Eclipse Theia contributors: Intellectual Property (IP) guide
Warning: construction zone!
- Eclipse Theia Intellectual Property (IP) guide
(1): Eclipse Foundation project handbook
(2): Eclipse Foundation IP Team issue tracker
We have integrated the Eclipse Foundation tool dash-licenses in the main Theia repository. We run the license check workflow every time a PR is created or updated and every time a PR is merged. See further below for details about the integration.
Main file: `scripts/check_3pp_licenses.js`

The Node.js script `check_3pp_licenses.js` is where the meat of the integration is. If needed, it fetches a recent dash-licenses in the form of a Java jar file. It then runs dash-licenses in auto-review mode when possible [*]. In that mode, for any 3PP that doesn't pass the check, an individual ticket is automatically opened for the EF IP Team to review that dependency. The review is in large part automated and can often be resolved in minutes.

[*]: An Eclipse Foundation GitLab token is necessary. We have one stored as a repository secret, but it can only be used when the PR originates from someone who has write access to the repos, in other words a committer.
yarn scripts (`package.json`):

```json
"license:check": "node scripts/check_3pp_licenses.js",
"license:check:review": "node scripts/check_3pp_licenses.js --review",
```
While dash-licenses is generally reliable, there are instances where it will report results that the project team knows to be wrong or probably wrong. For example, a 3PP being flagged as not authorized when it actually is (the "works-with" exception) is a good reason to ignore a result.

In the Theia repo root, we have the file `dependency-check-baseline.json`. Add an entry to this file when you want a specific 3PP that fails the check to be ignored.
Here's what it looked like in v1.36.0:

```json
{
  "npm/npmjs/-/eslint-plugin-deprecation/1.2.1": "Approved as 'works-with': https://dev.eclipse.org/ipzilla/show_bug.cgi?id=22573",
  "npm/npmjs/-/jschardet/2.3.0": "Approved for Eclipse Theia: https://dev.eclipse.org/ipzilla/show_bug.cgi?id=22481",
  "npm/npmjs/-/jsdom/11.12.0": "Approved as 'works-with': https://dev.eclipse.org/ipzilla/show_bug.cgi?id=23640",
  "npm/npmjs/-/lzma-native/8.0.6": "Approved as 'works-with': https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/1850",
  "npm/npmjs/-/playwright-core/1.22.2": "Approved as 'works-with': https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/2734",
  "npm/npmjs/@octokit/openapi-types/12.11.0": "Under review: https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/7693",
  "npm/npmjs/@octokit/openapi-types/16.0.0": "Under review: https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/7694"
}
```
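To make the role of the baseline concrete, here is an added Node.js example (not Theia's own `check_3pp_licenses.js`) that applies an ignore list like the one above to a dash-licenses result and derives the pass/fail decision the CI step relies on. It assumes the dash-licenses summary format of one comma-separated line per dependency (`id, license, status, source`, with status `approved` or `restricted`); the summary lines, the `stale-example` and `blocked-example` packages and their ticket URLs are constructed for the example. It also reports baseline entries that no longer match a restricted dependency, so the ignore list can be pruned instead of accumulating exceptions nobody re-examines.

```javascript
// Added example, not part of Theia's scripts/check_3pp_licenses.js: applying
// dependency-check-baseline.json to a dash-licenses summary.
//
// Assumption: dash-licenses writes one comma-separated line per dependency,
// "<id>, <license>, <status>, <source>", with status "approved" or
// "restricted". All sample data below is constructed for this example.

const SAMPLE_BASELINE = {
  "npm/npmjs/-/jschardet/2.3.0":
    "Approved for Eclipse Theia: https://dev.eclipse.org/ipzilla/show_bug.cgi?id=22481",
  "npm/npmjs/@octokit/openapi-types/16.0.0":
    "Under review: https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/7694",
  // Constructed entry for a package that is no longer in the dependency tree.
  "npm/npmjs/-/stale-example/0.0.1":
    "Approved as 'works-with': https://example.invalid/placeholder-ticket",
};

// Constructed summary lines; license values are sample data.
const SAMPLE_SUMMARY = [
  "npm/npmjs/-/lodash/4.17.21, MIT, approved, clearlydefined",
  "npm/npmjs/-/jschardet/2.3.0, LGPL-2.1-or-later, restricted, none",
  "npm/npmjs/@octokit/openapi-types/16.0.0, MIT, restricted, none",
  "npm/npmjs/-/blocked-example/1.0.0, GPL-3.0-only, restricted, none",
  "",
].join("\n");

// Parse the summary into records. A malformed line is an error rather than
// being skipped: a parser that drops lines would also drop restricted ones.
function parseSummary(text) {
  const records = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "") continue;
    const cols = line.split(",").map((c) => c.trim());
    if (cols.length !== 4) {
      throw new Error(`malformed dash-licenses summary line: ${line}`);
    }
    const [id, license, status, source] = cols;
    if (status !== "approved" && status !== "restricted") {
      throw new Error(`unknown status "${status}" for ${id}`);
    }
    records.push({ id, license, status, source });
  }
  return records;
}

// Split restricted results into those the baseline ignores (with the recorded
// reason) and those that fail the check. Baseline keys that no longer match a
// restricted dependency are reported as obsolete so the ignore list stays as
// small as the current dependency tree requires.
function applyBaseline(records, baseline) {
  const restricted = records.filter((r) => r.status === "restricted");
  const restrictedIds = new Set(restricted.map((r) => r.id));
  const failing = [];
  const ignored = [];
  for (const r of restricted) {
    if (Object.prototype.hasOwnProperty.call(baseline, r.id)) {
      ignored.push({ id: r.id, reason: baseline[r.id] });
    } else {
      failing.push(r.id);
    }
  }
  const obsolete = Object.keys(baseline).filter((id) => !restrictedIds.has(id));
  return { failing, ignored, obsolete };
}

// The CI step succeeds only when nothing restricted remains after filtering.
function checkPasses(result) {
  return result.failing.length === 0;
}

function runDemo() {
  const result = applyBaseline(parseSummary(SAMPLE_SUMMARY), SAMPLE_BASELINE);
  for (const { id, reason } of result.ignored) {
    console.log(`ignored  ${id}  (${reason})`);
  }
  for (const id of result.obsolete) {
    console.log(`obsolete baseline entry, consider removing: ${id}`);
  }
  for (const id of result.failing) {
    console.log(`FAIL     ${id}  needs an IP Team review`);
  }
  console.log(checkPasses(result) ? "license check passed" : "license check failed");
}

runDemo();
```

In the constructed sample, the two baseline-listed packages are reported as ignored with their ticket reference, `blocked-example` fails the check, and `stale-example` is flagged as an obsolete baseline entry.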
If you want to benefit from automated creation of IP Check tickets when dash-licenses flags a 3PP for further scrutiny, an environment variable named `DASH_LICENSES_PAT` must be set.

```shell
# automatically open IP check tickets on Eclipse Foundation GitLab
# requires a valid token to be set
theia$ yarn license:check:review
# without a token, we can still run and report suspicious 3PPs
theia$ yarn license:check
```
The 3PP license check runs in CI through the license-check workflow. It runs every time a PR is created or updated and every time a PR is merged into the master branch. If dash-licenses runs without finding dependencies that require more scrutiny (taking into account those filtered out by the baseline configuration), the workflow ends in success. Otherwise it shows as a failed CI step on the Pull Request page.

Here's the step in the workflow where dash-licenses is run:
```yaml
- name: Run dash-licenses
  if: matrix.tests != 'skip'
  shell: bash
  run: |
    yarn license:check:review || ( sleep 15m && yarn license:check:review )
  env:
    DASH_LICENSES_PAT: ${{ secrets.DASH_LICENSES_PAT }}
```
In case of failure, a second attempt is made after a pause of 15 minutes. The hope is that the delay is long enough for the IP ticket(s) for the suspiciously licensed 3PPs to be automatically approved. On the second try, dash-licenses might then find only approved 3PPs, resulting in a successful workflow run.
See the built-ins repo wiki for the details.