GitHub Actions: Check Go Dependency Licenses

By utilizing the neat go-licenses[0] tool, scanning the cached Go dependencies against an allow list of licenses, which is currently leaned from Icinga DB, works quite like a charm. This, however, only includes Go code and produces warnings for (transitive) included Go Assembly code[1]. If we are planning to include other non-Go artefacts in the future, those also might need to be identified - REUSE[2] might help there. [0] https://github.com/google/go-licenses [1] google/go-licenses#120 [2] https://reuse.software/
Icinga · Dec 6, 2023 · f944c7a · f944c7a
1 parent 087d9b5
commit f944c7a
Showing 1 changed file with 34 additions and 0 deletions.
diff --git a/.github/workflows/compliance.yml b/.github/workflows/compliance.yml
@@ -0,0 +1,34 @@
+name: Compliance
+
+on:
+  push:
+    branches: [ main, go-license-compliance ]  # TODO
+  pull_request: {}
+
+permissions:
+  # https://docs.github.com/en/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-contents
+  contents: read
+
+jobs:
+  go:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-go@v4
+      with:
+        go-version: stable
+
+    - name: Download modules to local cache
+      run: go mod download
+
+    - name: Install go-licenses
+      run: go install github.com/google/go-licenses@latest
+
+    - name: Check licenses against an allow list
+      run: |
+        # Pass allowed licenses as SPDX Identifiers: https://spdx.org/licenses/
+        # The current list is based on Icinga DB, plus GPL-2.0 as both Icinga DB
+        # and this very icinga-notifications is licensed as GPL-2.0.
+        # https://github.com/Icinga/icingadb/blob/v1.1.1/.github/workflows/compliance/check-licenses.sh
+        go-licenses check github.com/icinga/icinga-notifications/... \
+          --allowed_licenses BSD-2-Clause,BSD-3-Clause,GPL-2.0,MIT,MPL-2.0