chore: update license workflow and switch to nodejs wrapper (eclipse-theia#16456)

Resolves eclipse-theiaGH-13426
Resolves eclipse-theiaGH-16315

- add @eclipse-dash/nodejs-wrapper to dev dependencies
- switch to dash-licenses - nodejs-wrapper
- update workflow to run license check only for actual dependency updates (package-lock.json updates), manual trigger and daily cron job
- add documentation for running license check in review mode for newly added dependencies
- remove unused dependency-check-baseline file and update gitignore

Author: ndoschek

.github/workflows/license-check.yml

@@ -4,15 +4,18 @@ on:
   push:
     branches:
       - master
+    paths:
+      - 'package-lock.json'
   workflow_dispatch:
   pull_request:
     branches:
       - master
+    paths:
+      - 'package-lock.json'
   schedule:
     - cron: '0 4 * * *' # Runs every day at 4am: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#scheduled-events-schedule
 
 jobs:
-
   License-check:
     name: 3PP License Check
 
@@ -44,8 +47,8 @@ jobs:
           distribution: 'adopt'
           java-version: ${{ matrix.java }}
 
-      - name: Run dash-licenses
-        if: matrix.tests != 'skip'
+      - name: Run dash-licenses check
         shell: bash
         run: |
+          npm ci
           npm run license:check

.gitignore

@@ -28,12 +28,11 @@ gh-pages
 dev-packages/electron/compile_commands.json
 *.tsbuildinfo
 .eslintcache
-scripts/download
-dependency-check-summary.txt*
 *-trace.json
 .tours
 /performance-result.json
 *.vsix
 /scripts/native-dependencies-*
 allure-results
 .claude
+license-check-summary.txt*

configs/license-check-config.json

@@ -0,0 +1,7 @@
+{
+    "project": "ecd.theia",
+    "inputFile": "package-lock.json",
+    "batch": 50,
+    "timeout": 240,
+    "summary": "license-check-summary.txt"
+}

dependency-check-baseline.json

@@ -53,6 +53,9 @@ If a rule causes distress during discussions itself, it has to be reviewed on [t
 - [3.](#checklist-breaking-changes) Breaking changes are justified and recorded in the [changelog](https://github.com/eclipse-theia/theia/blob/master/CHANGELOG.md).
 <a name="checklist-dependencies"></a>
 - [4.](#checklist-dependencies) New dependencies are justified and [verified](https://github.com/eclipse-theia/theia/wiki/Registering-CQs#wip---new-ecd-theia-intellectual-property-clearance-approach-experimental).
+  - For newly added dependencies, we run the [license check workflow](../.github/workflows/license-check.yml), but not in review mode.
+    - If the license check reveals that a review is needed for the new dependency (i.e., `ERROR: Found results that aren't part of the baseline! X some-dependency, some-license`), we need to run the license check in review mode (`npm run license:check:review`).
+    - Since we have no PAT secret defined for the repo at the moment, the license check in review mode needs to be done locally, either by the contributor (if they are a Theia committer) or by the reviewer.
 <a name="checklist-copied-code"></a>
 - [5.](#checklist-copied-code) Copied code is justified and [approved via a CQ](https://github.com/eclipse-theia/theia/wiki/Registering-CQs#case-3rd-party-project-code-copiedforked-from-another-project-into-eclipse-theia-maintained-by-us).
   - Look closely at the GitHub actions running for your PR: the 3pp/dash license check should be green.

doc/pull-requests.md

@@ -10,8 +10,8 @@
     "@types/express": "^4.17.21"
   },
   "devDependencies": {
+    "@eclipse-dash/nodejs-wrapper": "^0.0.1",
     "@types/chai": "4.3.0",
-    "minimatch": "^10.0.3",
     "@types/chai-spies": "1.0.3",
     "@types/chai-string": "^1.4.0",
     "@types/jsdom": "^21.1.7",
@@ -41,6 +41,7 @@
     "ignore-styles": "^5.0.1",
     "jsdom": "^22.1.0",
     "lerna": "^7.1.1",
+    "minimatch": "^10.0.3",
     "mkdirp": "^0.5.0",
     "nan": "2.23.0",
     "node-abi": "^4.12.0",
@@ -72,8 +73,8 @@
     "docs:packages": "node scripts/generate-typedoc-per-package.js",
     "docs:merge": "node scripts/merge-package-typedocs.js",
     "download:plugins": "theia download:plugins",
-    "license:check": "node scripts/check_3pp_licenses.js",
-    "license:check:review": "node scripts/check_3pp_licenses.js --review",
+    "license:check": "npx dash-licenses-wrapper  --configFile=./configs/license-check-config.json",
+    "license:check:review": "npx dash-licenses-wrapper  --configFile=./configs/license-check-config.json --review",
     "lint": "lerna run lint",
     "lint:clean": "rimraf .eslintcache",
     "lint:fix": "lerna run lint -- --fix",