Eclipse Theia contributors: Intellectual Property (IP) guide
Warning: construction zone!
(1): Eclipse Foundation project handbook
(2): Eclipse Foundation IP Team issue tracker
We have integrated the Eclipse Foundation tool dash-licenses in the main Theia repository. We run the license check workflow every time a PR is created or updated and every time a PR is merged. See further below for details about the integration.
Main file: scripts/check_3pp_licenses.js
The Node.js script check_3pp_licenses.js is where the meat of the integration is. If needed, it fetches a recent dash-licenses in the form of a Java jar file. It then runs dash-licenses in auto-review mode when possible [*]. In that mode, for any 3PP that doesn't pass the check, an individual ticket is automatically opened for the EF IP Team to review that dependency. The review is largely automated and can often be resolved in minutes.
[*]: An Eclipse Foundation Gitlab token is necessary. We have one stored as a repository secret, but it can only be used when the PR originates from someone who has write access to the repository, in other words a committer.
yarn scripts (package.json):
"license:check": "node scripts/check_3pp_licenses.js",
"license:check:review": "node scripts/check_3pp_licenses.js --review",
While dash-licenses is generally reliable, there are instances where it provides results that the project team knows to be wrong or probably wrong. For example, a 3PP being flagged as not authorized when it actually is (a "workswith" exception) is a good reason to ignore a result.
In the Theia repo root, we have the file dependency-check-baseline.json.
Here's what it looked like at v1.36.0:
{
"npm/npmjs/-/eslint-plugin-deprecation/1.2.1": "Approved as 'works-with': https://dev.eclipse.org/ipzilla/show_bug.cgi?id=22573",
"npm/npmjs/-/jschardet/2.3.0": "Approved for Eclipse Theia: https://dev.eclipse.org/ipzilla/show_bug.cgi?id=22481",
"npm/npmjs/-/jsdom/11.12.0": "Approved as 'works-with': https://dev.eclipse.org/ipzilla/show_bug.cgi?id=23640https://dev.eclipse.org/ipzilla/show_bug.cgi?id=23640",
"npm/npmjs/-/lzma-native/8.0.6": "Approved as 'works-with': https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/1850",
"npm/npmjs/-/playwright-core/1.22.2": "Approved as 'works-with': https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/2734",
"npm/npmjs/@octokit/openapi-types/12.11.0": "Under review: https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/7693",
"npm/npmjs/@octokit/openapi-types/16.0.0": "Under review: https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/7694"
}
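How a baseline like this can be applied to a dash-licenses summary, as an added example (not Theia's check_3pp_licenses.js). The functions `parseRestricted` and `triage` are hypothetical, the summary line format `<id>, <license>, <status>, <authority>` is an assumption, and the package ids and ticket URLs are constructed placeholders:

```javascript
// Added example, not Theia's scripts/check_3pp_licenses.js.
// Assumed summary line format: "<id>, <license>, <status>, <authority>".

// Return the summary entries whose status is "restricted".
function parseRestricted(summaryText) {
  return summaryText.split(/\r?\n/)
    .map(line => line.split(',').map(field => field.trim()))
    .filter(fields => fields.length >= 4)
    .map(fields => ({
      id: fields[0],
      license: fields.slice(1, -2).join(', '), // tolerate commas in the license field
      status: fields[fields.length - 2],
      authority: fields[fields.length - 1],
    }))
    .filter(entry => entry.status === 'restricted');
}

// Compare flagged dependencies with the baseline (id -> justification string).
function triage(summaryText, baseline) {
  const has = id => Object.prototype.hasOwnProperty.call(baseline, id);
  const flagged = parseRestricted(summaryText).map(entry => entry.id);
  return {
    // Flagged with no baseline entry: the check should fail on these.
    unresolved: flagged.filter(id => !has(id)),
    // Suppressed only provisionally: the ticket is still open.
    pending: flagged.filter(id => has(id) && /^Under review/i.test(baseline[id])),
    // Baseline entries matching nothing flagged: delete them so an old
    // exception cannot silently cover a dependency that is re-added later.
    stale: Object.keys(baseline).filter(id => !flagged.includes(id)),
  };
}

// Constructed sample data: hypothetical packages and placeholder ticket URLs.
const SAMPLE_SUMMARY = `
npm/npmjs/-/example-approved/1.0.0, MIT, approved, clearlydefined
npm/npmjs/-/example-workswith/2.3.0, LGPL-2.1-only, restricted, clearlydefined
npm/npmjs/@example/pending/4.0.0, , restricted, -
npm/npmjs/-/example-new/0.9.1, GPL-3.0-only, restricted, clearlydefined
`;
const SAMPLE_BASELINE = {
  'npm/npmjs/-/example-workswith/2.3.0': "Approved as 'works-with': <ticket-url>",
  'npm/npmjs/@example/pending/4.0.0': 'Under review: <ticket-url>',
  'npm/npmjs/-/example-removed/1.1.0': "Approved as 'works-with': <ticket-url>",
};

console.log(triage(SAMPLE_SUMMARY, SAMPLE_BASELINE));
```

Reporting `pending` and `stale` alongside `unresolved` keeps the baseline from growing into a permanent allowlist that nobody revisits.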
If you want to benefit from automated creation of IP Check tickets when dash-licenses flags a 3PP for further scrutiny, an environment variable named DASH_LICENSES_PAT must be set:
# automatically open IP check tickets on Eclipse Foundation Gitlab
# requires a valid token be set
theia$ yarn license:check:review
# without a token, we can still run and report suspicious 3PPs
theia$ yarn license:check
Automatically used in CI through the license-check workflow:
- name: Run dash-licenses
  if: matrix.tests != 'skip'
  shell: bash
  run: |
    yarn license:check:review || ( sleep 15m && yarn license:check:review )
  env:
    DASH_LICENSES_PAT: ${{ secrets.DASH_LICENSES_PAT }}
See the built-ins repo wiki for the details.