Use GitLab Token for License Check

[vrubezhny]

No description provided.

[mickaelistria]

Maybe it's worth also using this change to enable the common license check action, as done in Tycho and m2e: https://github.com/eclipse-tycho/tycho/blob/master/.github/workflows/licensecheck.yml

[vrubezhny]

Sure.
It's just that I'm not sure if the token really works... The dash.iplab.token argument was accepted for sure because the Dash Licence plugin reported on that IPTeam issues are already exist:

[INFO] A review request already exists https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/5062 .
...
[INFO] A review request already exists https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/5063 .

But it never tried to create an issue yet, so I don't know yet if the argument value is really accepted.

[vrubezhny]

What I'm not sure about is secret name I've used... The guide and examples (like https://github.com/eclipse-tycho/tycho/blob/master/.github/workflows/licensecheck.yml) stay on adding a project name to the token (like TYCHO_GITLAB_API_TOKEN, for example), while Frederic states he created GITLAB_API_TOKEN (NOT prefixed with the WWD project name). Probably I'm missing something.

[vrubezhny]

Also, we probably have to add the token usage to NPM dependencies check in #967

[vrubezhny]

@mickaelistria The common license check added like this:

  call-license-check:
    uses: eclipse/dash-licenses/.github/workflows/mavenLicenseCheck.yml@master
    with:
      projectId: tools.wildwebdeveloper
    secrets:
      gitlabAPIToken: ${{ secrets.GITLAB_API_TOKEN }}

finds the same two not resolved artifacts (so, it looks like we're double checking them) but with two differences:

• it fails at the end of the check (because of those two not resolved artifacts)
• it doesn't report on any try to create a review request.

There is require-review input in https://github.com/eclipse/dash-licenses/blob/master/.github/actions/maven-license-check-action/action.yml that is to be used to force a review requesting, but I don't see any usages of this input in https://github.com/eclipse-tycho/tycho/blob/master/.github/workflows/licensecheck.yml ...
On other side, I saw the IPTeam requests created by tycho - was they created by "ommenting with /request-license-review"? Or there was require-review input set in https://github.com/eclipse-tycho/tycho/blob/master/.github/workflows/licensecheck.yml but later removed from the code?

[akurtakov]

Your command is not hooked to anything in licensecheck.yml thus nothign will happen for /request-license-review . It is handled at https://github.com/eclipse/dash-licenses/blob/master/.github/actions/maven-license-check-action/action.yml#L29 so using it will have effect.

[vrubezhny]

Your command is not hooked to anything in licensecheck.yml thus nothign will happen for /request-license-review . It is handled at https://github.com/eclipse/dash-licenses/blob/master/.github/actions/maven-license-check-action/action.yml#L29 so using it will have effect.

@akurtakov aren't we using it when we invoke the following job at https://github.com/eclipse/wildwebdeveloper/pull/977/files#diff-214dc48999f71aa20bbf3110511b812571737db7a5da2e71a94d16c55255c08fR40:

 call-license-check:
    uses: eclipse/dash-licenses/.github/workflows/mavenLicenseCheck.yml@master
    ...

?

[mickaelistria]

so, it looks like we're double checking them

The idea is to replace the custom mvn step by invoking the GitHub workflow. As to /request-license-review, it will most likely only work when the necessary config is merged to master.

[vrubezhny]

so, it looks like we're double checking them

The idea is to replace the custom mvn step by invoking the GitHub workflow. As to /request-license-review, it will most likely only work when the necessary config is merged to master.

So, we should remove the 'build` job as result, right?

How can I make sure that the dependency list generated in the build job equals to the one that is generated in "the GitHub workflow"? I mean, currently they produce quite the same list of not vetted artifacts, but probably the best way would be comparing the generated lists of dependencies to be used by License Check?

[mickaelistria]

So, we should remove the 'build` job as result, right?

Yes, the 'build' job would "only" build and test; and reviewing the license would be another workflow (like it's done in Tycho and m2e). This becomes easier to maintain and review.

How can I make sure that the dependency list generated in the build job equals to the one that is generated in "the GitHub workflow"?

You don't have to make sure of that, but only to trust the GitHub workflow (Which is becoming the standard approach recommended by CBI).

[vrubezhny]

/request-license-review

[vrubezhny]

cc @wildwebdeveloper-bot

[vrubezhny]

/request-license-review

[mickaelistria]

Again "/request-license-review" is not likely to work before the change is merged. A 1st iteration is to make the GitHub workflow use the CBI one; then we'll see if /request-license-review can work with it.

[vrubezhny]

@mickaelistria OK. Then I'm going to merge the change that replaces the build job with the call-license-check that invokes the dash-licenses's mavenLicenseCheck.yml and enables the invocation on issue-comment event