Merge pull request #51 from CDiezRodriguez/feat/add-Dash-License

feat: Add Dependencies-Check workflow

Author: matbmoser

.github/workflows/dependencies-backend.yml

@@ -0,0 +1,117 @@
+###############################################################
+# Copyright (c) 2025 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+###############################################################
+
+name: "Eclipse DASH IP Check"
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - ichub-backend/requirements.txt
+      - DEPENDENCIES_ICHUB-BACKEND
+      - .github/workflows/dependencies-backend.yml
+  pull_request:
+    branches: [main]
+    paths:
+      - ichub-backend/requirements.txt
+      - DEPENDENCIES_ICHUB-BACKEND
+      - .github/workflows/dependencies-backend.yml
+  workflow_dispatch:
+
+jobs:
+  check-dependencies-backend:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        folder: [ichub-backend]
+
+    steps:
+
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up JDK 21
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
+        with:
+          distribution: 'temurin'
+          java-version: '21'
+    
+      - name: Set up Python
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        with:
+            python-version: '3.10'
+
+      - name: Create and activate virtual environment
+        run: |
+          python -m venv ${{ matrix.folder }}/venv
+          source ${{ matrix.folder }}/venv/bin/activate
+          echo "VIRTUAL_ENV=${{ matrix.folder }}/venv" >> $GITHUB_ENV
+          echo "PATH=${{ matrix.folder }}/venv/bin:$PATH" >> $GITHUB_ENV
+
+      - name: Install dependencies in isolated environment
+        run: |
+          source ${{ matrix.folder }}/venv/bin/activate
+          if [ -f ${{ matrix.folder }}/requirements.txt ]; then
+            pip install -r ${{ matrix.folder }}/requirements.txt
+          else
+            echo "No requirements.txt found in ${{ matrix.folder }}, skipping..."
+          fi
+
+      - name: List packages
+        run: |
+            source ${{ matrix.folder }}/venv/bin/activate
+            pip list --format=freeze | grep -Pv "^(pip|setuptools|wheel|virtualenv|distlib|pkg_resources)" | awk -F'==' '{print "pypi/pypi/-/" $1 "/" $2}' | awk '!seen[$0]++' > ${{ matrix.folder }}/PACKAGE
+
+      - name: Generate Dependencies file
+        run: |
+            curl -L --output ./org.eclipse.dash.licenses-1.1.1.jar 'https://repo.eclipse.org/service/local/artifact/maven/redirect?r=dash-licenses&g=org.eclipse.dash&a=org.eclipse.dash.licenses&v=LATEST'
+            
+            if [[ "${{ matrix.folder }}" == "ichub-backend" ]]; then
+                DEP_FILE="DEPENDENCIES_ICHUB-BACKEND"
+            fi
+
+            echo "DEP_FILE=$DEP_FILE" >> $GITHUB_ENV
+
+            java -jar ./org.eclipse.dash.licenses-1.1.1.jar ${{ matrix.folder }}/PACKAGE -project automotive.tractusx -summary $DEP_FILE || true
+
+      - name: Check if dependencies were changed
+        id: dependencies-changed
+        run: |
+            if git diff --exit-code $DEP_FILE; then
+                echo "changed=false" >> $GITHUB_OUTPUT
+            else
+                echo "changed=true" >> $GITHUB_OUTPUT
+                echo "Change the $DEP_FILE with this new dependencies"
+                cat $DEP_FILE
+                exit 1
+            fi
+
+      - name: Check for restricted dependencies
+        run: |
+            restricted=$(grep 'restricted' $DEP_FILE || true)
+            if [[ -n "$restricted" ]]; then
+                echo "The following dependencies are restricted: $restricted"
+                exit 1
+            fi
+
+      - name: Upload $DEP_FILE file
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+            path: $DEP_FILE
+

.github/workflows/verify.yml

@@ -57,23 +57,3 @@ jobs:
                     eval $cmd;
                     exit 1;
                 fi
-
-    Review-Allowed-Licenses:
-        runs-on: ubuntu-latest
-        continue-on-error: false
-        if: github.event_name == 'pull_request' || github.event_name == 'pull_request_target'
-        steps:
-        - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        - name: 'Check Allowed Licenses'
-          uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
-          with:
-            fail-on-severity: critical
-          # Representation of this list: https://www.eclipse.org/legal/licenses.php#
-          # Expressed with the help of the following IDs: https://spdx.org/licenses/
-            allow-licenses: >-
-              Adobe-Glyph, Apache-1.0, Apache-1.1, Apache-2.0, Artistic-2.0, BSD-2-Clause, BSD-3-Clause,
-              BSD-4-Clause, 0BSD, BSL-1.0, CDDL-1.0, CDDL-1.1, CPL-1.0, CC-BY-3.0, CC-BY-4.0, CC-BY-2.5,
-              CC-BY-SA-3.0, CC-BY-SA-4.0, CC0-1.0, EPL-1.0, EPL-2.0, FTL, GFDL-1.3-only, IPL-1.0, ISC,
-              MIT, MIT-0, MPL-1.1, MPL-2.0, NTP, OpenSSL, PHP-3.01, PostgreSQL, OFL-1.1, Unlicense,
-              Unicode-DFS-2015, Unicode-DFS-2016, Unicode-TOU, UPL-1.0, W3C-20150513, W3C-19980720, W3C,
-              WTFPL, X11, Zlib, ZPL-2.1, AGPL-3.0

