fastify / workflows

Reusable workflows for use in the Fastify organization
MIT License

Ensure that blueoak licensed packages are detected #97

Closed Uzlopak closed 7 months ago

Uzlopak commented 11 months ago

Issue

According to @gurgunday, tap is using the BlueOak License and the license checker does not detect it as not allowed. We have to investigate why this fails.

Fdawgs commented 11 months ago

Looks like it did its job here: https://github.com/fastify/fastify-static/actions/runs/6177304982/job/16768155505

But then failed with the likes of: https://github.com/fastify/fastify-sensible/actions/runs/6218443565/job/16874935466

The underlying license-checker seems hit and miss?

Uzlopak commented 11 months ago

Yes. It seems there is a miss if it is a direct dependency?

Fdawgs commented 11 months ago

It's because tap is a dev dependency and the license check in here is only looking at production ones. It caught it in https://github.com/fastify/fastify-static/actions/runs/6177304982/job/16768155505 because @gurgunday was updating a production dependency.

https://github.com/fastify/workflows/blob/3ae0b4bec5551ee1370bd06c7f67a6c8217156cd/.github/workflows/plugins-ci.yml#L66C26-L66C55

Will update it to also catch dev ones.
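An added illustration of the gap described in the comment above (not part of the thread and not the workflow's own code): a license audit that walks only production roots never reaches a dev dependency such as tap. The dependency tree, the package names other than tap, and the allowlist are constructed assumptions.

```javascript
// Constructed sample data: a manifest and a flattened view of its installed tree.
// Every package name except "tap" is hypothetical.
const manifest = {
  dependencies: { 'prod-lib': '*' },
  devDependencies: { tap: '*' },
};

const installed = {
  'prod-lib': { license: 'MIT', dependencies: ['prod-helper'] },
  'prod-helper': { license: 'ISC', dependencies: [] },
  tap: { license: 'BlueOak-1.0.0', dependencies: ['tap-helper'] },
  'tap-helper': { license: 'BlueOak-1.0.0', dependencies: [] },
};

// Assumed allowlist for this example, not the organization's real policy.
const ALLOWED = new Set(['MIT', 'ISC', 'BSD-3-Clause', 'Apache-2.0']);

// Walk the tree from the chosen roots and report every reachable package
// whose license is missing or not on the allowlist.
function auditLicenses(manifest, installed, { includeDev = false } = {}) {
  const roots = Object.keys(manifest.dependencies || {});
  if (includeDev) roots.push(...Object.keys(manifest.devDependencies || {}));

  const seen = new Set();
  const violations = [];
  const queue = [...roots];
  while (queue.length > 0) {
    const name = queue.shift();
    if (seen.has(name)) continue; // shared transitive deps are checked once
    seen.add(name);
    const pkg = installed[name];
    if (!pkg) {
      violations.push({ name, license: 'NOT INSTALLED' });
      continue;
    }
    if (!pkg.license || !ALLOWED.has(pkg.license)) {
      violations.push({ name, license: pkg.license || 'UNKNOWN' });
    }
    queue.push(...pkg.dependencies);
  }
  return { scanned: [...seen].sort(), violations };
}

const prodOnly = auditLicenses(manifest, installed);
const withDev = auditLicenses(manifest, installed, { includeDev: true });
console.log('production only:', prodOnly.violations);
console.log('including dev:  ', withDev.violations);
```

Comparing the `scanned` lists of the two runs shows exactly which packages a production-only check leaves unaudited.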

Fdawgs commented 9 months ago

@Uzlopak may no longer be an issue?

https://github.com/openjs-foundation/cross-project-council/issues/1170#issuecomment-1802733531

mcollina commented 9 months ago

Everything should be ok in 2/3 months or so. There is 60 days grace time, then the OpenJS Board would issue a statement.

Uzlopak commented 9 months ago

@Fdawgs

In a meeting with @rginn regarding some other OpenJS-related topic last week, I asked her about blueoak. She also said that it should resolve positively.

jsumners commented 9 months ago

"Should" and "are" are not equivalent. I am keeping an eye on the progress and will keep the task list updated. A major bump in tap after any v5 related release is an internal matter and will not necessitate another new major.

edit: I thought this thread was the v5 prep work thread.

voxpelli commented 9 months ago

Maybe rename this issue, as it was initially meant as a bug report about blue oak (dev) dependencies not being found by the workflow but now seems to be about tracking Blue Oak's OSI approval 😌

Or maybe there's another issue tracking the OSI-approval? In that case this issue can be closed in favor of that one.

Uzlopak commented 7 months ago

Blue Oak is OSI approved

https://twitter.com/MylesBorins/status/1752018663698321758

rginn commented 7 months ago

The OpenJS Board of Directors still need to vote to approve the Blue Oak license for OpenJS-hosted projects. The vote will take place this week.