From 6a751d683f5daa44965eab86a9fa8441ba9c1795 Mon Sep 17 00:00:00 2001
From: Keshav Priyadarshi
Date: Wed, 25 Feb 2026 15:06:05 +0530
Subject: [PATCH 1/3] Support ScanCode.io optional dependencies

Also use pip direct URL syntax while installing from branch, see https://packaging.python.org/en/latest/specifications/version-specifiers/#direct-references

Resolves: https://github.com/aboutcode-org/scancode-action/issues/32

Signed-off-by: Keshav Priyadarshi
---
 action.yml | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/action.yml b/action.yml
index d747c69..f321250 100644
--- a/action.yml
+++ b/action.yml
@@ -44,6 +44,10 @@ inputs:
     description: "Branch to install ScanCode.io from the GitHub repository (optional)"
     required: false
     default: ""
+  scancodeio-extras:
+    description: "ScanCode.io optional dependencies (comma-separated) (optional)."
+    required: false
+    default: ""
 
 runs:
   using: "composite"
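Review bot: The new `scancodeio-extras` description is inconsistent with its sibling in the same hunk: `(optional)` appears twice and the text ends with a period where the `scancodeio-repo-branch` description does not. It also leaves the accepted format unstated, which matters because the value is spliced into a pip requirement. Consider `description: "Comma-separated list of ScanCode.io pip extras to install, e.g. android_analysis,mining (optional)"`. The enclosing `inputs:` mapping starts before the hunk.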
@@ -84,16 +88,27 @@ runs:
           sudo -u postgres psql -c "ALTER USER ${{ env.SCANCODEIO_DB_USER }} WITH ENCRYPTED PASSWORD '${{ env.SCANCODEIO_DB_PASSWORD }}'"
           sudo -u postgres createdb --owner=scancodeio --encoding=UTF-8 ${{ env.SCANCODEIO_DB_NAME }}
 
+    - name: Generate scancodeio pip install argument
+      if: env.SCANCODEIO_IS_INSTALLED != 'true'
+      shell: bash
+      run: |
+        SCANCODEIO_PIP_PACKAGE_ARG="scancodeio"
+        TRIMMED_EXTRAS="$(echo "${{ inputs.scancodeio-extras }}" | tr -d '[:space:]')"
+        if [ -n "$TRIMMED_EXTRAS" ]; then
+          SCANCODEIO_PIP_PACKAGE_ARG+="[$TRIMMED_EXTRAS]"
+        fi
+        echo "SCANCODEIO_PIP_PACKAGE_ARG=${SCANCODEIO_PIP_PACKAGE_ARG}" >> $GITHUB_ENV
+
     - name: Install ScanCode.io (only if not already installed)
       if: env.SCANCODEIO_IS_INSTALLED != 'true'
       shell: bash
       run: |
         if [ -z "${{ inputs.scancodeio-repo-branch }}" ]; then
-          echo "Installing the latest ScanCode.io release from PyPI"
-          pip install --upgrade scancodeio
+          echo "Installing the latest ${{ env.SCANCODEIO_PIP_PACKAGE_ARG }} release from PyPI"
+          pip install --upgrade "${{ env.SCANCODEIO_PIP_PACKAGE_ARG }}"
         else
-          echo "Installing ScanCode.io from the GitHub branch: ${{ inputs.scancodeio-repo-branch }}"
-          pip install git+https://github.com/aboutcode-org/scancode.io.git@${{ inputs.scancodeio-repo-branch }}
+          echo "Installing ${{ env.SCANCODEIO_PIP_PACKAGE_ARG }} from the GitHub branch: ${{ inputs.scancodeio-repo-branch }}"
+          pip install "${{ env.SCANCODEIO_PIP_PACKAGE_ARG }} @ git+https://github.com/aboutcode-org/scancode.io.git@${{ inputs.scancodeio-repo-branch }}"
         fi
 
     - name: Run migrations to prepare the database

From 0336e3da18c877d201b1c7b65e8b0fcdec1e9cd5 Mon Sep 17 00:00:00 2001
From: Keshav Priyadarshi
Date: Wed, 25 Feb 2026 15:07:23 +0530
Subject: [PATCH 2/3] Add optional dependencies example in README

Signed-off-by: Keshav Priyadarshi
---
 README.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/README.md b/README.md
index 664f3a2..d6829d0 100644
--- a/README.md
+++ b/README.md
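Review bot: The new "Generate scancodeio pip install argument" step substitutes `${{ inputs.scancodeio-extras }}` into the bash script text before the shell parses it, so the input is handled as script rather than as data; any quote or command separator in the value changes what the step runs. The install step repeats the pattern with `${{ env.SCANCODEIO_PIP_PACKAGE_ARG }}`, which is derived from that same input, although `$GITHUB_ENV` values are already available to later steps as ordinary environment variables (`pip install --upgrade "$SCANCODEIO_PIP_PACKAGE_ARG"`). Expose the input through an `env:` mapping, read it as a shell variable, and reject anything that is not a comma-separated list of extras names before it reaches pip; `$GITHUB_ENV` should also be quoted on the redirect. Only the whitespace stripping exists today, and pip's own error would be the first signal of a malformed value.
```yaml
    - name: Generate scancodeio pip install argument
      # … unchanged: if / shell keys …
      env:
        SCANCODEIO_EXTRAS: ${{ inputs.scancodeio-extras }}
      run: |
        SCANCODEIO_PIP_PACKAGE_ARG="scancodeio"
        TRIMMED_EXTRAS="$(printf '%s' "$SCANCODEIO_EXTRAS" | tr -d '[:space:]')"
        # Extras names are identifiers (letters, digits, '_', '-', '.') joined by commas.
        case "$TRIMMED_EXTRAS" in
          *[!A-Za-z0-9_.,-]*)
            echo "scancodeio-extras must be a comma-separated list of extras names" >&2
            exit 1
            ;;
        esac
        if [ -n "$TRIMMED_EXTRAS" ]; then
          SCANCODEIO_PIP_PACKAGE_ARG+="[$TRIMMED_EXTRAS]"
        fi
        echo "SCANCODEIO_PIP_PACKAGE_ARG=${SCANCODEIO_PIP_PACKAGE_ARG}" >> "$GITHUB_ENV"
```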
@@ -25,6 +25,7 @@ from your **GitHub Workflows**.
 - [Check for compliance issues](#check-for-compliance-issues)
 - [Define a custom project name](#define-a-custom-project-name)
 - [Install ScanCode.io from a repository branch](#install-scancodeio-from-a-repository-branch)
+- [Install ScanCode.io with optional dependencies](#install-scancodeio-with-optional-dependencies)
 - [Run source to binary mapping](#run-source-to-binary-mapping)
 - [Where does the scan results go?](#where-are-the-scan-results)
 
@@ -227,6 +228,14 @@ Activate this behavior by enabling `check-compliance` and setting
     scancodeio-repo-branch: "main"
 ```
 
+### Install ScanCode.io with optional dependencies
+
+```yaml
+- uses: aboutcode-org/scancode-action@beta
+  with:
+    scancodeio-extras: "android_analysis,mining"
+```
+
 ### Run source to binary mapping
 
 Use this [workflow template](.github/workflows/map-deploy-to-develop-template.yml) for validating the integrity of open-source binary. It compares a project’s binary to its source code. Workflow will generate mapping between compiled binary and its original source code, which helps in spotting any malicious, unexpected, or otherwise undesirable code that may have made its way into the final binary.

From 1b35f88283de152e19afec8948b1f0b05eff8c7e Mon Sep 17 00:00:00 2001
From: Keshav Priyadarshi
Date: Thu, 26 Feb 2026 22:16:19 +0530
Subject: [PATCH 3/3] Add workflow to run optional android d2d

Signed-off-by: Keshav Priyadarshi
---
 .../run-android-deploy-to-develop.yml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 .github/workflows/run-android-deploy-to-develop.yml

diff --git a/.github/workflows/run-android-deploy-to-develop.yml b/.github/workflows/run-android-deploy-to-develop.yml
new file mode 100644
index 0000000..8e8ce50
--- /dev/null
+++ b/.github/workflows/run-android-deploy-to-develop.yml
@@ -0,0 +1,21 @@
+on: [push]
+
+jobs:
+  scan-codebase:
+    runs-on: ubuntu-24.04
+    name: Run Android D2D
+    steps:
+      - name: Get the action.yml from the current branch
+        uses: actions/checkout@v4
+        with:
+          sparse-checkout: action.yml
+          sparse-checkout-cone-mode: false
+
+      - uses: ./
+        with:
+          scancodeio-repo-branch: "bump-android"
+          scancodeio-extras: "android_analysis"
+          pipelines: "android_d2d"
+          input-urls:
+            https://github.com/aboutcode-org/scancode.io/raw/main/scanpipe/tests/data/d2d/jars/from-flume-ng-node-1.9.0.zip#from
+            https://github.com/aboutcode-org/scancode.io/raw/main/scanpipe/tests/data/d2d/jars/to-flume-ng-node-1.9.0.zip#to
\ No newline at end of file
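Review bot: The new workflow declares no `permissions:` block, so the job's GITHUB_TOKEN receives the repository's default permissions even though the visible steps only need to read the checkout; add `permissions:` followed by `  contents: read` at the top level next to `on:`. `uses: actions/checkout@v4` references a mutable tag, and pinning third-party actions to a full commit SHA is the usual hardening for a workflow that runs on every push. `input-urls:` is a multi-line plain scalar, which YAML folds into a single space-separated string; if that is what the action expects, a `>-` block scalar would make the intent explicit, otherwise a block sequence is needed. `scancodeio-repo-branch: "bump-android"` hard-codes a feature branch, so this workflow will break once that branch is merged or deleted. The file also ends without a trailing newline.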