Merge pull request #11370 from cli/andyfeller/11270-improve-dependabot-pr-thirdparty-checks

Regenerate third-party licenses on trunk pushes
2025-08-01 16:05:02 -04:00 · 2025-08-01 16:05:02 -04:00 · 24f502ba1f
commit 24f502ba1f
parent 68887865c1 8037c61827
2 changed files with 52 additions and 16 deletions
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@ -7,15 +7,11 @@ on:
      - "**.go"
      - go.mod
      - go.sum
-      - ".github/licenses.tmpl"
-      - "script/licenses*"
  pull_request:
    paths:
      - "**.go"
      - go.mod
      - go.sum
-      - ".github/licenses.tmpl"
-      - "script/licenses*"
 permissions:
  contents: read
 jobs:
@ -50,18 +46,6 @@ jobs:
        with:
          version: v2.1.6

-      # actions/setup-go does not setup the installed toolchain to be preferred over the system install,
-      # which causes go-licenses to raise "Package ... does not have module info" errors.
-      # for more information, https://github.com/google/go-licenses/issues/244#issuecomment-1885098633
-      #
-      # go-licenses has been pinned for automation use.
-      - name: Check licenses
-        run: |
-          export GOROOT=$(go env GOROOT)
-          export PATH=${GOROOT}/bin:$PATH
-          go install github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e
-          make licenses-check
-
  # Discover vulnerabilities within Go standard libraries used to build GitHub CLI using govulncheck.
  govulncheck:
    runs-on: ubuntu-latest
--- a/.github/workflows/third-party-licenses.yml
+++ b/.github/workflows/third-party-licenses.yml
@ -0,0 +1,52 @@
+name: Third Party Licenses
+on:
+  push:
+    branches:
+      - trunk
+    paths:
+      - .github/licenses.tmpl
+      - .github/workflows/third-party-licenses.yml
+      - go.mod
+      - go.sum
+      - script/licenses*
+jobs:
+  # This job is responsible for updating the third-party license reports and source code.
+  # It should be safe to cancel as the latest version of `go.mod` should be checked in.
+  regenerate-licenses:
+    runs-on: ubuntu-latest
+    concurrency:
+      group: ${{ github.workflow }}
+      cancel-in-progress: true
+    permissions:
+      contents: write
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+        with:
+          ref: trunk
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+
+      - name: Regenerate licenses
+        run: |
+          export GOROOT=$(go env GOROOT)
+          export PATH=${GOROOT}/bin:$PATH
+          go install github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e
+          make licenses
+          git diff
+
+      - name: Commit and push changes
+        run: |
+          if git diff --exit-code; then
+            echo "No third-party license changes to commit"
+          else
+            git config --local user.name "github-actions[bot]"
+            git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
+            git add third-party third-party-licenses.*.md
+            git commit -m "Generate licenses - $GITHUB_SHA"
+            git pull
+            git push origin
+          fi