the test suite and ensure that all tests pass. -* Add a line in the CHANGELOG.md under Unreleased. This will be used form generating the release notes. -* Commit your changes using a descriptive commit message. - - ```shell - git commit -a - ``` - Note: the optional commit `-a` command line option will automatically "add" and "rm" edited files. - -* Build your changes locally to ensure all the tests pass: -* Push your branch to Github: - - ```shell - git push origin my-fix-branch - ``` - -In Github, send a pull request to original master branch: f.e. 
`terraform-aws-vpc:master`. -If we suggest changes, then: - -* Make the required updates. -* Re-run the test suite to ensure tests are still passing. -* Commit your changes to your branch (e.g. `my-fix-branch`). -* Push the changes to your Github repository (this will update your Pull Request). - -If the PR gets too outdated we may ask you to rebase and force push to update the PR: - -```shell -git rebase master -i -git push origin my-fix-branch -f -``` - -_WARNING: Squashing or reverting commits and force-pushing thereafter may remove Github comments on code that were previously made by you or others in your commits. Avoid any form of rebasing unless necessary._ - -That's it! Thank you for your contribution! - -#### After your merge request is merged - -After your pull request is merged, you can safely delete your branch and pull the changes -from the main (upstream) repository: - -* Delete the remote branch on Github either through the Github web UI or your local shell as follows: - - ```shell - git push origin --delete my-fix-branch - ``` - -* Check out the master branch: - - ```shell - git checkout master -f - ``` - -* Delete the local branch: - - ```shell - git branch -D my-fix-branch - ``` - -* Update your master with the latest upstream version: - - ```shell - git pull --ff upstream master - ``` - -## Info - -For more info, please reach out to the team on [Slack group / philips-software][slack] in the #forest channel. - -Use the badge to sign-up. - -[![Slack](https://philips-software-slackin.now.sh/badge.svg)](https://philips-software-slackin.now.sh) - -[contribute]: CONTRIBUTING.md -[github]: https://github.com/philips-software/spdx-action/issues -[slack]: https://philips-software.slack.com/home diff --git a/MAINTAINERS.md b/MAINTAINERS.md index dbdeca6..82fce90 100644 --- a/MAINTAINERS.md +++ b/MAINTAINERS.md @@ -1,2 +1 @@ -Jeroen Knoops -Timo van de Put +Eduardo Robles Elvira diff --git a/README.md b/README.md index 8621bbc..62c246a 100644 --- a/README.md 
+++ b/README.md @@ -1,10 +1,14 @@
-# Get SPDX license overview +# Execute ORT with a Github Action -[![Marketplace](https://img.shields.io/badge/GitHub-Marketplace-green.svg)](https://github.com/marketplace/actions/get-spdx-license-overview) [![Release](https://img.shields.io/github/release/philips-software/spdx-action.svg)](https://github.com/philips-software/spdx-action/releases) +[![Marketplace](https://img.shields.io/badge/GitHub-Marketplace-green.svg)](https://github.com/marketplace/actions/get-spdx-license-overview) [![Release](https://img.shields.io/github/release/edulix/ort-action.svg)](https://github.com/edulix/ort-action/releases) + +This action allows you to run [ORT](https://oss-review-toolkit.org/). The OSS +Review Toolkit (ORT) aims to assist with the tasks that commonly need to be +performed in the context of license compliance checks, especially for (but not +limited to) Free and Open Source Software dependencies. -This action will create a SPDX license overview with ORT and SPDX-builder. > THIS IS AN EXPERIMENTAL ACTION
@@ -29,23 +33,17 @@ Get SPDX license overview | parameter | description | required | default | | - | - | - | - | -| project | project | `true` | spdx-builder | -| spdx-builder-version | spdx-builder-version | `true` | v0.8.1 | -| mode | Scan mode. Can be 'ort', 'blackduck' or 'tree' | `true` | ort | -| scanner-url | scanner-url (license-scanner) | `false` | | -| bombase-url | bombase-url (in case of mode: 'tree') | `false` | | -| upload-url | upload-url (f.e. BOM-bar) | `false` | | -| ort-version | philipssoftware/ort version (in case of mode: 'ort') | `false` | 2021-05-31 | -| ort-file | Specifies an ort-file to override ORT scanning in this action. (in case of mode: 'ort') | `false` | | -| tree | file with tree input (in case of mode: 'tree') | `false` | | -| format | format input (in case of mode: 'tree') | `false` | | -| blackduck-url | Blackduck url (in case of mode: 'blackduck') | `false` | | -| blackduck-token | Blackduck token (in case of mode: 'blackduck') | `false` | | -| blackduck-project | Blackduck project (in case of mode: 'blackduck') | `false` | | -| blackduck-version | Blackduck version (in case of mode: 'blackduck') | `false` | | -| optional-arguments | Optional arguments like `--tree`, `--release`, `--force` and `--custom` | `false` | | - - +| ort-version | edulix/ort docker hub tag to use. | `false` | `latest` | +| analyze | Set to `false` to disable the execution of the ORT `analyze` ORT Action. | `false` | `true` | +| evaluate | Set to `false` to disable the execution of the ORT `evaluate` ORT Action. | `false` | `true` | +| report | Set to `false` to disable the execution of the ORT `report` ORT Action. | `false` | `true` | +| package-curations-dir | Specifies path relative to the project directory for the curations directory. Used in `analyze` and `evaluate` actions. It's the `--package-curations-dir` option for ORT. | `false` | | +| rules-file | Specifies path relative to the project directory for the rules of the `evaluate` action. 
It's the `--rules-file` option for ORT. | `false` | | +| license-classifications-file | Specifies path relative to the project directory for the license classifications file of the `evaluate` action. It's the `--license-classifications-file` option for ORT. | `false` | | +| license-classifications-file | List of reporters to run. | `false` | `Excel,StaticHtml,WebApp` | +| analyze-extra-args | List of extra arguments for the `analyze` action. | `false` | | +| evaluate-extra-args | List of extra arguments for the `evaluate` action. | `false` | | +| report-extra-args | List of extra arguments for the `report` action. | `false` | | @@ -54,10 +52,9 @@ Get SPDX license overview | parameter | description | | - | - | -| spdx-file | spdx-license file | -| ort-file | ort-license file | - - +| analyzer-result | output file for the analyze step | +| evaluation-result | output file for the evaluate step | +| report-result-dir | output file for the report step | 
@@ -71,82 +68,18 @@ This action is an `composite` action. ## GitHub workflow -Make sure you have a proper `.spdx-builder.yml` file in your project. - -### `ORT` mode ```yml - uses: actions/checkout@v2 - uses: actions/setup-java@v1 with: java-version: '11.0.1' - - name: Create spdx-file - id: spdx-builder - uses: philips-software/spdx-action@v0.8.1 - with: - project: my-project - mode: ort - - uses: actions/upload-artifact@v2 - with: - name: licenses - path: ${{ steps.spdx-builder.outputs.spdx-file }} -``` -### `tree` mode -```yml - - uses: actions/checkout@v2 - - uses: actions/setup-java@v1 - with: - java-version: '11.0.1' - - name: Create tree - run: | - npm list --all --production > npm-dependencies.txt - - name: Create spdx-file - id: spdx-builder - uses: philips-software/spdx-action@v0.8.1 - with: - project: my-project - mode: 'tree' - tree: 'npm-dependencies.txt' - format: 'npm' - bombase-url: # Optional - - uses: actions/upload-artifact@v2 - with: - name: licenses - path: ${{ steps.spdx-builder.outputs.spdx-file }} -``` + - name: Analyze licensing + id: ort-action + uses: edulix/ort-action -### `blackduck` mode -```yml - - uses: actions/checkout@v2 - - uses: actions/setup-java@v1 - with: - java-version: '11.0.1' - - name: Create spdx-file - id: spdx-builder - uses: philips-software/spdx-action@v0.8.1 - with: - project: my-project - mode: 'blackduck' - blackduck-url: - blackduck-token: ${{ secrets.BLACKDUCK_TOKEN }} - blackduck-project: - blackduck-version: - uses: actions/upload-artifact@v2 with: name: licenses - path: ${{ steps.spdx-builder.outputs.spdx-file }} -``` - -## Philips Forest - -This module is part of the Philips Forest. - -``` - ___ _ - / __\__ _ __ ___ ___| |_ - / _\/ _ \| '__/ _ \/ __| __| - / / | (_) | | | __/\__ \ |_ - \/ \___/|_| \___||___/\__| - - CI + path: ${{ steps.ort-action.outputs.report-result-dir }} ``` diff --git a/action.yml b/action.yml index 4f643bc..1c0aae2 100644 --- a/action.yml +++ b/action.yml 
@@ -1,238 +1,223 @@ -name: 'Get SPDX license overview' -description: 'Get SPDX license overview' -author: "Forest Keepers" +name: 'Run ORT to analyze evaluate and report licensing' +description: 'Run ORT to analyze evaluate and report licensing' +author: "nVotes" branding: icon: "activity" color: "green" outputs: - spdx-file: - description: "spdx-license file" - value: ${{ steps.spdx-ort.outputs.spdx-file }} ${{ steps.spdx-tree.outputs.spdx-file }} ${{ steps.spdx-blackduck.outputs.spdx-file }} - ort-file: - description: "ort-license file" - value: ${{ steps.spdx.outputs.ort-file }} + analyzer-result: + description: "output file for the analyze step" + value: ${{ steps.analyze.outputs.analyzer-result }} + evaluation-result: + description: "output file for the evaluate step" + value: ${{ steps.evaluate.outputs.evaluation-result }} + report-result-dir: + description: "output directory for the report step" + value: ${{ steps.report.outputs.report-result-dir }} inputs: - project: - description: "project" - required: true - default: 'spdx-builder' - spdx-builder-version: - description: "spdx-builder-version" - required: true - default: 'v0.8.1' - mode: - description: "Scan mode. Can be 'ort', 'blackduck' or 'tree'" - required: true - default: 'ort' - scanner-url: - description: "scanner-url (license-scanner)" - required: false - bombase-url: - description: "bombase-url (in case of mode: 'tree')" + ort-version: + description: "edulix/ort docker hub tag to use." required: false - upload-url: - description: "upload-url (f.e. BOM-bar)" + default: 'latest' + analyze: + description: > + Set to `false` to disable the execution of the ORT `analyze` + ORT Action. Default: `true`. required: false -# ORT specific inputs - ort-version: - description: "philipssoftware/ort version (in case of mode: 'ort')" + default: true + evaluate: + description: > + Set to `false` to disable the execution of the ORT `evaluate` + ORT Action. Default: `true`. 
required: false - default: '2021-05-31' - ort-file: - description: "Specifies an ort-file to override ORT scanning in this action. (in case of mode: 'ort')" + default: true + report: + description: > + Set to `false` to disable the execution of the ORT `report` + ORT Action. Default: `true`. required: false -# tree specific inputs - tree: - description: "file with tree input (in case of mode: 'tree')" + default: true + package-curations-dir: + description: >- + Specifies path relative to the project directory for the curations + directory. Used in `analyze` and `evaluate` actions. It's the + `--package-curations-dir` option for ORT. required: false - format: - description: "format input (in case of mode: 'tree')" + rules-file: + description: >- + Specifies path relative to the project directory for the rules of the + `evaluate` action. It's the `--rules-file` option for ORT. required: false -# blackduck specific inputs - blackduck-url: - description: "Blackduck url (in case of mode: 'blackduck')" + license-classifications-file: + description: >- + Specifies path relative to the project directory for the license + classifications file of the `evaluate` action. It's the + `--license-classifications-file` option for ORT. required: false - blackduck-token: - description: "Blackduck token (in case of mode: 'blackduck')" + reporters: + description: >- + List of reporters to run. Default: Excel,StaticHtml,WebApp required: false - blackduck-project: - description: "Blackduck project (in case of mode: 'blackduck')" + default: Excel,StaticHtml,WebApp + analyze-extra-args: + description: List of extra arguments for the `analyze` action. required: false - blackduck-version: - description: "Blackduck version (in case of mode: 'blackduck')" + evaluate-extra-args: + description: List of extra arguments for the `evaluate` action. 
required: false - optional-arguments: - description: "Optional arguments like `--tree`, `--release`, `--force` and `--custom`" + report-extra-args: + description: List of extra arguments for the `report` action. required: false runs: using: "composite" steps: - - name: Scan with ORT + - name: ORT analyze + id: analyze run: | - [ "${MODE}" != 'ort' ] && { echo "mode is not 'ort' so don't perform this step"; exit 0; } - [ -n "${ORT_FILE}" ] && { echo "We have our own ORT_FILE so we don't need to scan it here"; exit 0; } - # Allow ORT to fail. When one repository can't be found, the rest still makes sense to analyse - echo "--------------------------------------------------------------------" - echo " Running ORT scanner" - echo "--------------------------------------------------------------------" - set +e - docker run -v ${{ github.workspace }}:/project philipssoftware/ort:${{ inputs.ort-version}} --info analyze -f JSON -i /project -o /project/ort - set -e + [ -z "${RUN_ANALYZE}" ] || \ + { echo "analyze is not `true` so don't perform this step"; exit 0; } + echo "-----------------------------------------------------------------" + echo " ORT analyze step" + echo "-----------------------------------------------------------------" + echo " Inputs: " + echo " ANALYZE_EXTRA_ARGS : ${ANALYZE_EXTRA_ARGS} " + echo "-----------------------------------------------------------------" + echo " Set X_EXTRA_ARGS from ANALYZE_EXTRA_ARGS" + echo "-----------------------------------------------------------------" + [ -z "$ANALYZE_EXTRA_ARGS" ] && \ + X_EXTRA_ARGS="" || \ + X_EXTRA_ARGS="${ANALYZE_EXTRA_ARGS}" + echo " X_EXTRA_ARGS: ${X_EXTRA_ARGS}" + echo "-----------------------------------------------------------------" + echo " Running ORT analyze" + echo "-----------------------------------------------------------------" + docker run \ + -v ${{ github.workspace }}:/project \ + edulix/ort:${{ inputs.ort-version }} \ + --info analyze \ + -i /project \ + -o /project/ort \ + 
${X_EXTRA_ARGS} + echo "-----------------------------------------------------------------" + echo " Finished!" + echo "-----------------------------------------------------------------" + echo "::set-output name=analyzer-result::ort/analyzer-result.yml" shell: bash env: - ORT_FILE: ${{ inputs.ort-file }} - MODE: ${{ inputs.mode }} - OPTIONAL_ARGUMENTS: ${{ inputs.optional-arguments }} - - name: Create SPDX file with ORT - id: spdx-ort + RUN_ANALYZE: ${{ inputs.analyze }} + ANALYZE_EXTRA_ARGS: ${{ inputs.analyze-extra-args }} + + - name: ORT evaluate + id: evaluate run: | - [ "${MODE}" != 'ort' ] && { echo "mode is not 'ort' so don't perform this step"; exit 0; } - echo "--------------------------------------------------------------------" - echo " Creating SPDX file for ${PROJECT}. " - echo "--------------------------------------------------------------------" + [ -z "${RUN_EVALUATE}" ] || \ + { echo "evaluate is not `true` so don't perform this step"; exit 0; } + echo "-----------------------------------------------------------------" + echo " ORT evaluate step" + echo "-----------------------------------------------------------------" echo " Inputs: " - echo " PROJECT : ${PROJECT} " - echo " SCANNER_URL : ${SCANNER_URL} " - echo " UPLOAD_URL : ${UPLOAD_URL} " - echo " ORT_FILE : ${ORT_FILE} " - echo " OPTIONAL_ARGUMENTS : ${OPTIONAL_ARGUMENTS} " - echo "--------------------------------------------------------------------" - echo "" - echo "--------------------------------------------------------------------" - echo " Downloading spdx-builder" - echo "--------------------------------------------------------------------" - curl -L https://github.com/philips-software/spdx-builder/releases/download/${{ inputs.spdx-builder-version }}/spdx-builder.jar -o spdx-builder.jar - echo "--------------------------------------------------------------------" - echo " Set SCANNER_ARG" - echo "--------------------------------------------------------------------" - [ -z 
"$SCANNER_URL" ] && SCANNER_ARG="" || SCANNER_ARG="--scanner ${SCANNER_URL}" - echo " SCANNER_ARG: ${SCANNER_ARG}" - echo "--------------------------------------------------------------------" - echo " Set input-file" - echo "--------------------------------------------------------------------" - [ -n "$ORT_FILE" ] && INPUT_FILE=${ORT_FILE} || INPUT_FILE="ort/analyzer-result.json" - echo " INPUT_FILE: ${INPUT_FILE}" - echo "--------------------------------------------------------------------" - echo " Set UPLOAD_ARG" - echo "--------------------------------------------------------------------" - [ -z "$UPLOAD_URL" ] && UPLOAD_ARG="" || UPLOAD_ARG="--upload ${UPLOAD_URL}" - echo " UPLOAD_ARG: ${UPLOAD_ARG}" - echo "--------------------------------------------------------------------" - echo " Set OPTIONAL_ARG" - echo "--------------------------------------------------------------------" - [ -z "$OPTIONAL_ARGUMENTS" ] && OPTIONAL_ARG="" || OPTIONAL_ARG="${OPTIONAL_ARGUMENTS}" - echo " OPTIONAL_ARG: ${OPTIONAL_ARG}" - echo "--------------------------------------------------------------------" - echo " Running SPDX-builder" - echo "--------------------------------------------------------------------" - java -jar spdx-builder.jar ort -c .spdx-builder.yml -o ${PROJECT}.spdx ${INPUT_FILE} ${SCANNER_ARG} ${UPLOAD_ARG} ${OPTIONAL_ARG} - echo "--------------------------------------------------------------------" + echo " PACKAGE_CURATIONS_DIR : ${PACKAGE_CURATIONS_DIR} " + echo " RULES_FILE : ${RULES_FILE} " + echo " LICENSE_CLASSIFICATIONS_FILE : ${LICENSE_CLASSIFICATIONS_FILE} " + echo " EVALUATE_EXTRA_ARGS : ${EVALUATE_EXTRA_ARGS} " + echo "-----------------------------------------------------------------" + echo " Set X_CURATIONS_DIR from PACKAGE_CURATIONS_DIR" + echo "-----------------------------------------------------------------" + [ -z "$PACKAGE_CURATIONS_DIR" ] && \ + X_CURATIONS_DIR="" || \ + X_CURATIONS_DIR="--package-curations-dir '${PACKAGE_CURATIONS_DIR}'" + 
echo " X_CURATIONS_DIR: ${X_CURATIONS_DIR}" + echo "-----------------------------------------------------------------" + echo " Set X_RULES_FILE from RULES_FILE" + echo "-----------------------------------------------------------------" + [ -z "$RULES_FILE" ] && \ + X_RULES_FILE="" || \ + X_RULES_FILE="--rules-file '${RULES_FILE}'" + echo " X_RULES_FILE: ${X_RULES_FILE}" + echo "-----------------------------------------------------------------" + echo " Set X_LICENSE_CLASS from LICENSE_CLASSIFICATIONS_FILE" + echo "-----------------------------------------------------------------" + [ -z "$LICENSE_CLASSIFICATIONS_FILE" ] && \ + X_LICENSE_CLASS="" || \ + X_LICENSE_CLASS="--license-classifications-file '${LICENSE_CLASSIFICATIONS_FILE}'" + echo " X_LICENSE_CLASS: ${X_LICENSE_CLASS}" + echo "-----------------------------------------------------------------" + echo " Set X_EXTRA_ARGS" + echo "-----------------------------------------------------------------" + [ -z "$EVALUATE_EXTRA_ARGS" ] && \ + X_EXTRA_ARGS="" || \ + X_EXTRA_ARGS="${EVALUATE_EXTRA_ARGS}" + echo " X_EXTRA_ARGS: ${X_EXTRA_ARGS}" + echo "-----------------------------------------------------------------" + docker run \ + -v ${{ github.workspace }}:/project \ + edulix/ort:${{ inputs.ort-version }} \ + --info evaluate \ + -i /project/ort/analyzer-result.yml \ + -o /project/ort \ + ${X_CURATIONS_DIR} \ + ${X_RULES_FILE} \ + ${X_LICENSE_CLASS} \ + ${X_EXTRA_ARGS} + echo "-----------------------------------------------------------------" echo "Finished!" 
- echo "--------------------------------------------------------------------" - echo "::set-output name=spdx-file::${PROJECT}.spdx" - echo "::set-output name=ort-file::${INPUT_FILE}" - env: - PROJECT: ${{ inputs.project }} - SCANNER_URL: ${{ inputs.scanner-url }} - ORT_FILE: ${{ inputs.ort-file }} - UPLOAD_URL: ${{ inputs.upload-url }} - MODE: ${{ inputs.mode }} - OPTIONAL_ARGUMENTS: ${{ inputs.optional-arguments }} + echo "-----------------------------------------------------------------" + echo "::set-output name=evaluation-result::ort/evaluation-result.yml" + shell: bash - - name: Create SPDX file with tree - id: spdx-tree - run: | - [ "${MODE}" != 'tree' ] && { echo "mode is not 'tree' so don't perform this step"; exit 0; } - echo "--------------------------------------------------------------------" - echo " Creating SPDX file for ${PROJECT} based on tree import." - echo "--------------------------------------------------------------------" - echo " Inputs: " - echo " PROJECT : ${PROJECT} " - echo " BOMBASE_URL : ${BOMBASE_URL} " - echo " UPLOAD_URL : ${UPLOAD_URL} " - echo " TREE : ${TREE} " - echo " FORMAT : ${FORMAT} " - echo " OPTIONAL_ARGUMENTS : ${OPTIONAL_ARGUMENTS} " - echo "--------------------------------------------------------------------" - echo "" - echo "--------------------------------------------------------------------" - echo " Downloading spdx-builder" - echo "--------------------------------------------------------------------" - curl -L https://github.com/philips-software/spdx-builder/releases/download/${{ inputs.spdx-builder-version }}/spdx-builder.jar -o spdx-builder.jar - echo "--------------------------------------------------------------------" - echo " Set BOMBASE_ARG" - echo "--------------------------------------------------------------------" - [ -z "$BOMBASE_URL" ] && BOMBASE_ARG="" || BOMBASE_ARG="--bombase ${BOMBASE_URL}" - echo " BOMBASE_ARG: ${BOMBASE_ARG}" - echo 
"--------------------------------------------------------------------" - echo " Set UPLOAD_ARG" - echo "--------------------------------------------------------------------" - [ -z "$UPLOAD_URL" ] && UPLOAD_ARG="" || UPLOAD_ARG="--upload ${UPLOAD_URL}" - echo " UPLOAD_ARG: ${UPLOAD_ARG}" - echo "--------------------------------------------------------------------" - echo " Set OPTIONAL_ARG" - echo "--------------------------------------------------------------------" - [ -z "$OPTIONAL_ARGUMENTS" ] && OPTIONAL_ARG="" || OPTIONAL_ARG="${OPTIONAL_ARGUMENTS}" - echo " OPTIONAL_ARG: ${OPTIONAL_ARG}" - echo "--------------------------------------------------------------------" - echo " Running SPDX-builder" - echo "--------------------------------------------------------------------" - cat "${TREE}" | java -jar spdx-builder.jar tree -f ${FORMAT} -c .spdx-builder.yml -o ${PROJECT}.spdx ${BOMBASE_ARG} ${UPLOAD_ARG} ${OPTIONAL_ARG} - echo "--------------------------------------------------------------------" - echo "Finished!" 
- echo "--------------------------------------------------------------------" - echo "::set-output name=spdx-file::${PROJECT}.spdx" env: - PROJECT: ${{ inputs.project }} - BOMBASE_URL: ${{ inputs.bombase-url }} - TREE: ${{ inputs.tree }} - FORMAT: ${{ inputs.format }} - UPLOAD_URL: ${{ inputs.upload-url }} - MODE: ${{ inputs.mode }} - OPTIONAL_ARGUMENTS: ${{ inputs.optional-arguments }} - shell: bash - - name: Create SPDX file with blackduck - id: spdx-blackduck + RUN_EVAULATE: ${{ inputs.evaluate }} + PACKAGE_CURATIONS_DIR: ${{ input.package-curations-dir }} + RULES_FILE: ${{ inputs.rules-file }} + LICENSE_CLASSIFICATIONS_FILE: ${{ inputs.license-classifications-file }} + EVALUATE_EXTRA_ARGS: ${{ inputs.evaluate-extra-args }} + + - name: ORT report + id: report run: | - [ "${MODE}" != 'blackduck' ] && { echo "mode is not 'blackduck' so don't perform this step"; exit 0; } - echo "--------------------------------------------------------------------" - echo " Creating SPDX file for ${PROJECT} based on blackduck import." 
- echo "--------------------------------------------------------------------" + [ -z "${RUN_REPORT}" ] || \ + { echo "report is not `true` so don't perform this step"; exit 0; } + echo "-----------------------------------------------------------------" + echo " ORT report step" + echo "-----------------------------------------------------------------" echo " Inputs: " - echo " PROJECT : ${PROJECT} " - echo " BLACKDUCK_PROJECT : ${BLACKUCK_PROJECT} " - echo " BLACKDUCK_VERSION : ${BLACKUCK_VERSION} " - echo " BLACKDUCK_URL : ${BLACKUCK_URL} " - echo " BLACKDUCK_TOKEN : ${BLACKUCK_TOKEN} " - echo " OPTIONAL_ARGUMENTS : ${OPTIONAL_ARGUMENTS} " - echo "--------------------------------------------------------------------" - echo "" - echo "--------------------------------------------------------------------" - echo " Downloading spdx-builder" - echo "--------------------------------------------------------------------" - curl -L https://github.com/philips-software/spdx-builder/releases/download/${{ inputs.spdx-builder-version }}/spdx-builder.jar -o spdx-builder.jar - echo "--------------------------------------------------------------------" - echo " Set OPTIONAL_ARG" - echo "--------------------------------------------------------------------" - [ -z "$OPTIONAL_ARGUMENTS" ] && OPTIONAL_ARG="" || OPTIONAL_ARG="${OPTIONAL_ARGUMENTS}" - echo " OPTIONAL_ARG: ${OPTIONAL_ARG}" - echo "--------------------------------------------------------------------" - echo " Running SPDX-builder" - echo "--------------------------------------------------------------------" - java -jar spdx-builder.jar blackduck -o ${PROJECT}.spdx --url ${BLACKDUCK_URL} --token ${BLACKDUCK_TOKEN} ${BLACKDUCK_PROJECT} ${BLACKDUCK_VERSION} ${OPTIONAL_ARG} - echo "--------------------------------------------------------------------" - echo "Finished!" 
- echo "--------------------------------------------------------------------" - echo "::set-output name=spdx-file::${PROJECT}.spdx" - env: - PROJECT: ${{ inputs.project }} - MODE: ${{ inputs.mode }} - BLACKDUCK_PROJECT: ${{ inputs.blackduck-project }} - BLACKDUCK_VERSION: ${{ inputs.blackduck-version }} - BLACKDUCK_URL: ${{ inputs.blackduck-url }} - BLACKDUCK_TOKEN: ${{ inputs.blackduck-token }} - OPTIONAL_ARGUMENTS: ${{ inputs.optional-arguments }} + echo " REPORTERS : ${REPORTERS} " + echo " REPORT_EXTRA_ARGS : ${REPORT_EXTRA_ARGS} " + echo "-----------------------------------------------------------------" + echo " Set X_REPORTERS from REPORTERS" + echo "-----------------------------------------------------------------" + [ -z "$REPORTERS" ] && \ + X_REPORTERS="" || \ + X_REPORTERS="${REPORTERS}" + echo " X_REPORTERS: ${X_REPORTERS}" + echo "-----------------------------------------------------------------" + echo " Set X_EXTRA_ARGS from REPORT_EXTRA_ARGS" + echo "-----------------------------------------------------------------" + [ -z "$REPORT_EXTRA_ARGS" ] && \ + X_EXTRA_ARGS="" || \ + X_EXTRA_ARGS="${REPORT_EXTRA_ARGS}" + echo " X_EXTRA_ARGS: ${X_EXTRA_ARGS}" + echo "-----------------------------------------------------------------" + echo " Running ORT report" + echo "-----------------------------------------------------------------" + docker run \ + -v ${{ github.workspace }}:/project \ + edulix/ort:${{ inputs.ort-version }} \ + --info report \ + -i /project/ort/evaluation-result.yml \ + -o /project/ort \ + -f ${X_REPORTERS} \ + ${X_EXTRA_ARGS} + echo "-----------------------------------------------------------------" + echo " Finished!" + echo "-----------------------------------------------------------------" + echo "::set-output name=report-result-dir::ort/" shell: bash + env: + RUN_REPORT: ${{ inputs.report }} + REPORTERS: ${{ inputs.reporters }} + REPORT_EXTRA_ARGS: ${{ inputs.report-extra-args }} +
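Review bot: the skip guards in the three new action.yml steps are inverted, so with the documented default of `true` every step exits before doing anything. `[ -z "${RUN_ANALYZE}" ] || { echo "..."; exit 0; }` runs the step only when the variable is empty and exits 0 for both `true` and `false`. Compare against the literal string instead, e.g. `[ "${RUN_ANALYZE}" = "true" ] || { echo 'analyze is not true, skipping'; exit 0; }`, and apply the same fix to `RUN_EVALUATE` and `RUN_REPORT`. The skip message also puts backticks inside a double-quoted string (`"analyze is not `true` so ..."`), which bash treats as command substitution; use single quotes or drop the backticks.

Review bot: the evaluate step's `env:` block has two typos that change behaviour. `RUN_EVAULATE: ${{ inputs.evaluate }}` never sets the `RUN_EVALUATE` that the script tests, and `PACKAGE_CURATIONS_DIR: ${{ input.package-curations-dir }}` uses the non-existent `input` context instead of `inputs`, which GitHub rejects when it parses the action. Rename the first to `RUN_EVALUATE` and change the second to `${{ inputs.package-curations-dir }}`.

Review bot: the single quotes in `X_CURATIONS_DIR="--package-curations-dir '${PACKAGE_CURATIONS_DIR}'"` (and the matching `X_RULES_FILE` and `X_LICENSE_CLASS` lines) do not protect the path. Because the variable is later expanded unquoted in the `docker run` line, the quote characters are passed to ORT literally and a path containing a space is still split into two arguments. Build the argument list with a bash array instead, e.g. `ARGS=(); [ -n "$RULES_FILE" ] && ARGS+=(--rules-file "$RULES_FILE")`, then pass `"${ARGS[@]}"`. The `*-extra-args` inputs are deliberately word-split into the command line; say so in their descriptions so callers know that quoting inside those inputs will not be honoured.

Review bot: the analyze step does not pass `--package-curations-dir` even though the README and the `package-curations-dir` description say the option is "Used in `analyze` and `evaluate` actions"; only `${X_EXTRA_ARGS}` is appended to the analyze `docker run`. Either wire the option into the analyze step or narrow the description to `evaluate`. The old step also wrapped the analyzer call in `set +e` / `set -e` with the comment "Allow ORT to fail. When one repository can't be found, the rest still makes sense to analyse"; the new step drops that without saying whether a failing analyzer should now abort the job, and the evaluate step reads `/project/ort/analyzer-result.yml` unconditionally, so decide and document one behaviour.

Review bot: `ort-version` now defaults to the mutable `latest` tag of `edulix/ort`, whereas the previous default was the dated tag `2021-05-31`. Every run pulls whatever the tag currently points at, so scan results are not reproducible and the image contents can change between runs without any change to the calling workflow. Default to a dated or versioned tag and document that callers can pin a tag or an `@sha256:` digest. The same applies to the README example, where `uses: edulix/ort-action` carries no `@ref`; GitHub requires `owner/repo@ref` for remote actions, and the example should pin a release tag. Also note that the `docker run` lines mount the checkout at `/project` with no `--user`, so the `ort/` directory is written as root into the workspace; mention that in the README so later steps that clean or rewrite the checkout are not surprised.

Review bot: the README inputs table lists `license-classifications-file` twice; the second row ("List of reporters to run.", default `Excel,StaticHtml,WebApp`) should be named `reporters` to match action.yml. The outputs table describes `report-result-dir` as "output file for the report step" while action.yml says "output directory"; and since that directory is `ort/`, the same place the analyzer and evaluation YAML are written, the `upload-artifact` example ships all three results under the name `licenses`, which is fine but worth stating. The Marketplace badge still links to `get-spdx-license-overview`, and the example keeps the `actions/setup-java` step although ORT now runs entirely inside the Docker image, so that step can go.

Review bot: CHANGELOG.md, CODEOWNERS and CONTRIBUTING.md are deleted outright while the README keeps a Release badge pointing at `edulix/ort-action/releases`. If releases are still intended, keep a changelog (or say in the commit message that release notes will live elsewhere); otherwise drop the badge so the README does not advertise a process that no longer exists.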