feat(nix): validate licenses (#4497)

this will check if the license provided by the user is a valid one. valid list of licenses is generated from nix's source code. closes #4496
2025-10-30 23:58:09 +02:00 · 2023-12-26 08:37:44 -03:00
parent 8586878fdf
commit dda1c708ae
6 changed files with 284 additions and 1 deletions
--- a/.github/workflows/generate.yml
+++ b/.github/workflows/generate.yml
@@ -28,6 +28,7 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - run: task docs:generate
      - run: task schema:generate
+      - run: task nix:licenses:generate
      - uses: stefanzweifel/git-auto-commit-action@8756aa072ef5b4a080af5dc8fef36c5d586e521d # v5
        with:
          commit_message: "chore: docs auto-update"
--- a/Taskfile.yml
+++ b/Taskfile.yml
@@ -67,6 +67,13 @@ tasks:
    cmds:
      - task: ci

+  nix:licenses:generate:
+    desc: Generate nix/licenses.go
+    cmds:
+      - ./scripts/gen-nix-licenses.sh
+    generates:
+      - ./internal/pipe/nix/licenses.go
+
  schema:generate:
    desc: Generate JSONSchema
    cmds:
--- a/internal/pipe/nix/licenses.go
+++ b/internal/pipe/nix/licenses.go
@@ -0,0 +1,234 @@
+// AUTO-GENERATED. DO NOT EDIT.
+
+package nix
+
+var validLicenses = []string{
+	"abstyles",
+	"acsl14",
+	"activision",
+	"afl20",
+	"afl21",
+	"afl3",
+	"agpl3Only",
+	"agpl3Plus",
+	"aladdin",
+	"amazonsl",
+	"amd",
+	"aom",
+	"apsl10",
+	"apsl20",
+	"arphicpl",
+	"artistic1",
+	"artistic1-cl8",
+	"artistic2",
+	"asl20",
+	"asl20-llvm",
+	"bitstreamVera",
+	"bitTorrent10",
+	"bitTorrent11",
+	"bola11",
+	"boost",
+	"beerware",
+	"blueOak100",
+	"bsd0",
+	"bsd1",
+	"bsd2",
+	"bsd2Patent",
+	"bsd2WithViews",
+	"bsd3",
+	"bsd3Clear",
+	"bsdOriginal",
+	"bsdOriginalShortened",
+	"bsdOriginalUC",
+	"bsdProtection",
+	"bsl11",
+	"caossl",
+	"cal10",
+	"caldera",
+	"capec",
+	"clArtistic",
+	"cc0",
+	"cc-by-nc-nd-30",
+	"cc-by-nc-nd-40",
+	"cc-by-nc-sa-20",
+	"cc-by-nc-sa-25",
+	"cc-by-nc-sa-30",
+	"cc-by-nc-sa-40",
+	"cc-by-nc-30",
+	"cc-by-nc-40",
+	"cc-by-nd-30",
+	"cc-by-sa-10",
+	"cc-by-sa-20",
+	"cc-by-sa-25",
+	"cc-by-10",
+	"cc-by-30",
+	"cc-by-sa-30",
+	"cc-by-40",
+	"cc-by-sa-40",
+	"cddl",
+	"cecill20",
+	"cecill21",
+	"cecill-b",
+	"cecill-c",
+	"cpal10",
+	"cpl10",
+	"curl",
+	"doc",
+	"drl10",
+	"eapl",
+	"ecl20",
+	"efl10",
+	"efl20",
+	"elastic20",
+	"epl10",
+	"epl20",
+	"epson",
+	"eupl11",
+	"eupl12",
+	"fdl11Only",
+	"fdl11Plus",
+	"fdl12Only",
+	"fdl12Plus",
+	"fdl13Only",
+	"fdl13Plus",
+	"ffsl",
+	"fraunhofer-fdk",
+	"free",
+	"ftl",
+	"g4sl",
+	"geogebra",
+	"generaluser",
+	"gfl",
+	"gfsl",
+	"gpl1Only",
+	"gpl1Plus",
+	"gpl2Only",
+	"gpl2Classpath",
+	"gpl2ClasspathPlus",
+	"gpl2Oss",
+	"gpl2Plus",
+	"gpl3Only",
+	"gpl3Plus",
+	"gpl3ClasspathPlus",
+	"hpnd",
+	"hpndSellVariant",
+	"iasl",
+	"ijg",
+	"imagemagick",
+	"imlib2",
+	"info-zip",
+	"inria-compcert",
+	"inria-icesl",
+	"inria-zelus",
+	"ipa",
+	"ipl10",
+	"isc",
+	"databricks",
+	"databricks-dbx",
+	"fair",
+	"fairsource09",
+	"hl3",
+	"issl",
+	"knuth",
+	"lal12",
+	"lal13",
+	"lens",
+	"lgpl2Only",
+	"lgpl2Plus",
+	"lgpl21Only",
+	"lgpl21Plus",
+	"lgpl3Only",
+	"lgpl3Plus",
+	"lgpllr",
+	"libpng",
+	"libpng2",
+	"libssh2",
+	"libtiff",
+	"llgpl21",
+	"lppl1",
+	"lppl12",
+	"lppl13a",
+	"lppl13c",
+	"lpl-102",
+	"miros",
+	"mit",
+	"mit-feh",
+	"mitAdvertising",
+	"mit0",
+	"mpl10",
+	"mpl11",
+	"mpl20",
+	"mspl",
+	"mulan-psl2",
+	"nasa13",
+	"ncsa",
+	"ncul1",
+	"nlpl",
+	"nposl3",
+	"nvidiaCuda",
+	"nvidiaCudaRedist",
+	"obsidian",
+	"ocamlLgplLinkingException",
+	"ocamlpro_nc",
+	"odbl",
+	"ofl",
+	"oml",
+	"openldap",
+	"openssl",
+	"opubl",
+	"osl2",
+	"osl21",
+	"osl3",
+	"parity70",
+	"php301",
+	"postgresql",
+	"postman",
+	"psfl",
+	"publicDomain",
+	"purdueBsd",
+	"prosperity30",
+	"qhull",
+	"qpl",
+	"qwt",
+	"ruby",
+	"sendmail",
+	"sgi-b-20",
+	"sgmlug",
+	"sleepycat",
+	"smail",
+	"sspl",
+	"stk",
+	"sudo",
+	"sustainableUse",
+	"tsl",
+	"tcltk",
+	"ucd",
+	"ufl",
+	"unfree",
+	"unfreeRedistributable",
+	"unfreeRedistributableFirmware",
+	"unicode-dfs-2015",
+	"unicode-dfs-2016",
+	"unlicense",
+	"upl",
+	"vim",
+	"virtualbox-puel",
+	"vol-sl",
+	"vsl10",
+	"watcom",
+	"w3c",
+	"wadalab",
+	"wtfpl",
+	"wxWindows",
+	"x11",
+	"xfig",
+	"zlib",
+	"zpl20",
+	"zpl21",
+	"agpl3",
+	"gpl2",
+	"gpl3",
+	"lgpl2",
+	"lgpl21",
+	"lgpl3",
+}
--- a/internal/pipe/nix/nix.go
+++ b/internal/pipe/nix/nix.go
@@ -9,6 +9,7 @@ import (
 	"os/exec"
 	"path"
 	"path/filepath"
+	"slices"
 	"sort"
 	"strings"
 	"text/template"
@@ -43,6 +44,7 @@ var (
 	errNoRepoName     = pipe.Skip("repository name is not set")
 	errSkipUpload     = pipe.Skip("nix.skip_upload is set")
 	errSkipUploadAuto = pipe.Skip("nix.skip_upload is set to 'auto', and current version is a pre-release")
+	errInvalidLicense = errors.New("nix.license is invalid")
 )

