
ci: check license of third party Go dependencies #31129

Merged
merged 2 commits into main from pr/rolinh/license-check on Mar 5, 2024

Conversation


@rolinh rolinh commented Mar 4, 2024

Members of the @cilium/vendor group are currently required to inspect new or updated Go dependencies manually to verify that they comply with the CNCF policy for third party dependencies. This patch adds a tool and associated CI check to do the license verification automatically instead of relying on a manual review. When a non-conformant third party is detected, the CI check fails with a message indicating which dependency is a problem and links to relevant resources. Example:

The third party dependencies below are not allowed under the CNCF's IP policy:
  - github.com/hashicorp/boundary/sdk/wspb (MPL-2.0)

Projects under the following licenses are generally accepted:
  - Apache-2.0
  - BSD-2-Clause
  - BSD-2-Clause-FreeBSD
  - BSD-3-Clause
  - ISC
  - MIT
  - PostgreSQL
  - Python-2.0
  - X11
  - Zlib

Under certain circumstances, exceptions can be made for projects using a different license. For more information, please consult the following resources:
https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md
https://github.com/cncf/foundation/tree/main/license-exceptions

See example failed CI run.
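The check described above, as an added illustration rather than the tool in this PR: it parses a per-dependency license report, compares each SPDX identifier against the allowlist quoted in the description, and returns the offending entries (the `path,license-url,license` column layout of `go-licenses csv`, the exception map keyed by module path, and the sample rows are assumptions of this example).

```go
package main

import (
	"fmt"
	"strings"
)

// SPDX identifiers generally accepted under the CNCF policy (the list quoted in the PR description).
var allowedLicenses = map[string]bool{
	"Apache-2.0": true, "BSD-2-Clause": true, "BSD-2-Clause-FreeBSD": true, "BSD-3-Clause": true,
	"ISC": true, "MIT": true, "PostgreSQL": true, "Python-2.0": true, "X11": true, "Zlib": true,
}

// Dependency is one Go module or package path and the SPDX identifier found for it.
type Dependency struct{ Path, License string }

// ParseLicenseCSV reads "path,license-url,license" lines (the column layout of `go-licenses csv`
// is assumed); blank lines are skipped and a malformed line is an error, not silently ignored.
func ParseLicenseCSV(input string) ([]Dependency, error) {
	var deps []Dependency
	for n, line := range strings.Split(input, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		cols := strings.Split(line, ",")
		if len(cols) != 3 {
			return nil, fmt.Errorf("line %d: expected 3 columns, got %d", n+1, len(cols))
		}
		deps = append(deps, Dependency{Path: cols[0], License: strings.TrimSpace(cols[2])})
	}
	return deps, nil
}

// Disallowed returns every dependency whose license is not on the allowlist and whose path is
// not covered by an approved exception (exceptions is assumed to be keyed by module path).
func Disallowed(deps []Dependency, exceptions map[string]bool) []Dependency {
	var bad []Dependency
	for _, d := range deps {
		if !allowedLicenses[d.License] && !exceptions[d.Path] {
			bad = append(bad, d)
		}
	}
	return bad
}

// Constructed sample report (not from the PR); the MPL-2.0 entry is the one quoted above.
const sampleCSV = "github.com/example/liba,https://example.invalid/LICENSE,MIT\n" +
	"github.com/hashicorp/boundary/sdk/wspb,https://example.invalid/LICENSE,MPL-2.0\n"
```

A CI job would feed the real report into `ParseLicenseCSV`, fail when `Disallowed` returns anything, and print the returned entries in the `- path (license)` shape shown above.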

@rolinh rolinh added kind/enhancement This would improve or streamline existing functionality. release-note/ci This PR makes changes to the CI. labels Mar 4, 2024
@rolinh rolinh force-pushed the pr/rolinh/license-check branch 3 times, most recently from 54795cf to 5a92f10 Compare March 4, 2024 15:33
@rolinh rolinh marked this pull request as ready for review March 4, 2024 15:45
@rolinh rolinh requested review from a team as code owners March 4, 2024 15:45

aanm commented Mar 4, 2024

/test


@sayboras sayboras left a comment

One small comment on the version in go.mod, the rest seems legit, we can improve along the way.

Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net>
Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net>

rolinh commented Mar 5, 2024

/test

EDIT: I had to rebase already due to a go.mod conflict.

@tklauser tklauser removed the request for review from aditighag March 5, 2024 12:47
@tklauser tklauser added this pull request to the merge queue Mar 5, 2024
Merged via the queue into main with commit 82ed062 Mar 5, 2024
229 checks passed
@tklauser tklauser deleted the pr/rolinh/license-check branch March 5, 2024 12:54
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Mar 5, 2024