license-check fails with "GitLabApiException: 401 Unauthorized" when unvetted dependency is found #348

Closed
sebthom opened this issue Jun 10, 2024 · 5 comments

sebthom commented Jun 10, 2024

We configured a license-check job at https://github.com/eclipse/tm4e/blob/main/.github/workflows/licensecheck.yml

When a PR is opened that introduces a new dependency, the license-check currently fails with a confusing error: org.gitlab4j.api.GitLabApiException: 401 Unauthorized, see https://github.com/eclipse/tm4e/actions/runs/9453794511/job/26039895454

The reason apparently is that we do not provide a dash iplab token by default, which is required for the license plugin to automatically open a review request.

However, we do not want to add a dash token by default, because we do not want review requests to be opened by random PRs. Instead, we would like to see a human-comprehensible error message, such as the one you get if you provide a dash iplab token: Some dependencies must be vetted.


netomi commented Jun 10, 2024

To be clear you add in your job the option -Ddash.iplab.token="$DASH_IPLAB_TOKEN" when executing the dash tool while the variable DASH_IPLAB_TOKEN is an empty string. The dash tool could detect that, but as I suggested, you do not need to add this option in case no token is provided to the workflow and the error would go away.

@HannesWell
Contributor

Have you considered using the reusable workflow provided in this repository and, for example, used in eclipse-platform?
https://github.com/eclipse-platform/eclipse.platform.releng.aggregator/blob/master/.github/workflows/licensecheck.yml

This workflow provides exactly what you want: a committer explicitly has to request a review by adding a corresponding comment.
And reusing it should simplify your pipeline.
All that should be described in the readme of this project.

Author

sebthom commented Jun 11, 2024

> To be clear you add in your job the option -Ddash.iplab.token="$DASH_IPLAB_TOKEN" when executing the dash tool while the variable DASH_IPLAB_TOKEN is an empty string. The dash tool could detect that, but as I suggested, you do not need to add this option in case no token is provided to the workflow and the error would go away.

@netomi Thanks, I didn't understand this part fully before. I can confirm that completely omitting -Ddash.iplab.token from the command instead of providing an empty value like -Ddash.iplab.token= solves the issue.
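
The fix confirmed above, written out as a workflow-step wrapper. This is an added example, not part of the original thread or the project's code: a POSIX shell function that appends -Ddash.iplab.token only when DASH_IPLAB_TOKEN holds a non-empty value. The function names are hypothetical; the variable and option names are the ones quoted in the thread.

```shell
# Added example. Assumption: the job already has a working license-check
# command; this wrapper only decides whether the token option is appended.

# Print "-Ddash.iplab.token=<token>" when a usable token is present,
# and print nothing at all otherwise.
dash_token_opt() {
  # A secret that is not available to the run expands to "", and a stray
  # blank or newline is not a token either, so strip whitespace first.
  _tok=$(printf '%s' "${1-}" | tr -d '[:space:]')
  if [ -n "$_tok" ]; then
    printf '%s' "-Ddash.iplab.token=$_tok"
  fi
}

# Run the command given as arguments, adding the token option only when
# DASH_IPLAB_TOKEN is set to something non-empty.
run_license_check() {
  _opt=$(dash_token_opt "${DASH_IPLAB_TOKEN-}")
  if [ -n "$_opt" ]; then
    # Report the decision without echoing the secret itself.
    echo "license-check: token provided, passing -Ddash.iplab.token=***" >&2
    set -- "$@" "$_opt"
  else
    echo "license-check: no token, omitting -Ddash.iplab.token" >&2
  fi
  "$@"
}

# Usage in the workflow step:
#   run_license_check <the license-check command the job already runs>
```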

Author

sebthom commented Jun 11, 2024

> Have you considered using the reusable workflow provided in this repository and, for example, used in eclipse-platform? eclipse-platform/eclipse.platform.releng.aggregator@master/.github/workflows/licensecheck.yml
>
> This workflow provides exactly what you want: a committer explicitly has to request a review by adding a corresponding comment. And reusing it should simplify your pipeline. All that should be described in the readme of this project.

@HannesWell thanks for the suggestion. I will have a look into the reusable workflow.

sebthom closed this as completed Jun 11, 2024

netomi commented Jun 11, 2024

Actually, maybe that ticket is still relevant. I had thought that an issue in the IP Lab repo is only created when specifying -review and the token. In this case only the token was specified and no -review option (see the referenced workflow above), but the connection to the IP Lab was still being made and failed with an error.

Furthermore there is this jgit error, which should be fixed in the latest version of jgit:

Error: Exception in thread "Thread-2" java.lang.NoClassDefFoundError: org/eclipse/jgit/internal/JGitText
	at org.eclipse.jgit.internal.util.ShutdownHook.cleanup(ShutdownHook.java:85)
	at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: java.lang.ClassNotFoundException: org.eclipse.jgit.internal.JGitText

see eclipse-jgit/jgit#36
