Ensure lint workflow checks whether 3rd party license and code is up to date #11047
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit introduces the use of `go-licenses` within CI/CD and manual processes for generating / updating the license information used by GitHub CLI including the code required by license to be redistributed. During GitHub CLI pull requests, the `lint` workflow will notify users if this information is not updated.
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR adds automated checks and tooling to ensure third-party license information is kept up to date, including source files for licenses that require redistribution.
- Introduce
script/licensesto generate license reports and copy necessary license files - Add
script/licenses-checkand update.github/workflows/lint.ymlto fail CI if license docs aren’t current - Add documentation (
docs/license-compliance.md) and a Go-licenses template for consistent output
Reviewed Changes
Copilot reviewed 1028 out of 1028 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/lint.yml | Include license compliance paths and add a “Check licenses” step |
| script/licenses | New script to generate third-party license files |
| script/licenses-check | New script to verify license documentation is up to date |
| docs/license-compliance.md | Documentation for maintaining and checking license compliance |
| .github/licenses.tmpl | Go-licenses template for generating markdown listings |
Comments suppressed due to low confidence (2)
script/licenses-check:1
- Ensure this script file has execute permissions (e.g.,
chmod +x script/licenses-check) so that CI and local invocations can run it directly.
#!/bin/bash
script/licenses:1
- Ensure this script file has execute permissions (e.g.,
chmod +x script/licenses) so it can be executed in CI and by contributors.
#!/bin/bash
third-party/github.com/letsencrypt/boulder/metrics/measured_http/http.go
Dismissed
Show dismissed
Hide dismissed
third-party/github.com/letsencrypt/boulder/observer/probers/tls/tls.go
Dismissed
Show dismissed
Hide dismissed
third-party/github.com/letsencrypt/boulder/ocsp/responder/responder.go
Dismissed
Show dismissed
Hide dismissed
BagToad
reviewed
May 30, 2025
BagToad
reviewed
May 30, 2025
With these changes, `cli/cli` will be redistributing code as-is due to license compliance, which we will not change or address issues around. Without these changes, our pull requests are getting a bunch of false positive annotations we cannot and will not fix directly.
This was referenced Jun 16, 2025
This comment was marked as spam.
This comment was marked as spam.
BagToad
approved these changes
Jun 23, 2025
Member
BagToad
left a comment
There was a problem hiding this comment.
LGTM! I don't think anything is blocking enough to avoid merge this 👏
I would like to understand the versioning strategy a bit more, but I don't think that blocks this PR - more details in my comment on script/licenses :)
| @@ -0,0 +1,25 @@ | |||
| #!/bin/bash | |||
|
|
|||
| go install github.com/google/go-licenses@latest | |||
Member
There was a problem hiding this comment.
Question: Are we comfortable with always using the latest here, or should we pin to a sha for stability/security etc?
I know that pinning comes with the "when does this get updated then?" question, and I don't know the answer to that either :P
Member
There was a problem hiding this comment.
I guess this is especially in my mind with this script being used in actions... 🤔
Member
Author
There was a problem hiding this comment.
@BagToad : what do you think about conditionalizing this to skip installing this if CI, leaving that to the workflow?
otherwise, everything running the script has to manage its installation. conditionalizing it will make it easy for contributors and maintainers.
Comment on lines
+9
to
+12
| # Clear third-party source code to avoid stale content | ||
| rm -rf third-party | ||
| mkdir -p third-party | ||
|
|
Member
There was a problem hiding this comment.
Question: Should we check successes (exit codes) here? Are we okay with this maybe failing but then continuing?
Member
Author
There was a problem hiding this comment.
I'm not worried about these commands failing, but if there is a concern then we might want to set -e so any errors cause the whole script to fail.
|
|
||
| # Setup temporary directory to collect updated third-party source code | ||
| export TEMPDIR="$(mktemp -d)" | ||
| trap "rm -fr ${TEMPDIR}" EXIT |
| echo "Generating licenses for ${goos}..." | ||
| GOOS="${goos}" go-licenses save ./... --save_path="${TEMPDIR}/${goos}" --force || echo "Ignore warnings" | ||
| GOOS="${goos}" go-licenses report ./... --template .github/licenses.tmpl --ignore github.com/cli/cli > third-party-licenses.${goos}.md || echo "Ignore warnings" | ||
| cp -fR "${TEMPDIR}/${goos}"/* third-party/ |
Member
There was a problem hiding this comment.
Question: Similar question here - should we check exit codes here or keep going even if something failed?
