Ensure lint workflow checks whether 3rd party license and code is up to date #11047
Conversation
This commit introduces the use of `go-licenses` within CI/CD and manual processes for generating / updating the license information used by GitHub CLI including the code required by license to be redistributed. During GitHub CLI pull requests, the `lint` workflow will notify users if this information is not updated.
There was a problem hiding this comment.
Pull Request Overview
This PR adds automated checks and tooling to ensure third-party license information is kept up to date, including source files for licenses that require redistribution.
- Introduce
script/licensesto generate license reports and copy necessary license files - Add
script/licenses-checkand update.github/workflows/lint.ymlto fail CI if license docs aren’t current - Add documentation (
docs/license-compliance.md) and a Go-licenses template for consistent output
Reviewed Changes
Copilot reviewed 1028 out of 1028 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/lint.yml | Include license compliance paths and add a “Check licenses” step |
| script/licenses | New script to generate third-party license files |
| script/licenses-check | New script to verify license documentation is up to date |
| docs/license-compliance.md | Documentation for maintaining and checking license compliance |
| .github/licenses.tmpl | Go-licenses template for generating markdown listings |
Comments suppressed due to low confidence (2)
script/licenses-check:1
- Ensure this script file has execute permissions (e.g.,
chmod +x script/licenses-check) so that CI and local invocations can run it directly.
#!/bin/bash
script/licenses:1
- Ensure this script file has execute permissions (e.g.,
chmod +x script/licenses) so it can be executed in CI and by contributors.
#!/bin/bash
third-party/github.com/letsencrypt/boulder/metrics/measured_http/http.go
Dismissed
Show dismissed
Hide dismissed
third-party/github.com/letsencrypt/boulder/observer/probers/tls/tls.go
Dismissed
Show dismissed
Hide dismissed
third-party/github.com/letsencrypt/boulder/ocsp/responder/responder.go
Dismissed
Show dismissed
Hide dismissed
With these changes, `cli/cli` will be redistributing code as-is due to license compliance, which we will not change or address issues around. Without these changes, our pull requests are getting a bunch of false positive annotations we cannot and will not fix directly.
This comment was marked as spam.
This comment was marked as spam.
| @@ -0,0 +1,25 @@ | |||
| #!/bin/bash | |||
|
|
|||
| go install github.com/google/go-licenses@latest | |||
There was a problem hiding this comment.
Question: Are we comfortable with always using the latest here, or should we pin to a sha for stability/security etc?
I know that pinning comes with the "when does this get updated then?" question, and I don't know the answer to that either :P
There was a problem hiding this comment.
I guess this is especially in my mind with this script being used in actions... 🤔
There was a problem hiding this comment.
@BagToad : what do you think about conditionalizing this to skip installing this if CI, leaving that to the workflow?
otherwise, everything running the script has to manage its installation. conditionalizing it will make it easy for contributors and maintainers.
| # Clear third-party source code to avoid stale content | ||
| rm -rf third-party | ||
| mkdir -p third-party | ||
|
|
There was a problem hiding this comment.
Question: Should we check successes (exit codes) here? Are we okay with this maybe failing but then continuing?
There was a problem hiding this comment.
I'm not worried about these commands failing, but if there is a concern then we might want to set -e so any errors cause the whole script to fail.
|
|
||
| # Setup temporary directory to collect updated third-party source code | ||
| export TEMPDIR="$(mktemp -d)" | ||
| trap "rm -fr ${TEMPDIR}" EXIT |
| echo "Generating licenses for ${goos}..." | ||
| GOOS="${goos}" go-licenses save ./... --save_path="${TEMPDIR}/${goos}" --force || echo "Ignore warnings" | ||
| GOOS="${goos}" go-licenses report ./... --template .github/licenses.tmpl --ignore github.com/cli/cli > third-party-licenses.${goos}.md || echo "Ignore warnings" | ||
| cp -fR "${TEMPDIR}/${goos}"/* third-party/ |
There was a problem hiding this comment.
Question: Similar question here - should we check exit codes here or keep going even if something failed?
fixes #9422
fixes github/cli#111
This pull request addresses GitHub CLI obligation to comply with the licenses of our 3rd party dependencies.
These changes update the
lintworkflow to verify license information is up to date including source code certain licenses require redistributing source code around.Additionally, this pull request introduces
scripts/licenseandscripts/license-checkto help maintainers and contributors regenerate this information easily.