├── LICENSE
├── README.md
└── action.yml

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2020 Tidelift

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Tidelift Alignment GitHub Action

The Tidelift Alignment GitHub action allows you to integrate a Tidelift
catalog alignment into your GitHub repositories.

This lets you get a bill of materials and optionally fail PRs that add unapproved packages, all as a part
of your CI/CD process.

For more information see support.tidelift.com

## Example usage

To use this action, you'll create a workflow that sets up an image
and installs any tools that are needed to create a dependency graph
for your application.

### JavaScript, Ruby, and others with an included lockfile

For this case, you just need to check out your source code and run
the action. For example, to run on every push you can use something
like the following.

```yaml
name: Tidelift Alignment
on:
  push

jobs:
  build:
    name: Run Tidelift to ensure approved open source packages are in use
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Alignment
        uses: tidelift/alignment-action@v2
        env:
          TIDELIFT_API_KEY: ${{ secrets.TIDELIFT_API_KEY }}
          TIDELIFT_ORGANIZATION: ${{ secrets.TIDELIFT_ORGANIZATION }}
          TIDELIFT_PROJECT: ${{ secrets.TIDELIFT_PROJECT }}
```

### Java

For a Java application, you do not have a lockfile and will need to
generate a dependency graph as part of the process and thus install
an environment that can build your application. You can use the
[setup-java](https://github.com/actions/setup-java) action and configure
it as makes sense for your environment. An example would be something
like the following.

```yaml
name: Tidelift Alignment
on:
  push

jobs:
  build:
    name: Run Tidelift to ensure approved open source packages are in use
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Setup JDK
        uses: actions/setup-java@v4
        with:
          distribution: 'zulu'
          java-version: '21'
          cache: 'maven'
      - name: Alignment
        uses: tidelift/alignment-action@v2
        env:
          TIDELIFT_API_KEY: ${{ secrets.TIDELIFT_API_KEY }}
          TIDELIFT_ORGANIZATION: ${{ secrets.TIDELIFT_ORGANIZATION }}
          TIDELIFT_PROJECT: ${{ secrets.TIDELIFT_PROJECT }}
```

### Python

For a Python application, you do not have a lockfile and will need to
generate a dependency graph as part of the process and thus install
an environment that can build your application. You can use the
[setup-python](https://github.com/actions/setup-python) action and configure
it as makes sense for your environment. An example would be something
like the following.

```yaml
name: Tidelift Alignment
on:
  push

jobs:
  build:
    name: Run Tidelift to ensure approved open source packages are in use
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - name: Alignment
        uses: tidelift/alignment-action@v2
        env:
          TIDELIFT_API_KEY: ${{ secrets.TIDELIFT_API_KEY }}
          TIDELIFT_ORGANIZATION: ${{ secrets.TIDELIFT_ORGANIZATION }}
          TIDELIFT_PROJECT: ${{ secrets.TIDELIFT_PROJECT }}
```

### Go

For a Go application, you do not have a lockfile and will need to
generate a dependency graph as part of the process and thus install
an environment that can build your application. You can use the
[setup-go](https://github.com/actions/setup-go) action and configure
it as makes sense for your environment. An example would be something
like the following.

```yaml
name: Tidelift Alignment
on:
  push

jobs:
  build:
    name: Run Tidelift to ensure approved open source packages are in use
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.22'
      - name: Alignment
        uses: tidelift/alignment-action@v2
        env:
          TIDELIFT_API_KEY: ${{ secrets.TIDELIFT_API_KEY }}
          TIDELIFT_ORGANIZATION: ${{ secrets.TIDELIFT_ORGANIZATION }}
          TIDELIFT_PROJECT: ${{ secrets.TIDELIFT_PROJECT }}
```

## Tidelift secrets

The examples above refer to a number of secrets. These secrets can be retrieved
from your Tidelift web UI in the API key section. More information on Tidelift
API keys can be found in
[the documentation](https://docs.tidelift.com/article/27-tracking-repositories-and-creating-api-keys).

## Other configuration

You can use environment variables to pass any of the other configuration options
to run the CLI as described in
[the documentation](https://support.tidelift.com/hc/en-us/articles/4406293629204-Tidelift-CLI-troubleshooting).

--------------------------------------------------------------------------------
/action.yml:
--------------------------------------------------------------------------------
name: "Tidelift Alignment"
description: "Ensures all software being used is a part of your Tidelift catalog"
author: "Jeremy Katz"
branding:
  icon: "alert-circle"
  color: "orange"

runs:
  using: "composite"
  steps:
    - name: "Download Tidelift CLI"
      run: |
        # Pick the CLI build for the runner OS. -f makes curl fail on an HTTP
        # error instead of saving the error page as the "binary".
        case "$(uname -s)" in
          Linux)
            curl -fsSL -o ./tidelift https://download.tidelift.com/cli/tidelift
            ;;
          Darwin)
            curl -fsSL -o ./tidelift https://download.tidelift.com/cli/tidelift_darwin
            ;;
          *)
            echo "Unable to detect OS. Please contact Tidelift support at support@tidelift.com"
            exit 1
            ;;
        esac
        chmod +x tidelift
      shell: bash
    - name: "Check CLI version"
      run: ./tidelift version
      shell: bash
    - name: "Upload alignment"
      # ${GITHUB_REF##*/} keeps only the last path component of the ref
      # (refs/heads/main -> main).
      run: ./tidelift alignment save --revision "${GITHUB_SHA}" --branch "${GITHUB_REF##*/}" --directory "${GITHUB_WORKSPACE}"
      shell: bash
    - name: "Wait for results"
      run: sleep 15
      shell: bash
    - name: "Check results"
      run: ./tidelift status --wait "${GITHUB_SHA}"
      shell: bash
--------------------------------------------------------------------------------
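An added example, not code from tidelift/alignment-action: the "Download Tidelift CLI" step rewritten as a standalone bash script that fails on HTTP errors and refuses to make the downloaded binary executable unless it matches a pinned SHA-256. The `fetch_cli`, `verify_sha256` and `tidelift_asset_for_os` helpers and the idea of a pinned digest are assumptions; the page publishes no checksum for the CLI.

```shell
#!/usr/bin/env bash
# Added example (not part of tidelift/alignment-action): a hardened variant of
# the CLI download step. The caller supplies the expected SHA-256, which is an
# assumed, operator-maintained value; Tidelift does not publish one here.
set -eu

TIDELIFT_CLI_BASE="https://download.tidelift.com/cli"

# Map `uname -s` output to the asset name the action downloads; unknown OS -> 1.
tidelift_asset_for_os() {
  case "$1" in
    Linux)  printf '%s\n' "tidelift" ;;
    Darwin) printf '%s\n' "tidelift_darwin" ;;
    *)      printf 'Unsupported OS: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Print the hex SHA-256 of a file, using whichever tool the runner provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED -> exit status 0 if the digest matches, 1 if not.
verify_sha256() {
  local actual
  actual="$(sha256_of "$1")"
  [ "$actual" = "$2" ]
}

# fetch_cli DEST EXPECTED_SHA256: download the asset for this OS and only
# chmod +x it after the digest check. -f makes curl fail on 4xx/5xx instead of
# saving an HTML error page as the binary; -L follows redirects.
fetch_cli() {
  local dest="$1" expected="$2" asset
  asset="$(tidelift_asset_for_os "$(uname -s)")"
  curl -fsSL -o "$dest" "${TIDELIFT_CLI_BASE}/${asset}"
  if ! verify_sha256 "$dest" "$expected"; then
    echo "Checksum mismatch for ${asset}; refusing to install it" >&2
    rm -f "$dest"
    return 1
  fi
  chmod +x "$dest"
}
```

In the composite action this replaces the `case` block, with the expected digest kept next to the workflow and updated whenever the CLI version is bumped.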