This was referenced Jul 10, 2025
andyfeller
added a commit
that referenced
this pull request
Jul 23, 2025
Fixes #11270 This commit refactors the work done in #11047 of blocking pull requests for manual `third-party` license updates to having GitHub Actions automatically update it on pushes to `trunk`. This will allow maintainers to streamline Dependabot PR reviews while reducing contributor friction when changing dependencies.
tmeijn
pushed a commit
to tmeijn/dotfiles
that referenced
this pull request
Jul 27, 2025
This MR contains the following updates: | Package | Update | Change | |---|---|---| | [cli/cli](https://github.com/cli/cli) | minor | `v2.74.2` -> `v2.76.1` | MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.** --- ### Release Notes <details> <summary>cli/cli (cli/cli)</summary> ### [`v2.76.1`](https://github.com/cli/cli/releases/tag/v2.76.1): GitHub CLI 2.76.1 [Compare Source](cli/cli@v2.76.0...v2.76.1) #### `gh pr create` regression fix This release fixes a regression introduced in `v2.76.0` where organization teams were retrieved outside of intentional use cases. This caused problems for GitHub Enterprise Server users using the GitHub Actions automatic token that does not have access to organization teams. For more information, see cli/cli#11360 #### What's Changed ##### 🐛 Fixes - Fix: `gh pr create`, only fetch teams when reviewers contain a team by [@​BagToad](https://github.com/BagToad) in cli/cli#11361 ##### 📚 Docs & Chores - add tenancy aware for san matcher by [@​ejahnGithub](https://github.com/ejahnGithub) in cli/cli#11261 - Run Lint and Tests on `push` to `trunk` branch by [@​andyfeller](https://github.com/andyfeller) in cli/cli#11325 - update ownership of pkg/cmd/release/shared/ by [@​ejahnGithub](https://github.com/ejahnGithub) in cli/cli#11326 - Automate spam issue detection by [@​babakks](https://github.com/babakks) in cli/cli#11316 - Improve `api` `--preview` docs by [@​jsoref](https://github.com/jsoref) in cli/cli#11274 - Incorporate govulncheck into workflows by [@​andyfeller](https://github.com/andyfeller) in cli/cli#11332 - chore(deps): bump advanced-security/filter-sarif from 1.0.0 to 1.0.1 by [@​dependabot](https://github.com/dependabot)\[bot] in cli/cli#11298 - chore(deps): bump github.com/sigstore/sigstore-go from 1.0.0 to 1.1.0 by [@​dependabot](https://github.com/dependabot)\[bot] in cli/cli#11307 **Full Changelog**: cli/cli@v2.76.0...v2.76.1 ### [`v2.76.0`](https://github.com/cli/cli/releases/tag/v2.76.0): GitHub CLI 2.76.0 [Compare Source](cli/cli@v2.75.1...v2.76.0) ####Copilot Coding Agent Support GitHub Copilot Pro+ and Copilot Enterprise subscribers can now assign issues to GitHub Copilot during issue creation using: - Command-line flag: `gh issue create --assignee @​copilot` - Launching web browser: `gh issue create --assignee @​copilot --web` - Or interactively selecting `Copilot (AI)` as assignee in `gh issue create` metadata For more details, refer to [the full changelog post for Copilot coding agent](https://github.blog/changelog/2025-05-19-github-copilot-coding-agent-in-public-preview/). #### What's Changed ##### ✨ Features - Assign Copilot during `gh issue create` by [@​andyfeller](https://github.com/andyfeller) in cli/cli#11279 - Display immutable field in `release view` command by [@​bdehamer](https://github.com/bdehamer) in cli/cli#11251 ##### 🐛 Fixes - FIX: Do not fetch logs for skipped jobs by [@​babakks](https://github.com/babakks) in cli/cli#11312 - Transform `extension` and `filename` qualifiers into `path` qualifier for web code search by [@​samcoe](https://github.com/samcoe) in cli/cli#11211 ##### 📚 Docs & Chores - FIX: Workflow does not contain permissions by [@​BagToad](https://github.com/BagToad) in cli/cli#11322 - Add automated feature request response workflow by [@​BagToad](https://github.com/BagToad) in cli/cli#11299 **Full Changelog**: cli/cli@v2.75.1...v2.76.0 ### [`v2.75.1`](https://github.com/cli/cli/releases/tag/v2.75.1): GitHub CLI 2.75.1 [Compare Source](cli/cli@v2.75.0...v2.75.1) #### What's Changed ##### 🐛 Fixes - Ensure hostnames are visible in CLI website by [@​andyfeller](https://github.com/andyfeller) in cli/cli#11295 - Revert "Fix: `gh pr create` prioritize `--title` and `--body` over `--fill` when `--web` is present" by [@​andyfeller](https://github.com/andyfeller) in cli/cli#11300 ##### 📚 Docs & Chores - Ensure go directive is always .0 version in bump by [@​williammartin](https://github.com/williammartin) in cli/cli#11259 - Minor (1-word) documentation typo in generated `~/.config/gh/config.yml` by [@​kurahaupo](https://github.com/kurahaupo) in cli/cli#11246 - Automate closing of stale issues by [@​babakks](https://github.com/babakks) in cli/cli#11268 - Filter the `third-party/` folder out of CodeQL results by [@​BagToad](https://github.com/BagToad) in cli/cli#11278 - Exclude `third-party` source from golangci-lint by [@​andyfeller](https://github.com/andyfeller) in cli/cli#11293 #####
