GitHub Actions: Check Go Dependency Licenses

Icinga · Dec 6, 2023 · e042220 · e042220
1 parent 087d9b5
commit e042220
Showing 1 changed file with 34 additions and 0 deletions.
diff --git a/.github/workflows/compliance.yml b/.github/workflows/compliance.yml
@@ -0,0 +1,34 @@
+name: Compliance
+
+on:
+  push:
+    branches: [ main, go-license-compliance ]  # TODO
+  pull_request: {}
+
+permissions:
+  # https://docs.github.com/en/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-contents
+  contents: read
+
+jobs:
+  go:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-go@v4
+      with:
+        go-version: stable
+
+    - name: Download modules to local cache
+      run: go mod download
+
+    - name: Install go-licenses
+      run: go install github.com/google/go-licenses@latest
+
+    - name: Check licenses against an allow list
+      run: |
+        # Pass allowed licenses as SPDX Identifiers: https://spdx.org/licenses/
+        # The current list is based on IcingaDB, plus GPL-2.0 as both IcingaDB
+        # and this very icinga-notifications is licensed as GPL-2.0.
+        # https://github.com/Icinga/icingadb/blob/v1.1.1/.github/workflows/compliance/check-licenses.sh
+        go-licenses check github.com/icinga/icinga-notifications/... \
+          --allowed_licenses BSD-2-Clause,BSD-3-Clause,GPL-2.0,MIT #,MPL-2.0  # TODO: unfail this