-
Notifications
You must be signed in to change notification settings - Fork 113
44 lines (39 loc) · 1.62 KB
/
verify-dependabot-clearly-defined.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
name: Dependabot Verify ClearlyDefined
on:
pull_request:
paths: ['eng/dependabot/**']
permissions:
pull-requests: read
jobs:
dependabotVerify:
if: ${{ github.actor == 'dependabot[bot]' }}
runs-on: ubuntu-latest
steps:
- name: Fetch Dependabot metadata
id: metadata
uses: dependabot/fetch-metadata@dbb049abf0d677abbd7f7eee0375145b417fdd34
- name: Check ClearlyDefined
if: ${{steps.metadata.outputs.package-ecosystem == 'nuget'}}
run: |
set -e
blockPr=""
while read -r dependency; do
url="https://api.clearlydefined.io/definitions/nuget/nuget/-/$dependency"
echo "Checking $dependency at $url"
license=$(curl -sX GET "$url" -H "accept: */*" | jq -r '.licensed.declared')
if [ "$license" == "null" ]; then
echo "--> Not harvested, submitting request."
curl -sX POST "https://api.clearlydefined.io/harvest" -H "accept: */*" -H "Content-Type: application/json" -d "[{\"tool\":\"package\",\"coordinates\":\"nuget/nuget/-/$dependency\"}]"
echo
if [[ "$dependency" == Microsoft.* ]] || [[ "$dependency" == Azure.* ]] || [[ "$dependency" == System.* ]]; then
echo "--> 1P dependency"
else
echo "--> 3P dependency"
blockPr="true"
fi
fi
done <<< $(echo '${{steps.metadata.outputs.updated-dependencies-json}}' | jq -r '.[] | .dependencyName + "/" + .newVersion')
if [ "$blockPr" == "true" ]; then
echo "Blocking PR"
exit 1
fi