Dependencies - Bump Go to 1.24.5 by [@​github-actions](https://github.com/github-actions)\[bot] in cli/cli#11255 - chore(deps): bump github.com/sigstore/protobuf-specs from 0.4.3 to 0.5.0 by [@​dependabot](https://github.com/dependabot)\[bot] in cli/cli#11263 - chore(deps): bump golang.org/x/term from 0.32.0 to 0.33.0 by [@​dependabot](https://github.com/dependabot)\[bot] in cli/cli#11266 - chore(deps): bump golang.org/x/sync from 0.15.0 to 0.16.0 by [@​dependabot](https://github.com/dependabot)\[bot] in cli/cli#11264 - chore(deps): bump golang.org/x/text from 0.26.0 to 0.27.0 by [@​dependabot](https://github.com/dependabot)\[bot] in cli/cli#11265 - chore(deps): bump golang.org/x/crypto from 0.39.0 to 0.40.0 by [@​dependabot](https://github.com/dependabot)\[bot] in cli/cli#11275 #### New Contributors - [@​kurahaupo](https://github.com/kurahaupo) made their first contribution in cli/cli#11246 - [@​github-actions](https://github.com/github-actions)\[bot] made their first contribution in cli/cli#11255 **Full Changelog**: cli/cli@v2.75.0...v2.75.1 ### [`v2.75.0`](https://github.com/cli/cli/releases/tag/v2.75.0): GitHub CLI 2.75.0 [Compare Source](cli/cli@v2.74.2...v2.75.0) #### What's Changed ##### ✨ Features - init release verify subcommands by [@​ejahnGithub](https://github.com/ejahnGithub) in cli/cli#11018 - Embed Windows resources (VERSIONINFO) during build by [@​babakks](https://github.com/babakks) in cli/cli#11048 - Support `--no-repos-selected` on `gh secret set` by [@​williammartin](https://github.com/williammartin) in cli/cli#11217 ##### 🐛 Fixes - Fix: `gh pr create` prioritize `--title` and `--body` over `--fill` when `--web` is present by [@​dankrzeminski32](https://github.com/dankrzeminski32) in cli/cli#10547 - fix: get token for active user instead of blank if possible by [@​anuraaga](https://github.com/anuraaga) in cli/cli#11038 - Use Actions API to retrieve job run logs as a fallback mechanism by [@​babakks](https://github.com/babakks) in cli/cli#11172 - Fix query object state mutation during pagination by [@​babakks](https://github.com/babakks) in cli/cli#11244 - Handle `HTTP 404` when deleting remote branch in `pr merge` by [@​babakks](https://github.com/babakks) in cli/cli#11234 ##### 📚 Docs & Chores - chore: fix function name by [@​jinjingroad](https://github.com/jinjingroad) in cli/cli#11149 - chore: update Go version to 1.24 in devcontainer configuration and docs by [@​tMinamiii](https://github.com/tMinamiii) in cli/cli#11158 - Ensure lint workflow checks whether 3rd party license and code is up to date by [@​andyfeller](https://github.com/andyfeller) in cli/cli#11047 - docs: install\_linux.md: add Solus linux install instructions by [@​chax](https://github.com/chax) in cli/cli#10823 - Fix missing newline in install\_linux.md by [@​BagToad](https://github.com/BagToad) in cli/cli#11160 - Ensure automation uses pinned go-licenses version by [@​andyfeller](https://github.com/andyfeller) in cli/cli#11161 - Add `workflow_dispatch` support to MR Help Wanted check by [@​BagToad](https://github.com/BagToad) in cli/cli#11179 - Remove unused `GH_TOKEN` env variable from workflow by [@​BagToad](https://github.com/BagToad) in cli/cli#11190 - Add workflow to automate go version bumping by [@​williammartin](https://github.com/williammartin) in cli/cli#11189 - Fix inconsistent use of tabs and spaces by [@​Stefan-Heimersheim](https://github.com/Stefan-Heimersheim) in cli/cli#11194 - Decouple arg parsing from MR finder by [@​babakks](https://github.com/babakks) in cli/cli#11192 - docs: consistently use `apt` in installation instructions by [@​tklauser](https://github.com/tklauser) in cli/cli#11216 - Ensure bump go script has git user configured by [@​williammartin](https://github.com/williammartin) in cli/cli#11229 - Inject token into bump-go workflow by [@​williammartin](https://github.com/williammartin) in cli/cli#11233 - Reinstating Primer Style CLI content within `cli/cli` repository by [@​andyfeller](https://github.com/andyfeller) in cli/cli#11060 - Add setup-go to bump-go workflow by [@​williammartin](https://github.com/williammartin) in cli/cli#11237 - Ensure GoReleaser does not break on Mac OS and Linux when skipping Windows `.rsyso` generation script by [@​andyfeller](https://github.com/andyfeller) in cli/cli#11257 #####
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
fixes #9422
fixes github/cli#111
This pull request addresses GitHub CLI obligation to comply with the licenses of our 3rd party dependencies.
These changes update the
lintworkflow to verify license information is up to date including source code certain licenses require redistributing source code around.Additionally, this pull request introduces
scripts/licenseandscripts/license-checkto help maintainers and contributors regenerate this information easily.