Improvement: Integrate Eclipse Dash License Tool for license type checking #126

Open
4 of 8 tasks
nradakovic opened this issue Dec 17, 2024 · 4 comments
Labels
enhancement New feature or request infrastructure General Score infrastructure topics

Comments

@nradakovic
Contributor

nradakovic commented Dec 17, 2024

Background

Ensuring compliance with licensing requirements for tools and binaries used in the repository is critical to maintaining legal and operational integrity. To address this, we propose introducing the Eclipse Dash License Tool, which will check the license types of tools and binaries. The tool will be integrated with Bazel for ease of use and added to our CI workflows for automated compliance checks.

Objectives

  1. Integrate the dash tool into the Bazel build system.
  2. Automate license compliance checks as part of the CI pipeline.
  3. Provide visibility into the licenses of all dependencies.
  4. Fail builds if non-compliant or unknown licenses are detected.

Acceptance Criteria

  • The dash tool is successfully integrated into Bazel and can scan all dependencies pulled by the build system.
    • Python;
    • Rust;
    • Go;
    • Bazel;
  • A GitHub Actions workflow is set up to run dash on every push and pull request.
  • Non-compliant or unknown licenses cause the CI workflow to fail.
  • Documentation is updated with instructions for running dash manually and interpreting its results.

Proposed Steps

  • Add dash to the Bazel workspace:
    • Include the dash tool as a dependency in the Bazel setup.
    • Configure a Bazel rule to invoke dash and perform license checks.
  • Set up CI workflow:
    • Implement a GitHub Actions workflow that runs the dash tool during CI.
    • Configure the workflow to fail for non-compliant licenses or errors.
  • Update documentation:
    • Provide instructions for running dash manually via Bazel.
    • Add details on interpreting the results and resolving license issues.

Resources

Impact

By integrating the dash tool into Bazel and the CI pipeline:

  • We ensure automated and consistent license compliance checks across the project.
  • Risks associated with introducing non-compliant licenses are minimized.
  • Developers gain visibility into the licensing of dependencies, supporting informed decision-making.
  • The overall quality, maintainability, and legal compliance of the repository are improved.

NOTE: This ticket belongs to #36

@ltekieli ltekieli added the infrastructure General Score infrastructure topics label Dec 18, 2024
@ltekieli
Member

Possible overlap #82

nradakovic added a commit to nradakovic/score that referenced this issue Jan 13, 2025
This commit adds support for the DASH tool within the S-CORE Bazel build system.
The integration includes:

- Defining custom Bazel rules to handle the DASH tool's setup and execution.
- Adding necessary dependencies in BUILD files to ensure compatibility with
  existing project requirements.
- Validating the integration with the current CI pipeline to maintain a seamless build
  and deployment process.
- Updating documentation (if applicable) to reflect the addition of DASH
  in the Bazel workflow.

This enhancement simplifies the workflow by consolidating tools into the Bazel build system,
improving build automation and traceability.

Issue-ref: see eclipse-score#126
@nradakovic
Contributor Author

To support other languages (like Bazel/Starlark or Rust), we need to get access rights to the ClearlyDefined service. ClearlyDefined and parent organization, the Open Source Initiative, are on a mission to help Open Source projects thrive by being, well, clearly defined. Lack of clarity around licenses and security vulnerabilities reduces engagement -- that means fewer users, fewer contributors and a smaller community.
The ticket needs to be refined.

@AlexanderLanin
Member

@nradakovic you wanna split this to sub-issues? Doesn't make sense for me to split it, as I would probably create an unreasonable split.
P.S. Feel free to make them small! We have a lot of new people working here and it would help to have small simple issues :)

Ref: https://github.com/orgs/eclipse-score/discussions/236#discussioncomment-11981703

split OSS (#82, #126) to sub-issues, e.g.:

  • setup dash for python on PR (non blocking) -> dash: Integrate DASH tool in Bazel build #155
    • rename "license check" to something like "license dry run"
  • automation: print problems as comment to pull request, see also bug: pr-preview comment #211
  • create private key for automatic clearance
  • extend automation with automatic clearance
  • add rust dependencies to dash (via bazel)
  • add C++ dependencies to dash (via bazel)
  • bazel modules
  • change automation (daily / blocking / etc)

@AlexanderLanin
Member

AlexanderLanin commented Jan 29, 2025

Update on the token:

A GitLab bot user for the eclipse-score project (username: score-bot) and an API token have been created.
The API token has been added to the eclipse-score organization as an organization secret (ID: ECLIPSE_GITLAB_API_TOKEN).

Reference: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/5590
Reference: eclipse-score/.eclipsefdn@d4adfcd

Projects
Status: In Progress