Merged
Pull request overview
This PR adds CI tooling to verify that all Go dependencies use CNCF-approved licenses, aligning dependency policy enforcement with the rest of the project’s centralized tooling/versioning approach.
Changes:
- Add a `go_licenses` version entry to `.versions.yaml` under the linting tools section.
- Introduce a `verify-licenses` GitHub Actions workflow that runs `google/go-licenses` on Go modules, using centralized versions from the `load-versions` composite action and a SHA-pinned `actions/setup-go` v6.2.0.
- Extend workflow path triggers so changes to `verify-licenses.yaml` itself also trigger the license verification job.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| `.versions.yaml` | Adds a pinned `go_licenses` version to the shared versions manifest so the tool can be consistently installed in CI. |
| `.github/workflows/verify-licenses.yaml` | Defines the new license verification workflow, wiring it into the central version loader and updating the Go setup action and triggers accordingly (though the `go_licenses` output wiring in `load-versions` still needs to be added for the install step to work). |
Add GitHub Action to verify all Go dependencies use CNCF-approved licenses, inspired by Kubernetes' verify-licenses.sh pattern.

Uses google/go-licenses to check against allowed license list: Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, MIT

Changes from review feedback:
- Pin go-licenses version (v1.6.0) in .versions.yaml
- Use load-versions action for consistent tooling
- Update actions/setup-go to v6.2.0 (SHA-pinned)
- Add workflow file to paths trigger for self-testing

Signed-off-by: Davanum Srinivas <dsrinivas@nvidia.com>

803a1c3 to e47f2f9
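The commit above describes checking every Go dependency against an allowlist of five licenses. `go-licenses check ./... --allowed_licenses=...` enforces this directly, so the workflow itself needs no extra scripting; the snippet below is an added example, not code from this PR or from the project, that makes the allowlist semantics explicit and runnable offline. It assumes the `module,url,license` CSV shape that `go-licenses report ./...` prints, and the report it filters is constructed sample data, not real project output.

```shell
#!/usr/bin/env sh
# Added example: filter a go-licenses CSV report against the PR's allowlist.
# Assumption: input rows are "module,url,license" as emitted by `go-licenses report`.

# The five licenses the PR's commit message lists as allowed.
ALLOWED="Apache-2.0 BSD-2-Clause BSD-3-Clause ISC MIT"

# Constructed sample report (hypothetical modules; not the project's real dependencies).
SAMPLE_REPORT='github.com/example/okmod,https://github.com/example/okmod/blob/v1.0.0/LICENSE,Apache-2.0
github.com/example/mitmod,https://github.com/example/mitmod/blob/v0.3.1/LICENSE,MIT
github.com/example/copyleft,https://github.com/example/copyleft/blob/v2.0.0/LICENSE,GPL-3.0
github.com/example/unknown,Unknown,Unknown'

# check_report: read CSV rows on stdin, print every row whose license is not
# in ALLOWED, and return 1 if any such row was seen (0 otherwise).
# An exact-string match is deliberate: "Unknown", "GPL-3.0" or a misspelled
# SPDX id must fail rather than be waved through by a looser pattern.
check_report() {
  rc=0
  while IFS=, read -r module url license; do
    [ -n "$module" ] || continue
    ok=0
    for a in $ALLOWED; do
      if [ "$license" = "$a" ]; then ok=1; break; fi
    done
    if [ "$ok" -eq 0 ]; then
      printf 'DISALLOWED %s (%s) %s\n' "$module" "$license" "$url"
      rc=1
    fi
  done
  return $rc
}

# count_violations: number of disallowed rows in the constructed sample report.
count_violations() {
  printf '%s\n' "$SAMPLE_REPORT" | check_report | wc -l | tr -d ' '
}

# Stand-alone run over the sample data. In CI the left side of the pipe would be
#   go-licenses report ./...
printf '%s\n' "$SAMPLE_REPORT" | check_report || echo "license check failed"
```

Two rows fail here (GPL-3.0 and Unknown), so the function returns non-zero; wiring this, or the tool's own `check --allowed_licenses`, into a required status check is what turns the allowlist into an enforced supply-chain control rather than a report.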
Coverage Report ✅
No Go source files changed in this PR.
Add GitHub Action to verify all Go dependencies use CNCF-approved licenses, inspired by Kubernetes' verify-licenses.sh pattern.
Uses google/go-licenses to check against allowed license list: Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, MIT
Changes from review feedback:
Summary
Motivation / Context
Fixes:
Related:
Type of Change
Component(s) Affected
- `cmd/eidos`, `pkg/cli`
- `cmd/eidosd`, `pkg/api`, `pkg/server`
- `pkg/recipe`
- `pkg/bundler`, `pkg/component/*`
- `pkg/collector`, `pkg/snapshotter`
- `pkg/validator`
- `pkg/errors`, `pkg/k8s`
- `docs/`, `examples/`
Implementation Notes
Testing
```
# Commands run (prefer `make qualify` for non-trivial changes)
make qualify
```
Risk Assessment
Rollout notes:
Checklist
- `make test` with `-race`
- `make lint`
- `git commit -s` (DCO info)