setup-cli/.github/workflows/licensed.yml

# This workflow refreshes and checks dependency license records used in this
# action with the help of the Licensed tool. If any licenses are invalid or
# missing, this workflow will fail. See: https://github.com/licensee/licensed

name: Licensed

on:
  pull_request:
  push:
    branches:
      - main
    paths:
      - .github/workflows/licensed.yml
      - .licensed.yml
      - .licenses/**
      - bun.lock
      - package.json
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  check-licenses:
    if: ${{ github.event_name != 'workflow_dispatch' }}
    name: Licensed
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: read
      pull-requests: read

    steps:
      - name: Detect license inputs
        id: license-inputs
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          REPOSITORY: ${{ github.repository }}
        run: |
          if [[ "${{ github.event_name }}" != "pull_request" ]]; then
            echo "changed=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi

          gh api "repos/${REPOSITORY}/pulls/${PR_NUMBER}/files" --paginate --jq '.[].filename' > changed-files.txt
          if grep -Eq '^(\.github/workflows/licensed\.yml|\.licensed\.yml|\.licenses/.*|bun\.lock|package\.json)$' changed-files.txt; then
            echo "changed=true" >> "$GITHUB_OUTPUT"
          else
            echo "changed=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Checkout
        id: checkout
        if: steps.license-inputs.outputs.changed == 'true'
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Setup Bun
        id: setup-bun
        if: steps.license-inputs.outputs.changed == 'true'
        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
        with:
          bun-version-file: .bun-version

      - name: Install Dependencies
        id: bun-install
        if: steps.license-inputs.outputs.changed == 'true'
        run: bun install --frozen-lockfile

      - name: Setup Ruby
        id: setup-ruby
        if: steps.license-inputs.outputs.changed == 'true'
        uses: ruby/setup-ruby@7372622e62b60b3cb750dcd2b9e32c247ffec26a # v1.302.0
        with:
          ruby-version: ruby

      - uses: licensee/setup-licensed@0d52e575b3258417672be0dff2f115d7db8771d8 # v1.3.2
        if: steps.license-inputs.outputs.changed == 'true'
        with:
          version: 4.x
          github_token: ${{ secrets.GITHUB_TOKEN }}

      - name: Refresh License Cache
        id: refresh-license-cache
        if: steps.license-inputs.outputs.changed == 'true'
        run: licensed cache

      - name: Check Licenses
        id: check-licenses
        if: steps.license-inputs.outputs.changed == 'true'
        run: licensed status

  update-licenses:
    if: ${{ github.event_name == 'workflow_dispatch' }}
    name: Update Licenses
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: write

    steps:
      - name: Checkout
        id: checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Setup Bun
        id: setup-bun
        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
        with:
          bun-version-file: .bun-version

      - name: Install Dependencies
        id: bun-install
        run: bun install --frozen-lockfile

      - name: Setup Ruby
        id: setup-ruby
        uses: ruby/setup-ruby@7372622e62b60b3cb750dcd2b9e32c247ffec26a # v1.302.0
        with:
          ruby-version: ruby

      - uses: licensee/setup-licensed@0d52e575b3258417672be0dff2f115d7db8771d8 # v1.3.2
        with:
          version: 4.x
          github_token: ${{ secrets.GITHUB_TOKEN }}

      - name: Update License Cache
        id: update-licenses
        run: licensed cache

      - name: Format License Files
        id: format-licenses
        run: bun x oxfmt --write .licensed.yml .licenses

      - name: Commit Licenses
        id: commit-licenses
        run: |
          git config --local user.email "licensed-ci@users.noreply.github.com"
          git config --local user.name "licensed-ci"
          git add .licenses .licensed.yml
          if git diff --cached --quiet; then
            echo "No license cache changes to commit."
            exit 0
          fi
          git commit -m "Auto-update license files"
          git push