Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GitHub Actions: Check Go Dependency Licenses #140

Merged
merged 1 commit into from
Dec 7, 2023
Merged

GitHub Actions: Check Go Dependency Licenses #140

merged 1 commit into from
Dec 7, 2023

Conversation

oxzi
Copy link
Member

@oxzi oxzi commented Dec 6, 2023

By utilizing the neat go-licenses1 tool, scanning the cached Go dependencies against an allow list of licenses, which is currently leaned from Icinga DB, works quite like a charm.

This, however, only includes Go code and produces warnings for (transitive) included Go Assembly code2. If we are planning to include other non-Go artefacts in the future, those also might need to be identified - REUSE3 might help there.

Closes #139.

For an example, take a look at:

  • f944c7a, which was a successfully run or
  • e042220, where MPL-2.0 was missing in the allowed licenses, resulting in an adequate error of:

    Not allowed license MPL-2.0 found for library github.com/go-sql-driver/mysql

Footnotes

  1. https://github.com/google/go-licenses

  2. https://github.com/google/go-licenses/issues/120

  3. https://reuse.software/

@cla-bot cla-bot bot added the cla/signed CLA is signed by all contributors of a PR label Dec 6, 2023
@oxzi oxzi assigned julianbrost and unassigned julianbrost Dec 6, 2023
@oxzi oxzi requested a review from julianbrost December 6, 2023 16:09
@oxzi oxzi force-pushed the go-license-compliance branch from d3deb40 to 0a7d1f5 Compare December 6, 2023 16:12
julianbrost
julianbrost requested changes Dec 7, 2023
View reviewed changes
.github/workflows/compliance.yml Outdated Show resolved Hide resolved
.github/workflows/compliance.yml Outdated Show resolved Hide resolved
@oxzi oxzi force-pushed the go-license-compliance branch from 0a7d1f5 to d803160 Compare December 7, 2023 14:46
@oxzi
GitHub Actions: Check Go Dependency Licenses
b6b28c4 
By utilizing the neat go-licenses[0] tool, scanning the cached Go
dependencies against an allow list of licenses, which is currently
leaned from Icinga DB, works quite like a charm.

This, however, only includes Go code and produces warnings for
(transitive) included Go Assembly code[1]. If we are planning to include
other non-Go artefacts in the future, those also might need to be
identified - REUSE[2] might help there.

Closes #139.

[0] https://github.com/google/go-licenses
[1] google/go-licenses#120
[2] https://reuse.software/
@oxzi oxzi force-pushed the go-license-compliance branch from d803160 to b6b28c4 Compare December 7, 2023 14:47
@oxzi oxzi requested a review from julianbrost December 7, 2023 14:47
@julianbrost julianbrost merged commit 10d5b1b into main Dec 7, 2023
4 checks passed
@julianbrost julianbrost deleted the go-license-compliance branch December 7, 2023 14:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@julianbrost julianbrost julianbrost approved these changes

Assignees
No one assigned
Labels
cla/signed CLA is signed by all contributors of a PR
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Track Dependency Licenses
2 participants
@oxzi @julianbrost