Add GitHub Action for Dash License Check #9

Merged (3 commits), Dec 13, 2023


Contributor

@wba2hi commented Dec 7, 2023

Closes: #8

Signed-off-by: Andre Weber <andre.weber3@etas.com>
.github/workflows/dash.yaml (review comment, outdated and resolved)
@erikbosch
Contributor

Some thoughts:

  • I like the idea, but we should define somewhere within the KUKSA universe (kuksa-common wiki? Or as part of the kuksa-actions README?) how we want to handle findings and what we shall do with the result.
  • Shall we for now just handle it as "nice to know"?
  • Or do we want builds to fail if there are problems like below? (Well, not now but in the long term)
  • Or at least require that there are no issues before doing a release?
  • Shall the result in any way be included/reflected in a release?

As I understand it, as an Eclipse committer you can request a review of licenses, like the ones below (see https://github.com/eclipse/dash-licenses). Do we want to do that?

Any input, @SebastianSchildt?


```
[main] INFO Querying Eclipse Foundation for license data for 14 items.
[main] INFO Found 4 items.
[main] INFO Querying ClearlyDefined for license data for 10 items.
[main] INFO Found 10 items.
[main] INFO License information could not be automatically verified for the following content:
[main] INFO 
[main] INFO pypi/pypi/-/grpcio-tools/1.56.2
[main] INFO pypi/pypi/-/grpcio/1.56.2
[main] INFO pypi/pypi/-/websockets/11.0.3
[main] INFO 
[main] INFO This content is either not correctly mapped by the system, or requires review.
```

@erikbosch
Contributor

I tried creating a request for a review, let's see what happens

```
erik@debian4:~/kuksa-python-sdk$ java -jar ~/Downloads/org.eclipse.dash.licenses-1.1.1-20231208.065047-4.jar dependencies.txt -review -token XXXXXXXXX -repo https://github.com/eclipse-kuksa/kuksa-python-sdk -project automotive.kuksa
[main] INFO Querying Eclipse Foundation for license data for 14 items.
[main] INFO Found 4 items.
[main] INFO Querying ClearlyDefined for license data for 10 items.
[main] INFO Found 10 items.
[main] INFO License information could not be automatically verified for the following content:
[main] INFO 
[main] INFO pypi/pypi/-/grpcio-tools/1.56.2
[main] INFO pypi/pypi/-/grpcio/1.56.2
[main] INFO pypi/pypi/-/websockets/11.0.3
[main] INFO 
[main] INFO This content is either not correctly mapped by the system, or requires review.
[main] INFO A review is required for pypi/pypi/-/grpcio-tools/1.56.2.
[main] INFO A review request was created https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/11848 .
[main] INFO A review is required for pypi/pypi/-/grpcio/1.56.2.
[main] INFO A review request was created https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/11849 .
[main] INFO A review is required for pypi/pypi/-/websockets/11.0.3.
[main] INFO A review request was created https://gitlab.eclipse.org/eclipsefdn/emo-team/iplab/-/issues/11850 .
```

@SebastianSchildt
Contributor

So currently I create the tickets manually from time to time and do not release/allow you to release before master/main is clear.

I think as a next step - at least I feel the kuksa databroker side is robust enough for this - we should put a dash token as an organisation secret and extend our dash action so that it can optionally create the tickets itself, basically automating what you did there.

For now I would not require everything being cleared in PRs. What I currently do: if I see just 1 or 2 new dependencies in a PR, I manually check if the license "seems ok". The problem with waiting for clearing is that often it is fast (like < 1 hour, and auto cleared by scan), but sometimes it can take 2,3 weeks.

So far in recent times we never had the situation that we needed to roll back a change.
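
The handling discussed in the comments above (findings are informational on PRs, but nothing is released until main is clear), applied to the Dash output format shown in this thread. This is an added example, not part of the PR or of the KUKSA project's code; the function names, the `stage` values and the review URL in the sample are assumptions.

```python
import re

# Constructed sample in the log format shown in this thread; the URL is a placeholder.
SAMPLE_LOG = """\
[main] INFO Querying ClearlyDefined for license data for 10 items.
[main] INFO License information could not be automatically verified for the following content:
[main] INFO 
[main] INFO pypi/pypi/-/grpcio-tools/1.56.2
[main] INFO pypi/pypi/-/grpcio/1.56.2
[main] INFO pypi/pypi/-/websockets/11.0.3
[main] INFO 
[main] INFO This content is either not correctly mapped by the system, or requires review.
[main] INFO A review is required for pypi/pypi/-/grpcio/1.56.2.
[main] INFO A review request was created https://gitlab.example.invalid/iplab/-/issues/1 .
"""

PREFIX = re.compile(r"^\[main\] INFO ?")
COORD = re.compile(r"^[\w.-]+/[\w.-]+/[^/\s]+/[^/\s]+/[^/\s]+$")  # type/provider/namespace/name/revision
REVIEW_FOR = re.compile(r"^A review is required for (\S+)\.$")
CREATED = re.compile(r"^A review request was created (\S+)")

def parse_dash_log(text):
    """Return {coordinate: review_url_or_None} for content Dash could not verify."""
    pending, in_list, current = {}, False, None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if line.startswith("License information could not be automatically verified"):
            in_list = True
        elif line.startswith("This content is either"):
            in_list = False
        elif in_list and COORD.match(line):
            pending[line] = None
        elif m := REVIEW_FOR.match(line):
            current = m.group(1)
            pending.setdefault(current, None)
        elif (m := CREATED.match(line)) and current:
            pending[current], current = m.group(1), None
    return pending

def gate(pending, stage):
    """Exit code: PRs only report findings, a release fails while any remain."""
    if stage not in ("pr", "release"):
        raise ValueError(f"unknown stage: {stage}")
    return 1 if pending and stage == "release" else 0

if __name__ == "__main__":
    found = parse_dash_log(SAMPLE_LOG)
    print(found)
    raise SystemExit(gate(found, "release"))
```
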

@SebastianSchildt merged commit a1c5ecc into eclipse-kuksa:main Dec 13, 2023
4 checks passed
@SebastianSchildt deleted the feature-8 branch June 10, 2024 12:53

Successfully merging this pull request may close these issues.

Add Eclipse/Dash Licensing