
ci: replace custom license tooling with GHAS Dependency Review#5789

Open
devantler wants to merge 2 commits into main from claude/ci-dependency-review-license-gate

Conversation

@devantler devantler commented Jul 4, 2026

Contributor

🤖 Generated by the Daily AI Assistant

Why

Per your direction on #5787 and #5789: GHAS already covers what our custom license tooling did — the DependencyReview ruleset runs the shared Dependency Review workflow on every PR, and dependency submission covers the inventory, so the go-licenses job and the third-party notice file are redundant to maintain.

What

Removes the custom license-check CI job (no replacement needed — the ruleset-required Dependency Review workflow already gates every PR) and deletes the stale THIRD_PARTY_LICENSES file.

Fixes #5788
Closes #5716

Retire the go-licenses license-check job in favor of the org's shared
dependency-review reusable workflow (deny-list ports go-licenses'
forbidden category 1:1), and remove the stale THIRD_PARTY_LICENSES
notice file — dependency inventory is covered by GHAS dependency
submission (maintainer direction on #5787).

Fixes #5788
Closes #5716

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

coderabbitai Bot commented Jul 4, 2026


Important

Review skipped

No new commits to review since the last review.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: e2c383a4-87d6-4594-918e-93e5a5e1b1db

📝 Walkthrough

The CI workflow replaces the license-check job with a pull-request-scoped dependency-review job configured to fail on disallowed SPDX licenses. Three downstream jobs remove license-check from their needs lists. The require-checks-in-pr job now requires dependency-review and passes its result into aggregate-job-checks.


Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Linked Issues check | ❌ Error | [#5716] The file was removed rather than regenerated and automated, so the inventory-refresh requirement is not met. | Regenerate the root and desktop inventories and add an automated refresh or drift check, with the provenance header updated. |
| Linked Issues check | ❓ Inconclusive | [#5788] The core license-gate swap is present, but the summary does not confirm the AGENTS.md update or full allowlist parity. | Confirm the AGENTS.md CI note update and that the Dependency Review allowlist and risk-accepts match current policy. |
✅ Passed checks (4 passed)
| Check name | Status | Explanation |
|---|---|---|
| Out of Scope Changes check | ✅ Passed | No unrelated changes are evident; the diff stays within CI license gating and the THIRD_PARTY_LICENSES cleanup. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Title check | ✅ Passed | The title accurately summarizes the main change: replacing custom license CI tooling with GHAS Dependency Review. |
| Description check | ✅ Passed | The description is clearly related to the changeset and explains the CI and license-file removals. |


@devantler

Contributor Author

I believe we already run the dependency review as a required workflow, so I do not think we need to include it in CI.


github-actions Bot commented Jul 4, 2026

Contributor

MegaLinter analysis: Success

✅ Linters with no issues

actionlint, bash-exec, git_diff, hadolint, jscpd, jsonlint, lychee, markdown-table-formatter, markdownlint, prettier, prettier, shellcheck, shfmt, stylelint, syft, trivy-sbom, trufflehog, v8r, v8r, yamllint


See detailed reports in MegaLinter artifacts


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yaml:
- Around line 596-613: The new dependency-review job in the CI workflow is not
equivalent to the old go-licenses gate because it only checks PR-diff dependency
changes and it omits non-SPDX forbidden licenses like CommonsClause and the
Facebook-* variants. Update the workflow around the dependency-review
configuration so the policy matches the intended coverage, either by adding an
additional check for existing tree licenses or by restoring equivalent coverage
for the missing license families; use the dependency-review step and its
deny-licenses input as the main locator.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: a1a826b8-1ce7-4a24-b65c-fc796cafea38

📥 Commits

Reviewing files that changed from the base of the PR and between 8554388 and 6f5837b.

📒 Files selected for processing (2)
  • .github/workflows/ci.yaml
  • THIRD_PARTY_LICENSES
💤 Files with no reviewable changes (1)
  • THIRD_PARTY_LICENSES
📜 Review details
⏰ Context from checks skipped due to timeout. (11)
  • GitHub Check: 🧹 Lint - mega-linter
  • GitHub Check: ⛵ Operator Chart E2E
  • GitHub Check: 🏗️ Build KSail Binary
  • GitHub Check: 🧩 Verify Desktop Module Tidy
  • GitHub Check: 🧩 VSCode Extension
  • GitHub Check: 📚 Build Documentation
  • GitHub Check: 🛡️ Dependency Review / dependency-review
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: Analyze (go)
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: Analyze (go)
🔇 Additional comments (3)
.github/workflows/ci.yaml (3)

1059-1064: LGTM!


608-613: 🩺 Stability & Availability

No change needed: warn-only and deny-licenses are valid reusable-workflow inputs, and comment-summary-in-pr defaults to never, so contents: read is sufficient unless PR commenting is enabled.

> Likely an incorrect or invalid review comment.

959-960: 📐 Maintainability & Code Quality

Only the explanatory note mentions license-check; no workflow logic still references the retired job.

> Likely an incorrect or invalid review comment.
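To make the two review points above concrete (the deny-list only accepts SPDX identifiers and only evaluates dependencies that change between the PR's base and head, and `contents: read` suffices while PR commenting stays off), here is an added example workflow. It is not the project's ci.yaml nor the org's `reusable-workflows/dependency-review.yaml`; it calls the upstream `actions/dependency-review-action` directly, and the workflow name and the deny-list values are illustrative placeholders rather than the project's policy.

```yaml
# Added example, not the project's own workflow: a minimal PR-scoped
# license gate using actions/dependency-review-action directly.
name: dependency-review-example   # illustrative name

on:
  pull_request:

permissions:
  contents: read
  # pull-requests: write   # required only if comment-summary-in-pr is
  #                        # switched from the default 'never' to
  #                        # 'always' or 'on-failure'

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          # Fail the check instead of only annotating it.
          warn-only: false
          # Keep PR commenting off so contents: read is enough.
          comment-summary-in-pr: never
          # Comma-separated SPDX identifiers only. Illustrative values, not
          # the project's policy. Non-SPDX families (e.g. Commons Clause or
          # the Facebook-* patent grants named in the review) cannot be
          # expressed here, and the action only scores dependencies that
          # differ between the PR base and head refs, so licenses already
          # present in the tree are never re-evaluated by this job.
          deny-licenses: AGPL-3.0-only, AGPL-3.0-or-later, CC-BY-NC-4.0
```

If the intended coverage includes the existing tree or non-SPDX license families, this gate needs to be paired with a separate full-inventory check (for example on a schedule), which is the gap the inline comment raises.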

Comment thread .github/workflows/ci.yaml Outdated
The DependencyReview ruleset (id 17213449) already requires
reusable-workflows/dependency-review.yaml@main on every PR, so a second
in-CI invocation is redundant (maintainer direction on #5789).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@devantler

Contributor Author

🤖 Generated by the Daily AI Assistant

Confirmed and done — the Require workflows to pass before merging - DependencyReview ruleset already runs reusable-workflows/dependency-review.yaml@main on every PR, so the in-CI job was redundant. Dropped it: ci.yaml now only removes the old license-check job, and THIRD_PARTY_LICENSES stays deleted.

@devantler devantler marked this pull request as ready for review July 4, 2026 16:59
@devantler

Contributor Author

@coderabbitai review

🤖 Generated by the Daily AI Assistant

All threads are resolved and the in-CI dependency-review job was dropped per the maintainer's direction (the DependencyReview ruleset already requires the shared workflow on every PR) — requesting a fresh review so the stale CHANGES_REQUESTED state clears.


coderabbitai Bot commented Jul 4, 2026


@devantler Sounds good — thanks for confirming the ruleset already covers dependency review. Triggering a fresh review now.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.
