mirror of
https://github.com/GeWuYou/GFramework.git
synced 2026-03-23 03:04:29 +08:00
b039e3bd6f
- 在 license-compliance 工作流中增加 ZIP 压缩包创建步骤 - 将 NOTICE、第三方许可证列表和 SBOM 验证文件打包为 license-compliance.zip - 更新 GitHub Release 上传配置以包含新的合规打包文件 - 添加详细的注释说明打包内容和用途 - 优化工作流步骤顺序和可读性
118 lines
4.3 KiB
YAML
118 lines
4.3 KiB
YAML
name: License Compliance (Feluda)
|
||
|
||
on:
|
||
push:
|
||
tags:
|
||
- '*'
|
||
|
||
permissions:
|
||
contents: write
|
||
|
||
jobs:
|
||
compliance:
|
||
runs-on: ubuntu-latest
|
||
steps:
|
||
- name: Checkout repository
|
||
uses: actions/checkout@v6
|
||
|
||
# 使用Feluda许可证扫描器检查项目依赖的许可证合规性
|
||
# 配置参数:
|
||
# - project-license: 设置项目许可证为Apache-2.0
|
||
# - fail-on-restrictive: 发现限制性许可证时失败
|
||
# - fail-on-incompatible: 发现不兼容许可证时失败
|
||
# - update-badge: 自动更新许可证徽章
|
||
- name: Feluda License Scanner
|
||
uses: anistark/feluda@v1.11.1
|
||
with:
|
||
project-license: 'Apache-2.0'
|
||
fail-on-restrictive: false
|
||
fail-on-incompatible: false
|
||
update-badge: startsWith(github.ref, 'refs/tags/v')
|
||
- name: Feluda License Scanner Incompatible Licenses
|
||
run: |
|
||
feluda --incompatible
|
||
|
||
# 生成合规性文件(NOTICE / THIRD_PARTY_LICENSES)
|
||
- name: Generate compliance files
|
||
run: |
|
||
echo "1" | feluda generate
|
||
echo "2" | feluda generate
|
||
|
||
# 生成 SBOM(SPDX + CycloneDX)
|
||
- name: Generate SBOM
|
||
run: |
|
||
feluda sbom spdx --output sbom.spdx.json
|
||
feluda sbom cyclonedx --output sbom.cyclonedx.json
|
||
|
||
# 校验 SBOM
|
||
- name: Validate SBOM files
|
||
run: |
|
||
feluda sbom validate sbom.spdx.json --output sbom-spdx-validation.txt
|
||
feluda sbom validate sbom.cyclonedx.json --output sbom-cyclonedx-validation.txt
|
||
|
||
# 上传合规产物到 GitHub Actions 工件存储
|
||
# 此步骤将指定的合规文件打包并上传为工件,供后续流程使用
|
||
# 参数说明:
|
||
# name: 步骤名称,用于标识该操作
|
||
# uses: 指定使用的 GitHub Action,此处为上传工件的官方动作
|
||
# with: 配置上传的具体内容
|
||
# name: 工件名称,用于标识上传的文件集合
|
||
# path: 指定需要上传的文件路径列表(支持多行格式)
|
||
- name: Upload compliance artifacts
|
||
uses: actions/upload-artifact@v6
|
||
with:
|
||
name: license-compliance
|
||
path: |
|
||
NOTICE
|
||
THIRD_PARTY_LICENSES.md
|
||
sbom.spdx.json
|
||
sbom.cyclonedx.json
|
||
sbom-spdx-validation.txt
|
||
sbom-cyclonedx-validation.txt
|
||
|
||
# 将合规文件打包为 ZIP 压缩包
|
||
# 此步骤通过 zip 命令将多个合规文件压缩为一个 ZIP 文件,便于分发或存档
|
||
# 压缩包中包含以下文件:
|
||
# - NOTICE: 项目声明文件
|
||
# - THIRD_PARTY_LICENSES.md: 第三方许可证列表
|
||
# - sbom.spdx.json: SPDX 格式的软件物料清单
|
||
# - sbom.cyclonedx.json: CycloneDX 格式的软件物料清单
|
||
# - sbom-spdx-validation.txt: SPDX 格式验证结果
|
||
# - sbom-cyclonedx-validation.txt: CycloneDX 格式验证结果
|
||
- name: Package compliance bundle
|
||
run: |
|
||
zip license-compliance.zip \
|
||
NOTICE \
|
||
THIRD_PARTY_LICENSES.md \
|
||
sbom.spdx.json \
|
||
sbom.cyclonedx.json \
|
||
sbom-spdx-validation.txt \
|
||
sbom-cyclonedx-validation.txt
|
||
|
||
|
||
|
||
# 将合规产物上传至 GitHub Release
|
||
# 此步骤将指定的合规文件附加到当前标签对应的 GitHub Release 中
|
||
# 参数说明:
|
||
# name: 步骤名称,用于标识该操作
|
||
# uses: 指定使用的 GitHub Action,此处为发布 Release 的第三方动作
|
||
# with: 配置发布的具体信息
|
||
# tag_name: 指定 Release 对应的 Git 标签名
|
||
# files: 指定需要附加到 Release 的文件路径列表(支持多行格式)
|
||
# env: 设置环境变量
|
||
# GITHUB_TOKEN: GitHub 访问令牌,用于授权发布操作
|
||
- name: Upload compliance assets to GitHub Release
|
||
uses: softprops/action-gh-release@v2
|
||
with:
|
||
tag_name: ${{ github.ref_name }}
|
||
files: |
|
||
NOTICE
|
||
THIRD_PARTY_LICENSES.md
|
||
sbom.spdx.json
|
||
sbom.cyclonedx.json
|
||
sbom-spdx-validation.txt
|
||
sbom-cyclonedx-validation.txt
|
||
license-compliance.zip
|
||
env:
|
||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|