chore: add dependency license verification (#752)

alharris-at · web-flow · commit 83b4fd501fcd · 2023-11-09T14:09:35.000-08:00
* chore: add dependency license verification

* fix: remove incorrect error message in license check

* fix: update to use codegen repo codebuild paths:

* fix: use correct cache load name
diff --git a/.codebuild/e2e_workflow.yml b/.codebuild/e2e_workflow.yml
@@ -36,6 +36,12 @@ batch:
         compute-type: BUILD_GENERAL1_MEDIUM
       depend-on:
         - build_linux
+    - identifier: verify_dependency_licenses_extract
+      buildspec: .codebuild/verify_dependency_licenses_extract.yml
+      env:
+        compute-type: BUILD_GENERAL1_MEDIUM
+      depend-on:
+        - build_linux
     - identifier: publish_to_local_registry
       buildspec: .codebuild/publish_to_local_registry.yml
       env:
diff --git a/.codebuild/e2e_workflow_base.yml b/.codebuild/e2e_workflow_base.yml
@@ -36,6 +36,12 @@ batch:
         compute-type: BUILD_GENERAL1_MEDIUM
       depend-on:
         - build_linux
+    - identifier: verify_dependency_licenses_extract
+      buildspec: .codebuild/verify_dependency_licenses_extract.yml
+      env:
+        compute-type: BUILD_GENERAL1_MEDIUM
+      depend-on:
+        - build_linux
     - identifier: publish_to_local_registry
       buildspec: .codebuild/publish_to_local_registry.yml
       env:
diff --git a/.codebuild/pr_workflow.yml b/.codebuild/pr_workflow.yml
@@ -34,3 +34,9 @@ batch:
       buildspec: .codebuild/verify_api_extract.yml
       depend-on:
         - build_linux
+    - identifier: verify_dependency_licenses_extract
+      buildspec: .codebuild/verify_dependency_licenses_extract.yml
+      env:
+        compute-type: BUILD_GENERAL1_MEDIUM
+      depend-on:
+        - build_linux
diff --git a/.codebuild/release_workflow.yml b/.codebuild/release_workflow.yml
@@ -30,6 +30,12 @@ batch:
       buildspec: .codebuild/verify_api_extract.yml
       depend-on:
         - build_linux
+    - identifier: verify_dependency_licenses_extract
+      buildspec: .codebuild/verify_dependency_licenses_extract.yml
+      env:
+        compute-type: BUILD_GENERAL1_MEDIUM
+      depend-on:
+        - build_linux
     - identifier: deploy
       buildspec: .codebuild/deploy.yml
       depend-on:
diff --git a/.codebuild/verify_dependency_licenses_extract.yml b/.codebuild/verify_dependency_licenses_extract.yml
@@ -0,0 +1,7 @@
+version: 0.2
+env:
+  shell: bash
+phases:
+  build:
+    commands:
+      - source ./shared-scripts.sh && _verifyDependencyLicensesExtract
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -4,8 +4,10 @@
 # API approval - public surface and dependencies.
 **/API.md @aws-amplify/amplify-data-admins
 
-# Changes to CI/CD scripts/buildspecs need admin approval
+# Dependency Licensing approval
+dependency_licenses.txt @aws-amplify/amplify-data-admins
 
+# Changes to CI/CD scripts/buildspecs need admin approval
 /scripts/ @aws-amplify/amplify-data-admins
 /shared-scripts.sh @aws-amplify/amplify-data-admins
 /.codebuild/ @aws-amplify/amplify-data-admins
diff --git a/dependency_licenses.txt b/dependency_licenses.txt
diff --git a/package.json b/package.json
@@ -42,7 +42,9 @@
     "split-e2e-tests": "yarn ts-node ./scripts/split-e2e-tests.ts && git add .codebuild/e2e_workflow.yml",
     "view-test-artifacts": "yarn authenticate-e2e-profile && yarn ts-node ./scripts/view-test-artifacts.ts",
     "cloud-e2e-debug": "source scripts/cloud-utils.sh && cloudE2EDebug",
-    "authenticate-e2e-profile": "source scripts/cloud-utils.sh && authenticateWithE2EProfile"
+    "authenticate-e2e-profile": "source scripts/cloud-utils.sh && authenticateWithE2EProfile",
+    "extract-dependency-licenses": "./scripts/extract-dependency-licenses.sh",
+    "verify-dependency-licenses-extract": "yarn extract-dependency-licenses && ./scripts/verify-dependency-licenses.sh"
   },
   "bugs": {
     "url": "https://github.com/aws-amplify/amplify-codegen/issues"
@@ -58,7 +60,7 @@
     "hooks": {
       "commit-msg": "commitlint -E HUSKY_GIT_PARAMS",
       "pre-push": "npm run lint && npm run test-changed",
-      "pre-commit": "yarn split-e2e-tests"
+      "pre-commit": "yarn split-e2e-tests && yarn extract-dependency-licenses"
     }
   },
   "author": "Amazon Web Services",
diff --git a/scripts/extract-dependency-licenses.sh b/scripts/extract-dependency-licenses.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+yarn licenses generate-disclaimer \
+    --ignore-platform \
+    --ignore-engines \
+    --ignore-optional \
+    --silent \
+    --no-progress \
+    --frozen-lockfile > dependency_licenses_temp.txt
+
+sed \
+    -e '/WORKSPACE AGGREGATOR/d' \
+    -e '/workspace-aggregator/d' \
+    dependency_licenses_temp.txt > dependency_licenses.txt
+
+rm dependency_licenses_temp.txt
diff --git a/scripts/verify-dependency-licenses.sh b/scripts/verify-dependency-licenses.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+change_dependency_licenses=$(git status | grep dependency_licenses.txt | wc -l)
+
+if [[ change_dependency_licenses -gt 0 ]]; then
+  echo "Detected license change. Please run 'yarn extract-dependency-licenses' and add dependency_licenses.txt file changes to the change set."
+  exit 1;
+fi
diff --git a/shared-scripts.sh b/shared-scripts.sh
@@ -160,6 +160,12 @@ function _verifyAPIExtract {
   yarn verify-api-extract
 }
 
+function _verifyDependencyLicensesExtract {
+  echo "Verify Dependency Licenses Extract"
+  loadCacheFromLinuxBuildJob
+  yarn verify-dependency-licenses-extract
+}
+
 function _lint {
   echo "Lint"
   loadCacheFromLinuxBuildJob
