Skip to content

Detect unused dependency license metadata files #219

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 15, 2022
Merged

Detect unused dependency license metadata files #219

merged 1 commit into from
Apr 15, 2022

Conversation

per1234
Copy link
Contributor

@per1234 per1234 commented Apr 15, 2022
edited
Loading

Background

The "Check Go Dependencies" GitHub Actions workflow checks for dependencies with incompatible or unapproved license types.

The dependency license metadata consumed by the "Licensed" tool is cached in the project repository, in a dedicated file for each dependency.

The check-cache job of the workflow checks whether that cache is in sync with the project's current dependencies. It does this by using the "Licensed" tool to update the cache and then a git diff command to check whether that resulted in any changes (which would indicate it is out of sync).

Out of sync states could result from any of three distinct conditions:

  • Missing metadata file
  • Incorrect metadata file contents
  • Superfluous metadata file

Problem

🐛 An incorrectly configured git diff command previously caused the last of these to be missed.

My first take at this system was simply using git diff --exit-code alone. That detects the last two, but misses the first. I added a preceding git add --intent-to-add . command to detect added files, but didn't realize that it also caused the last condition to be missed.

Superfluous files in the dependency license metadata cache won't interfere with its intended functionality, but it is still important to avoid an accumulation of unused files.

Solution

The new commands will catch all three of the possible out of sync conditions by staging all changes that result from the metadata cache update to the repository and then comparing those against the HEAD commit.

Additional Context

I considered an alternative approach which works just as well as the chosen one (explanation of the two approaches here):

git add .
git diff --exit-code HEAD

However, I feel that the git diff command with the --cached flag is more self-explanatory.

@per1234
Detect unused dependency license metadata files
0a66312 
The "Check Go Dependencies" GitHub Actions workflow checks for dependencies with incompatible or unapproved license
types.

The dependency license metadata consumed by the "Licensed" tool is cached in the project repository, in a dedicated file
for each dependency.

The `check-cache` job of the workflow checks whether that cache is in sync with the project's current dependencies. It
does this by using the "Licensed" tool to update the cache and then a `git diff` command to check whether that resulted
in any changes (which would indicate it is out of sync).

Out of sync states could result from any of three distinct conditions:

- Missing metadata file
- Incorrect metadata file contents
- Superfluous metadata file

An incorrectly configured `git diff` command previously caused the last of these to be missed.

My first take at this system was simply using `git diff --exit-code` alone. That detects the last two, but misses the
first. I added the `git add --intent-to-add .` command to detect added files, but didn't realize that it caused the last
to be missed.

Superfluous files in the dependency license metadata cache won't actually interfere with its intended functionality, but
it is still important to avoid an accumulation of unused files.

The new commands will catch all three of the possible out of sync conditions by staging all changes that result from
the metadata cache update to the repository and then comparing those against the `HEAD` commit.

I considered an alternative approach which works just as well as the chosen one:

```
git add .
git diff --exit-code HEAD
```

However, I feel that the `--cached` flag makes the `git diff` command more self-explanatory.
@per1234 per1234 added type: imperfection Perceived defect in any part of project topic: code Related to content of the project itself labels Apr 15, 2022
@per1234 per1234 requested a review from umbynos April 15, 2022 10:48
@per1234 per1234 self-assigned this Apr 15, 2022
@per1234 per1234 merged commit 0d9d4a9 into arduino:main Apr 15, 2022
@per1234 per1234 deleted the catch-unused-dep-metadata branch April 15, 2022 12:35
@per1234 per1234 mentioned this pull request Sep 3, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@umbynos umbynos umbynos approved these changes

Assignees

@per1234 per1234

Labels
topic: code Related to content of the project itself type: imperfection Perceived defect in any part of project
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@per1234 @umbynos