Add licensing checks and notice file (#94)

* Adding deny and notice config/templates
* Adding utility bulid commands for notice and licenses
* Fixing qirlib license
* Adding generated notice files
* Adding cargo deny workflow for license checks
* Updating build to use maturin v0.12.12-beta.2 with license/notice support.

.github/workflows/licenses.yml

@@ -0,0 +1,19 @@
+name: licenses
+on: [push, pull_request]
+jobs:
+  cargo-deny:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        checks:
+          - advisories
+          - bans licenses sources
+
+    # Prevent sudden announcement of a new advisory from failing ci:
+    continue-on-error: ${{ matrix.checks == 'advisories' }}
+
+    steps:
+    - uses: actions/checkout@v2
+    - uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        command: check ${{ matrix.checks }}

deny.toml

@@ -0,0 +1,33 @@
+[bans]
+# Lint level for when multiple versions of the same crate are detected
+multiple-versions = "warn"
+# Lint level for when a crate version requirement is `*`
+wildcards = "warn"
+
+[advisories]
+# The lint level for security vulnerabilities
+vulnerability = "deny"
+# The lint level for unmaintained crates
+unmaintained = "warn"
+
+[licenses]
+unlicensed = "deny"
+copyleft = "deny"
+default = "deny"
+confidence-threshold = 1.0
+
+# List of explicitly allowed licenses
+# See https://spdx.org/licenses/ for list of possible licenses
+# [possible values: any SPDX 3.11 short identifier (+ optional exception)].
+allow = [
+    "Apache-2.0",
+    "Apache-2.0 WITH LLVM-exception",
+    "BSD-3-Clause",
+    "MIT",
+]
+
+[sources.allow-org]
+# github.com organizations to allow git sources for
+github = [
+    "TheDan64",
+]

eng/manylinux.Dockerfile

@@ -9,17 +9,9 @@ ENV PATH /root/.cargo/bin:$PATH
 RUN curl --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
 
 WORKDIR /tmp
-RUN curl -SsL https://github.com/PyO3/maturin/archive/refs/tags/v0.11.1.tar.gz -o v0.11.1.tar.gz && \
-    tar -xz -f ./v0.11.1.tar.gz
 
-RUN mv ./maturin-0.11.1 /maturin
-
-# Manually update the timestamps as ADD keeps the local timestamps and cargo would then believe the cache is fresh
-RUN touch /maturin/src/lib.rs /maturin/src/main.rs
-
-RUN cargo rustc --bin maturin --manifest-path /maturin/Cargo.toml --release -- -C link-arg=-s \
-    && mv /maturin/target/release/maturin /usr/bin/maturin \
-    && rm -rf /maturin
+# Temporary workaround installing beta for license/notice support
+RUN cargo install maturin --git https://github.com/PyO3/maturin --tag v0.12.12-beta.2
 
 FROM quay.io/pypa/manylinux2014_x86_64
 
@@ -33,7 +25,7 @@ RUN curl --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y \
     && python3 -m pip install --no-cache-dir cffi \
     && mkdir /io
 
-COPY --from=builder /usr/bin/maturin /usr/bin/maturin
+COPY --from=builder /root/.cargo/bin/maturin /usr/bin/maturin
 
 WORKDIR /io
 

eng/psakefile.ps1

@@ -56,6 +56,9 @@ Task cargo-clippy -Depends init {
 }
 
 Task init {
+    if ((Test-CI) -and !$IsLinux) {
+        cargo install maturin --git https://github.com/PyO3/maturin --tag v0.12.12-beta.2
+    }
     Restore-ConfigTomlWithLlvmInfo
     Test-Prerequisites
     Initialize-Environment
@@ -427,3 +430,32 @@ function Create-DocsEnv() {
         deactivate
     }
 }
+
+task check-licenses {
+    # Uses cargo-deny to verify that the linked components
+    # only use approved licenses
+    # https://github.com/EmbarkStudios/cargo-deny
+    Invoke-LoggedCommand -wd $repo.root {
+        cargo deny check licenses
+    }
+}
+
+task update-noticefiles {
+    # use cargo-about to generate a notice files
+    # notice files are only for wheel distributions
+    # as no bundled sources are in the sdist.
+
+    # llvm special license is already in the template
+    # as it is a hidden transitive dependency.
+    # https://github.com/EmbarkStudios/cargo-about
+    $config = Join-Path $repo.root notice.toml
+    $template = Join-Path $repo.root notice.hbs
+    foreach ($project in @($pyqir.parser.dir, $pyqir.generator.dir, $pyqir.evaluator.dir)) {
+        Invoke-LoggedCommand -wd $project {
+            $notice = Join-Path $project NOTICE-WHEEL.txt
+            cargo about generate --config $config --all-features --output-file $notice $template
+            $contents = Get-Content -Raw $notice
+            [System.Web.HttpUtility]::HtmlDecode($contents) | Out-File $notice
+        }
+    }
+}