feat: auto-fix license files on PRs and improve CI reliability

SamMorrowDrums · SamMorrowDrums · commit 681f56202aee · 2025-12-12T12:22:18.000+01:00
Changes:
- Pin go-licenses version in CI for reproducibility (commit 5348b744)
- Add GOROOT/PATH setup for 'Package does not have module info' fix
- Update license-check.yml to auto-fix and push to PR branches
- Add CI=true env var to use pinned go-licenses version
- Add dependabot exclusion from auto-fix workflow
- Remove unnecessary fetch-depth: 0 from checkout
- Fix comment body indentation in PR comment
- Add code-scanning exclusion for third-party files
- Simplify licenses-check to regenerate and compare
diff --git a/.github/workflows/license-check.yml b/.github/workflows/license-check.yml
@@ -19,16 +19,14 @@ permissions:
 jobs:
   license-check:
     runs-on: ubuntu-latest
-    # Don't run on forks (they can't push back) or dependabot (has its own token)
-    if: github.event.pull_request.head.repo.full_name == github.repository
+    # Don't run on forks (they can't push back) or dependabot
+    if: github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]'
 
     steps:
       - name: Check out code
         uses: actions/checkout@v6
         with:
           ref: ${{ github.head_ref }}
-          # Need full history for push
-          fetch-depth: 0
 
       - name: Set up Go
         uses: actions/setup-go@v6
@@ -39,6 +37,8 @@ jobs:
       # which causes go-licenses to raise "Package ... does not have module info" errors.
       # For more information, https://github.com/google/go-licenses/issues/244#issuecomment-1885098633
       - name: Regenerate licenses
+        env:
+          CI: "true"
         run: |
           export GOROOT=$(go env GOROOT)
           export PATH=${GOROOT}/bin:$PATH
@@ -76,12 +76,12 @@ jobs:
               issue_number: context.issue.number,
               body: `## 📜 License files updated
 
-            I noticed the third-party license files were out of date and pushed a fix to this PR.
+I noticed the third-party license files were out of date and pushed a fix to this PR.
 
-            **What changed:** Dependencies were added, removed, or updated, which requires regenerating the license documentation.
+**What changed:** Dependencies were added, removed, or updated, which requires regenerating the license documentation.
 
-            **What I did:** Ran \`./script/licenses\` and committed the result.
+**What I did:** Ran \`./script/licenses\` and committed the result.
 
-            Please pull the latest changes before pushing again.`
+Please pull the latest changes before pushing again.`
             })
 
diff --git a/script/licenses-check b/script/licenses-check
@@ -1,28 +1,42 @@
 #!/bin/bash
+#
+# Check that license files are up to date.
+# This script regenerates the license files and compares them with the committed versions.
+# If there are differences, it exits with an error.
 
-# Pinned version for CI reproducibility, latest for local development
-# See: https://github.com/cli/cli/pull/11161
-if [ "$CI" = "true" ]; then
-    go install github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e # v2.0.1
-else
-    go install github.com/google/go-licenses@latest
-fi
+set -e
+
+# Store original files for comparison
+TEMPDIR="$(mktemp -d)"
+trap "rm -fr ${TEMPDIR}" EXIT
+
+for goos in darwin linux windows; do
+    cp "third-party-licenses.${goos}.md" "${TEMPDIR}/"
+done
+
+# Regenerate using the same script
+./script/licenses
 
-for goos in linux darwin windows ; do
-    # Note: we ignore warnings because we want the command to succeed, however the output should be checked
-    #       for any new warnings, and potentially we may need to add license information. 
-    #
-    #       Normally these warnings are packages containing non go code, which may or may not require explicit attribution,
-    #       depending on the license.
-    GOOS="${goos}" GOFLAGS=-mod=mod go-licenses report ./... --template .github/licenses.tmpl > third-party-licenses.${goos}.copy.md || echo "Ignore warnings"
-    if ! diff -s third-party-licenses.${goos}.copy.md third-party-licenses.${goos}.md; then
-        printf "License check failed for %s.\n\nPlease update the license file by running \`./script/licenses\` and committing the output.\n" "${goos}"
-        rm -f third-party-licenses.${goos}.copy.md
-        exit 1
+# Compare with originals
+has_diff=0
+for goos in darwin linux windows; do
+    if ! diff -q "${TEMPDIR}/third-party-licenses.${goos}.md" "third-party-licenses.${goos}.md" >/dev/null 2>&1; then
+        echo "License file for ${goos} is out of date:"
+        diff "${TEMPDIR}/third-party-licenses.${goos}.md" "third-party-licenses.${goos}.md" || true
+        has_diff=1
     fi
-    rm -f third-party-licenses.${goos}.copy.md
 done
 
+# Restore original files (check shouldn't modify anything)
+for goos in darwin linux windows; do
+    cp "${TEMPDIR}/third-party-licenses.${goos}.md" "./"
+done
+
+if [ $has_diff -eq 1 ]; then
+    printf "\nLicense check failed.\n\nPlease update the license files by running \`./script/licenses\` and committing the output.\n"
+    exit 1
+fi
+
 echo "License check passed for all platforms."
 
 
