84 changes: 82 additions & 2 deletions .github/workflows/ci.yaml
Expand Up @@ -132,6 +132,7 @@ jobs:
copilot-plugin: ${{ steps.filter.outputs.copilot-plugin }}
operator-chart: ${{ steps.filter.outputs.operator-chart }}
desktop: ${{ steps.filter.outputs.desktop }}
licenses: ${{ steps.filter.outputs.licenses }}
calico-cni: ${{ steps.filter.outputs.calico-cni }}
steps:
- name: 📄 Checkout
Expand Down Expand Up @@ -258,6 +259,19 @@ jobs:
- 'go.mod'
- 'go.sum'
- '.github/workflows/ci.yaml'
licenses:
# THIRD_PARTY_LICENSES tracks BOTH module graphs; anything that
# changes either graph (or the generator itself) can drift the
# inventory, so regenerate-and-self-heal on those paths (#5716).
- 'go.mod'
- 'go.sum'
- 'desktop/go.mod'
- 'desktop/go.sum'
- 'scripts/gen-third-party-licenses/**'
- 'THIRD_PARTY_LICENSES'
# The verify-licenses job's own behaviour lives in this file
# (same pattern as the go filter above).
- '.github/workflows/ci.yaml'
calico-cni:
# The Calico installer derives the tigera-operator chart version
# from the calico/node image tag in this Dockerfile (see
Expand Down Expand Up @@ -499,12 +513,12 @@ jobs:
name: 📤 Auto-Commit Generated Changes
runs-on: ubuntu-latest
timeout-minutes: 15
needs: [changes, generate, verify-desktop-tidy]
needs: [changes, generate, verify-desktop-tidy, verify-licenses]
if: >-
always()
&& github.event_name != 'merge_group'
&& (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
&& (needs.generate.result == 'success' || needs.verify-desktop-tidy.result == 'success')
&& (needs.generate.result == 'success' || needs.verify-desktop-tidy.result == 'success' || needs.verify-licenses.result == 'success')
permissions:
contents: write
pull-requests: write
Expand Down Expand Up @@ -1289,6 +1303,70 @@ jobs:
exit 1
fi

verify-licenses:
name: 📜 Verify Third-Party License Inventory
runs-on: ubuntu-latest
timeout-minutes: 20
needs: [changes]
if: github.event_name != 'merge_group' && needs.changes.outputs.licenses == 'true'
permissions:
contents: read
steps:
- name: 📄 Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }}
ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}

- name: ⚙️ Setup Go
uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
with:
go-version-file: go.mod

- name: 📦 Install go-licenses
run: go install github.com/google/go-licenses/v2@v2.0.1

# THIRD_PARTY_LICENSES is generated from BOTH Go module graphs (root +
# desktop/) by scripts/gen-third-party-licenses, which emits a
# deterministic document (no timestamp), so any diff after regeneration
# is real inventory drift. Self-heal the same way generated files are
# synced: regenerate, capture the diff as a patch artifact, and let the
# 📤 Auto-Commit Generated Changes job apply it to the PR branch (#5716).
# Fork PRs — which that job cannot push to — hard-fail with guidance.
# The generator also fails here when a NEW dependency has no license
# file bundled and no manual verification recorded in
# scripts/gen-third-party-licenses/verified_unknown.go.
- name: 📜 Regenerate license inventory
run: make licenses

- name: 📤 Upload patch
run: |
git add -N .
git diff > /tmp/licenses.patch
if [ -s /tmp/licenses.patch ]; then
echo "License inventory drift detected; patch will be auto-committed on same-repo PRs."
else
echo "License inventory already up to date."
fi
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: licenses-patch
path: /tmp/licenses.patch
if-no-files-found: ignore
retention-days: 1

- name: ❌ Fail if license inventory is out of date (fork PR)
if: >-
github.event_name == 'pull_request'
&& github.event.pull_request.head.repo.full_name != github.repository
shell: bash
run: |
if [ -s /tmp/licenses.patch ]; then
echo "::error::THIRD_PARTY_LICENSES is out of date. Please run 'make licenses' locally and commit the result."
exit 1
fi

validate-calico-chart:
name: 🔍 Validate Calico Chart Version
runs-on: ubuntu-latest
Expand Down Expand Up @@ -1366,6 +1444,7 @@ jobs:
operator-chart-lint,
operator-chart-e2e,
verify-desktop-tidy,
verify-licenses,
validate-calico-chart,
]
if: ${{ always() }}
Expand Down Expand Up @@ -1393,4 +1472,5 @@ jobs:
${{ needs.operator-chart-lint.result }}
${{ needs.operator-chart-e2e.result }}
${{ needs.verify-desktop-tidy.result }}
${{ needs.verify-licenses.result }}
${{ needs.validate-calico-chart.result }}
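Review bot: The `if-no-files-found: ignore` on the artifact upload in the verify-licenses job can never take effect, because the redirect `git diff > /tmp/licenses.patch` in the 📤 Upload patch step creates the file unconditionally, so an empty `licenses-patch` artifact is uploaded on every drift-free run and the Auto-Commit job (outside this section) is presumably left to recognise an empty patch on its own. Writing the file only when there is drift keeps the contract simple: add `rm -f /tmp/licenses.patch` in the `else` branch before the "already up to date" echo, which leaves the fork-PR fail step unchanged since `[ -s ... ]` is false for a missing file too. As a point of style, the upload-artifact step is the only one in the job without a `name:`, and the Upload patch step lacks the explicit `shell: bash` that the fail step sets; aligning both makes the job read consistently. The fork-checkout hardening already in place (`contents: read`, `persist-credentials: false`) is the right posture given that `make licenses` runs code from the PR head.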
5 changes: 4 additions & 1 deletion AGENTS.md
Expand Up @@ -376,7 +376,10 @@ dependency order and is THE regeneration command. The artifacts, for reference:
`docs/src/content/docs/configuration/declarative-configuration.mdx` (`go generate ./docs/...`),
`pkg/svc/chat/docs_generated.go` (`go generate ./pkg/svc/chat/...`, after docs), `mocks.go` files
(`mockery`), and `web/ui/src/generated/ksail-config.ts` (`npm --prefix web/ui run gen:types`,
after schemas). See also `.github/instructions/`.
after schemas). `THIRD_PARTY_LICENSES` is generated separately by `make licenses`
(scripts/gen-third-party-licenses; deterministic output, CI self-heals drift on module-graph
changes — a new dependency without a bundled license file must be manually verified and recorded
in `scripts/gen-third-party-licenses/verified_unknown.go`). See also `.github/instructions/`.
**Shared machine / autonomous worktrees:** only create/inspect/delete
clusters you created; build throwaway binaries to `/tmp` (not `./ksail`) to avoid polluting the
worktree. Maintainers building locally should still use the standard `make build` (`go build -o
5 changes: 4 additions & 1 deletion Makefile
Expand Up @@ -3,7 +3,7 @@ SHELL := /bin/bash
DESKTOP_DIR := desktop
VERSION ?= $(shell git describe --tags --always 2>/dev/null | sed 's/^v//' || echo dev)

.PHONY: help ui build test desktop desktop-app generate
.PHONY: help ui build test desktop desktop-app generate licenses

help: ## Show available targets.
@grep -hE '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | \
test: ## Run the Go unit tests.
go test ./...

licenses: ## Regenerate THIRD_PARTY_LICENSES from both Go module graphs (root + desktop/). Requires go-licenses (go install github.com/google/go-licenses/v2@v2.0.1).
go run ./scripts/gen-third-party-licenses

generate: ## Regenerate ALL generated artifacts (JSON schema, CRD/deepcopy, reference docs, chat docs, mocks, web UI types). Ordering matters: schema before web UI types, docs before chat docs.
go generate ./schemas/... ./pkg/apis/...
go generate ./docs/...
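Review bot: The `licenses` target's help text says go-licenses is required, but the recipe runs `go run ./scripts/gen-third-party-licenses` with no preflight check, so a developer without the tool presumably gets a failure from inside the generator rather than the install hint that the help line carries. A one-line guard as the first recipe line keeps the hint next to the failure: `@command -v go-licenses >/dev/null 2>&1 || { echo "go-licenses not found; run: go install github.com/google/go-licenses/v2@v2.0.1" >&2; exit 1; }`. Whether the generator resolves go-licenses from PATH is not visible in this diff; if it locates the tool another way, the guard should be dropped rather than mislead.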