DEPENDENCIES_ICHUB-BACKEND

@@ -5,18 +5,18 @@ pypi/pypi/-/Pygments/2.19.1, , approved, #19382
 pypi/pypi/-/SQLAlchemy/2.0.38, MIT AND LGPL-2.0-only AND BSD-3-Clause AND LGPL-2.0-or-later, approved, #19392
 pypi/pypi/-/annotated-types/0.7.0, MIT, approved, clearlydefined
 pypi/pypi/-/anyio/4.8.0, MIT, approved, #19384
-pypi/pypi/-/certifi/2020.6.20, MPL-2.0, approved, clearlydefined
+pypi/pypi/-/certifi/2023.7.22, MPL-2.0, approved, #19826
 pypi/pypi/-/cffi/1.17.1, MIT, approved, #19388
 pypi/pypi/-/charset-normalizer/3.4.1, MIT AND (LGPL-2.1-only AND MIT) AND LGPL-2.1-only AND CC-BY-SA-3.0, approved, #19391
 pypi/pypi/-/click/8.1.8, BSD-2-Clause AND BSD-3-Clause, approved, clearlydefined
-pypi/pypi/-/cryptography/3.4.8, (Apache-2.0 OR BSD-3-Clause) AND (Apache-2.0 AND BSD-3-Clause) AND PSF-2.0, approved, #19386
+pypi/pypi/-/cryptography/44.0.1, Apache-2.0 AND BSD-3-Clause AND Apache-2.0 AND BSD-3-Clause AND (BSD-3-Clause AND MIT), approved, #19520
 pypi/pypi/-/deprecation/2.1.0, Apache-2.0 AND BSD-3-Clause AND MIT, approved, #7823
 pypi/pypi/-/dnspython/2.7.0, ISC, approved, #19394
 pypi/pypi/-/email_validator/2.2.0, Unlicense, approved, #19387
 pypi/pypi/-/exceptiongroup/1.2.2, MIT AND PSF-2.0, approved, #12076
 pypi/pypi/-/fastapi-cli/0.0.7, MIT, approved, clearlydefined
 pypi/pypi/-/fastapi-keycloak-middleware/1.1.0, MIT, approved, clearlydefined
-pypi/pypi/-/fastapi/0.111.1, MIT AND Apache-2.0, approved, #14863
+pypi/pypi/-/fastapi/0.115.7, MIT, approved, #19828
 pypi/pypi/-/greenlet/3.1.1, MIT AND PSF-2.0, approved, #19389
 pypi/pypi/-/h11/0.14.0, MIT AND BSD-3-Clause, approved, #13077
 pypi/pypi/-/httpcore/0.16.3, BSD-2-Clause AND BSD-3-Clause, approved, clearlydefined
@@ -45,11 +45,11 @@ pypi/pypi/-/rich/13.9.4, MIT, approved, clearlydefined
 pypi/pypi/-/shellingham/1.5.4, ISC AND BSD-3-Clause, approved, #19381
 pypi/pypi/-/sniffio/1.3.1, Apache-2.0 OR (Apache-2.0 AND MIT), approved, clearlydefined
 pypi/pypi/-/sqlmodel/0.0.22, MIT, approved, clearlydefined
-pypi/pypi/-/starlette/0.37.2, BSD-2-Clause AND BSD-3-Clause, approved, clearlydefined
+pypi/pypi/-/starlette/0.40.0, BSD-2-Clause AND BSD-3-Clause, approved, clearlydefined
 pypi/pypi/-/tomli/2.0.1, MIT, approved, #7824
 pypi/pypi/-/typer/0.15.1, MIT, approved, clearlydefined
 pypi/pypi/-/typing_extensions/4.12.2, Python-2.0, approved, #19383
-pypi/pypi/-/urllib3/1.26.5, MIT AND LicenseRef-Python AND Apache-2.0, approved, #7995
+pypi/pypi/-/urllib3/2.3.0, MIT AND Python-2.0 AND MPL-2.0, approved, #19863
 pypi/pypi/-/uvicorn/0.30.3, BSD-2-Clause AND BSD-3-Clause, approved, clearlydefined
 pypi/pypi/-/uvloop/0.21.0, , approved, #19385
 pypi/pypi/-/watchfiles/1.0.4, MIT, approved, clearlydefined

ichub-backend/requirements.txt

@@ -5,18 +5,18 @@ Pygments==2.19.1
 SQLAlchemy==2.0.38
 annotated-types==0.7.0
 anyio==4.8.0
-certifi==2020.6.20
+certifi==2023.7.22
 cffi==1.17.1
 charset-normalizer==3.4.1
 click==8.1.8
-cryptography==3.4.8
+cryptography==44.0.1
 deprecation==2.1.0
 dnspython==2.7.0
 email_validator==2.2.0
 exceptiongroup==1.2.2
 fastapi-cli==0.0.7
 fastapi-keycloak-middleware==1.1.0
-fastapi==0.111.1
+fastapi==0.115.7
 greenlet==3.1.1
 h11==0.14.0
 httpcore==0.16.3
@@ -45,11 +45,11 @@ rich==13.9.4
 shellingham==1.5.4
 sniffio==1.3.1
 sqlmodel==0.0.22
-starlette==0.37.2
+starlette==0.40.0
 tomli==2.0.1
 typer==0.15.1
 typing_extensions==4.12.2
-urllib3==1.26.5
+urllib3==2.3.0
 uvicorn==0.30.3
 uvloop==0.21.0
 watchfiles==1.0.4