 // NewBuild returns a pipe to be used in the build phase.
@@ -83,6 +85,9 @@ func (Pipe) Default(ctx *context.Context) error {
 		if nix.Goamd64 == "" {
 			nix.Goamd64 = "v1"
 		}
+		if nix.License != "" && !slices.Contains(validLicenses, nix.License) {
+			return fmt.Errorf("%w: %s", errInvalidLicense, nix.License)
+		}
 	}

 	return nil
--- a/internal/pipe/nix/nix_test.go
+++ b/internal/pipe/nix/nix_test.go
@@ -86,6 +86,7 @@ func TestPrefetcher(t *testing.T) {
 func TestRunPipe(t *testing.T) {
 	for _, tt := range []struct {
 		name                 string
+		expectDefaultErrorIs error
 		expectRunErrorIs     error
 		expectPublishErrorIs error
 		nix                  config.Nix
@@ -100,6 +101,18 @@ func TestRunPipe(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:                 "invalid license",
+			expectDefaultErrorIs: errInvalidLicense,
+			nix: config.Nix{
+				IDs:     []string{"foo"},
+				License: "mitt",
+				Repository: config.RepoRef{
+					Owner: "foo",
+					Name:  "bar",
+				},
+			},
+		},
 		{
 			name: "deps",
 			nix: config.Nix{
@@ -529,12 +542,18 @@ func TestRunPipe(t *testing.T) {
 			}

 			// default
+			if tt.expectDefaultErrorIs != nil {
+				err := bpipe.Default(ctx)
+				require.ErrorAs(t, err, &tt.expectDefaultErrorIs)
+				return
+
+			}
 			require.NoError(t, bpipe.Default(ctx))

 			// run
 			if tt.expectRunErrorIs != nil {
 				err := bpipe.runAll(ctx, client)
-				require.ErrorAs(t, err, &tt.expectPublishErrorIs)
+				require.ErrorAs(t, err, &tt.expectRunErrorIs)
 				return
 			}
 			require.NoError(t, bpipe.runAll(ctx, client))
--- a/scripts/gen-nix-licenses.sh
+++ b/scripts/gen-nix-licenses.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+{
+	echo "// AUTO-GENERATED. DO NOT EDIT."
+	echo
+	echo "package nix"
+	echo "var validLicenses = []string {"
+	curl -s https://raw.githubusercontent.com/NixOS/nixpkgs/master/lib/licenses.nix |
+		grep -E '.* = \{' |
+		grep -v default |
+		cut -f1 -d= |
+		awk '{print "\"" $1 "\","}'
+	echo -e "}"
+} >./internal/pipe/nix/licenses.go
+
+gofumpt -w ./internal/pipe/nix/licenses.go