Skip to content

Commit

Permalink
GitHub Actions: Check Go Dependency Licenses
Browse files Browse the repository at this point in the history
By utilizing the neat go-licenses[0] tool, scanning the cached Go
dependencies against an allow list of licenses, which is currently
leaned from Icinga DB, works quite like a charm.

This, however, only includes Go code and produces warnings for
(transitive) included Go Assembly code[1]. If we are planning to include
other non-Go artefacts in the future, those also might need to be
identified - REUSE[2] might help there.

Closes #139.

[0] https://github.com/google/go-licenses
[1] google/go-licenses#120
[2] https://reuse.software/
  • Loading branch information
oxzi authored and julianbrost committed Dec 7, 2023
1 parent 6fc8449 commit 10d5b1b
Showing 1 changed file with 34 additions and 0 deletions.
34 changes: 34 additions & 0 deletions .github/workflows/compliance.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
name: Compliance

on:
push:
branches: [ main ]
pull_request: {}

permissions:
# https://docs.github.com/en/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-contents
contents: read

jobs:
compliance:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: stable

- name: Download modules to local cache
run: go mod download

- name: Install go-licenses
run: go install github.com/google/go-licenses@latest

- name: Check licenses against allow list
run: |
# Pass allowed licenses as SPDX Identifiers: https://spdx.org/licenses/
# The current list is based on Icinga DB, plus GPL-2.0 as both Icinga DB
# and this very icinga-notifications are licensed under GPL-2.0.
# https://github.com/Icinga/icingadb/blob/v1.1.1/.github/workflows/compliance/check-licenses.sh
go-licenses check github.com/icinga/icinga-notifications/... \
--allowed_licenses BSD-2-Clause,BSD-3-Clause,GPL-2.0,MIT,MPL-2.0

0 comments on commit 10d5b1b

Please sign in to comment.