From 99516d64bae63193ff74727ff92d3c4e98294713 Mon Sep 17 00:00:00 2001 From: Andy Feller Date: Wed, 23 Jul 2025 15:29:32 -0400 Subject: [PATCH 1/2] Regenerate third-party licenses on trunk pushes Fixes #11270 This commit refactors the work done in #11047 of blocking pull requests for manual `third-party` license updates to having GitHub Actions automatically update it on pushes to `trunk`. This will allow maintainers to streamline Dependabot PR reviews while reducing contributor friction when changing dependencies. --- .github/workflows/lint.yml | 16 ------- .github/workflows/third-party-licenses.yml | 49 ++++++++++++++++++++++ 2 files changed, 49 insertions(+), 16 deletions(-) create mode 100644 .github/workflows/third-party-licenses.yml diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 5281a46d0..5afe6cd2f 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -7,15 +7,11 @@ on: - "**.go" - go.mod - go.sum - - ".github/licenses.tmpl" - - "script/licenses*" pull_request: paths: - "**.go" - go.mod - go.sum - - ".github/licenses.tmpl" - - "script/licenses*" permissions: contents: read jobs: @@ -50,18 +46,6 @@ jobs: with: version: v2.1.6 - # actions/setup-go does not setup the installed toolchain to be preferred over the system install, - # which causes go-licenses to raise "Package ... does not have module info" errors. - # for more information, https://github.com/google/go-licenses/issues/244#issuecomment-1885098633 - # - # go-licenses has been pinned for automation use. - - name: Check licenses - run: | - export GOROOT=$(go env GOROOT) - export PATH=${GOROOT}/bin:$PATH - go install github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e - make licenses-check - # Discover vulnerabilities within Go standard libraries used to build GitHub CLI using govulncheck. govulncheck: runs-on: ubuntu-latest 
diff --git a/.github/workflows/third-party-licenses.yml b/.github/workflows/third-party-licenses.yml
new file mode 100644
index 000000000..b9d29e9dc
--- /dev/null
+++ b/.github/workflows/third-party-licenses.yml
@@ -0,0 +1,49 @@
+name: Third Party Licenses
+on:
+ push:
+ branches:
+ - trunk
+ paths:
+ - go.mod
+ - go.sum
+ - ".github/licenses.tmpl"
+ - "script/licenses*"
+jobs:
+ # This job is responsible for updating the third-party license reports and source code.
+ # It should be safe to cancel as the latest version of `go.mod` should be checked in.
+ regenerate-licenses:
+ runs-on: ubuntu-latest
+ concurrency:
+ group: ${{ github.workflow }}
+ cancel-in-progress: true
+ steps:
+ - name: Check out code
+ uses: actions/checkout@v4
+ with:
+ token: ${{ secrets.AUTOMATION_TOKEN }}
+
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version-file: 'go.mod'
+
+ - name: Regenerate licenses
+ run: |
+ export GOROOT=$(go env GOROOT)
+ export PATH=${GOROOT}/bin:$PATH
+ go install github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e
+ make licenses
+ git diff
+
+ - name: Commit and push changes
+ run: |
+ if git diff --exit-code; then
+ echo "No third-party license changes to commit"
+ else
+ git config --local user.name "github-actions[bot]"
+ git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ git add third-party third-party-licenses.*.md
+ git commit -m "Generate licenses - $GITHUB_SHA"
+ git pull
+ git push origin
+ fi
From 8037c61827b70fff1740735b08951960d27b9bda Mon Sep 17 00:00:00 2001
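Review bot: The token handed to `actions/checkout` in `Check out code` stays in the runner's local git config for the rest of the job, because checkout persists credentials by default, so the `Regenerate licenses` step runs `go install` and `make licenses` with push access to `trunk` within reach. Consider setting `persist-credentials: false` on the checkout and supplying the token only inside `Commit and push changes`, or generating the files in a separate job that has no write access. The two actions are referenced by mutable tag (`@v4`, `@v5`) while go-licenses is pinned to a commit; pinning the actions to full commit SHAs would give this write-capable job the same guarantee. Separately, `git diff --exit-code` ignores untracked files, so a run whose only output is new files under `third-party` would print "No third-party license changes to commit"; running `git add third-party third-party-licenses.*.md` first and testing `git diff --cached --exit-code` covers that case.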
From: Andy Feller Date: Fri, 1 Aug 2025 15:36:55 -0400 Subject: [PATCH 2/2] Update permissions and events for workflow This commit makes a few notable changes: 1. Use the GitHub Actions automatic token for committing changes 2. Include workflow file in paths to trigger workflow 3. Checkout the default branch explicitly
---
 .github/workflows/third-party-licenses.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/third-party-licenses.yml b/.github/workflows/third-party-licenses.yml
index b9d29e9dc..3cdc5858e 100644
--- a/.github/workflows/third-party-licenses.yml
+++ b/.github/workflows/third-party-licenses.yml
@@ -4,10 +4,11 @@ on:
 branches:
 - trunk
 paths:
+ - .github/licenses.tmpl
+ - .github/workflows/third-party-licenses.yml
 - go.mod
 - go.sum
- - ".github/licenses.tmpl"
- - "script/licenses*"
+ - script/licenses*
 jobs:
 # This job is responsible for updating the third-party license reports and source code.
 # It should be safe to cancel as the latest version of `go.mod` should be checked in.
@@ -16,11 +17,13 @@ jobs:
 concurrency:
 group: ${{ github.workflow }}
 cancel-in-progress: true
+ permissions:
+ contents: write
 steps:
 - name: Check out code
 uses: actions/checkout@v4
 with:
- token: ${{ secrets.AUTOMATION_TOKEN }}
+ ref: trunk

 - name: Set up Go
 uses: actions/setup-go@v5
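Review bot: With `ref: trunk` the checkout takes whatever the tip of `trunk` is when the step runs rather than the commit that triggered the workflow, yet the commit message built in `Commit and push changes` (outside this hunk) still embeds `$GITHUB_SHA`. When pushes land close together, the generated commit can therefore name a different revision than the one the licenses were built from; recording `$(git rev-parse HEAD)` in the message, or keeping the default ref, would keep the two aligned. Scoping `contents: write` to the job is a good narrowing, but a comment above `permissions:` would help the next maintainer, for example `# write access is needed only by the final push step; pushes made with the automatic token do not start other workflow runs`. Whether the automatic token is allowed to push to `trunk` depends on the branch's protection rules, which are not visible in this patch.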