diff --git a/.github/workflows/auto-tag.yml b/.github/workflows/auto-tag.yml
index 996d455..0795fea 100644
--- a/.github/workflows/auto-tag.yml
+++ b/.github/workflows/auto-tag.yml
@@ -20,7 +20,8 @@ jobs: runs-on: ubuntu-latest permissions: contents: write - + outputs: + tagged: ${{ steps.create_tag.outcome == 'success' }} steps: - name: Checkout code uses: actions/checkout@v6
@@ -29,7 +30,6 @@ jobs: persist-credentials: false - name: Get next version - if: steps.check_skip.outputs.skip_tag == 'false' id: version run: | LATEST_TAG=$(git tag --list "v*" --sort=-v:refname | head -n 1)
@@ -40,7 +40,6 @@ jobs: echo "new_tag=v$MAJOR.$MINOR.$PATCH" >> $GITHUB_OUTPUT - name: Create tag - if: steps.check_skip.outputs.skip_tag == 'false' env: PAT: ${{ secrets.PAT_TOKEN }} TAG: ${{ steps.version.outputs.new_tag }}
@@ -55,4 +54,10 @@ jobs: fi git tag -a "$TAG" -m "Auto tag $TAG" - git push "https://x-access-token:${PAT}@github.com/${{ github.repository }}.git" "$TAG"
\ No newline at end of file
+ git push "https://x-access-token:${PAT}@github.com/${{ github.repository }}.git" "$TAG" + license-compliance: + needs: auto-tag + if: needs.auto-tag.outputs.tagged == 'true' + uses: ./.github/workflows/license-compliance.yml + permissions: + contents: read
\ No newline at end of file
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 85d5a02..7424399 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
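Review bot: The new `tagged` output in the first hunk reads `steps.create_tag.outcome`, but the `Create tag` step as shown in the third hunk goes straight from `- name: Create tag` to `env:` with no visible `id: create_tag`; if that id is not set somewhere outside the hunk, the expression evaluates against an undefined step, `tagged` is never `'true'`, and the new `license-compliance` job is silently skipped on every run — the same fail-closed pattern as the `steps.check_skip` references this commit removes. Add `id: create_tag` directly under `- name: Create tag`, or point the output at whatever id the step actually has. A short comment on the output, `# true only when the tag push step itself succeeded`, would also make the gate's intent explicit.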
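Review bot: The `license-compliance` job added in the last hunk depends on `needs.auto-tag.outputs.tagged`, so it runs only after the tag has already been pushed and can never veto a release tag; if that is intended, say so above the job, e.g. `# Runs after the tag is pushed; informational only, cannot block the tag`. The job is correctly restricted to `contents: read`, but the reusable workflow it calls has an `update-badge` input gated on a push to main; if that step writes a badge back to the repository it will fail under this permission set, so confirm which behaviour is wanted. Visible on the new side though unchanged by this commit: the push still embeds `${PAT}` in the remote URL, and passing it via `git -c http.extraheader="AUTHORIZATION: basic …"` or `GIT_ASKPASS` keeps the token out of any URL git echoes on failure.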
@@ -79,25 +79,7 @@ jobs: # 恢复.NET本地工具 - name: Restore .NET tools run: dotnet tool restore - - # 使用Feluda许可证扫描器检查项目依赖的许可证合规性 - # 配置参数: - # - project-license: 设置项目许可证为Apache-2.0 - # - fail-on-restrictive: 发现限制性许可证时失败 - # - fail-on-incompatible: 发现不兼容许可证时失败 - # - update-badge: 自动更新许可证徽章 - - name: Feluda License Scanner - uses: anistark/feluda@v1.11.1 - with: - project-license: 'Apache-2.0' - fail-on-restrictive: false - fail-on-incompatible: false - verbose: true - update-badge: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && contains(github.event.head_commit.message, '[release ci]') }} - - name: Feluda License Scanner Incompatible Licenses - run: | - feluda --incompatible - + # 构建项目,使用Release配置且跳过恢复步骤 - name: Build run: dotnet build -c Release --no-restore
diff --git a/.github/workflows/license-compliance.yml b/.github/workflows/license-compliance.yml
new file mode 100644
index 0000000..c118fd6
--- /dev/null
+++ b/.github/workflows/license-compliance.yml
@@ -0,0 +1,69 @@
+name: License Compliance (Feluda)
+
+on:
+ workflow_call:
+ inputs:
+ upload-artifacts:
+ required: false
+ type: boolean
+ default: true
+
+permissions:
+ contents: read
+
+jobs:
+ compliance:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # 使用Feluda许可证扫描器检查项目依赖的许可证合规性
+ # 配置参数:
+ # - project-license: 设置项目许可证为Apache-2.0
+ # - fail-on-restrictive: 发现限制性许可证时失败
+ # - fail-on-incompatible: 发现不兼容许可证时失败
+ # - update-badge: 自动更新许可证徽章
+ - name: Feluda License Scanner
+ uses: anistark/feluda@v1.11.1
+ with:
+ project-license: 'Apache-2.0'
+ fail-on-restrictive: false
+ fail-on-incompatible: false
+ update-badge: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+ - name: Feluda License Scanner Incompatible Licenses
+ run: |
+ feluda --incompatible
+
+ # 生成合规性文件(NOTICE / THIRD_PARTY_LICENSES)
+ - name: Generate compliance files
+ run: |
+ echo "1" | feluda generate
+ echo "2" | feluda generate
+
+ # 生成 SBOM(SPDX + CycloneDX)
+ - name: Generate SBOM
+ run: |
+ feluda sbom spdx --output sbom.spdx.json
+ feluda sbom cyclonedx --output sbom.cyclonedx.json
+
+ # 校验 SBOM
+ - name: Validate SBOM files
+ run: |
+ feluda sbom validate sbom.spdx.json --output sbom-spdx-validation.txt
+ feluda sbom validate sbom.cyclonedx.json --output sbom-cyclonedx-validation.txt
+
+ # 上传合规产物
+ - name: Upload compliance artifacts
+ if: inputs.upload-artifacts
+ uses: actions/upload-artifact@v4
+ with:
+ name: license-compliance
+ path: |
+ NOTICE
+ THIRD_PARTY_LICENSES.md
+ sbom.spdx.json
+ sbom.cyclonedx.json
+ sbom-spdx-validation.txt
+ sbom-cyclonedx-validation.txt
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index c164bea..5fffa6c 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
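Review bot: The `actions/checkout@v4` step leaves `persist-credentials` at its default of `true`, so the job's `GITHUB_TOKEN` is written into `.git/config` in the same workspace where the third-party `anistark/feluda` action runs next, making the token readable by that action and anything it pulls in; `auto-tag.yml` already sets `persist-credentials: false` on its checkout, and this workflow should add `with:` / `persist-credentials: false` too unless `update-badge` genuinely needs the token to push. In the same vein, `anistark/feluda@v1.11.1` is a mutable tag on an individual account — pin it to the full commit SHA (`uses: anistark/feluda@<sha> # v1.11.1`) so a re-tagged release cannot change what runs with read access to the repository, and align the checkout pin with the `@v6` used in auto-tag.yml. Note also that `update-badge` is gated on `github.event_name == 'push' && github.ref == 'refs/heads/main'`; in a `workflow_call` those values come from the caller's event, and the file-level `permissions: contents: read` will block any write a badge update attempts, so either the condition is dead or the caller must grant write — document whichever is intended in a comment above the step.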
@@ -67,26 +67,6 @@ jobs: set -e echo "Packing with version=${{ steps.tag_version.outputs.version }}" dotnet pack -c Release -o ./packages -p:PackageVersion=${{ steps.tag_version.outputs.version }} -p:IncludeSymbols=false - - name: Setup Feluda - uses: anistark/feluda@v1.11.1 - # 生成合规性文件,执行两次feluda generate命令 - - name: Generate compliance files - run: | - echo "1" | feluda generate - echo "2" | feluda generate - - # 生成软件物料清单(SBOM)文件,输出SPDX和CycloneDX两种格式 - - name: Generate SBOM - run: | - feluda sbom spdx --output sbom.spdx.json - feluda sbom cyclonedx --output sbom.cyclonedx.json - - # 验证生成的SBOM文件的有效性,并输出验证结果到文本文件 - - name: Validate SBOM files - run: | - feluda sbom validate sbom.spdx.json --output sbom-spdx-validation.txt - feluda sbom validate sbom.cyclonedx.json --output sbom-cyclonedx-validation.txt - # 上传许可证合规相关的工件文件,包括通知文件、第三方许可证、SBOM文件及验证结果 - name: Upload compliance artifacts uses: actions/upload-artifact@v4
@@ -181,5 +161,7 @@ jobs: THIRD_PARTY_LICENSES.md sbom.spdx.json sbom.cyclonedx.json + sbom-spdx-validation.txt + sbom-cyclonedx-validation.txt env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
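Review bot: The two files added to this list in the second hunk (`sbom-spdx-validation.txt`, `sbom-cyclonedx-validation.txt`), like the `NOTICE`, `THIRD_PARTY_LICENSES.md` and SBOM entries already there, are no longer produced by this workflow once the first hunk removes the Feluda setup, generate and validate steps; unless a step outside these hunks downloads the `license-compliance` artifact from the reusable workflow into the workspace, both the retained `Upload compliance artifacts` step and this step will be pointed at files that do not exist. If the intent is to publish what `license-compliance.yml` generated, add an `actions/download-artifact@v4` step with `name: license-compliance` before these steps, otherwise drop the stale paths. The step that owns this list starts outside the hunk, so I cannot tell from here whether it tolerates missing files or fails the release.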