ci: replace custom license tooling with GHAS Dependency Review #5789
devantler wants to merge 2 commits into
Conversation
Retire the go-licenses license-check job in favor of the org's shared dependency-review reusable workflow (deny-list ports go-licenses' forbidden category 1:1), and remove the stale THIRD_PARTY_LICENSES notice file — dependency inventory is covered by GHAS dependency submission (maintainer direction on #5787). Fixes #5788 Closes #5716 Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
I believe we already run the dependency review as a required workflow, so I do not think we need to include it in CI.
Actionable comments posted: 1
Inline comments:
In @.github/workflows/ci.yaml:
- Around line 596-613: The new dependency-review job in the CI workflow is not
equivalent to the old go-licenses gate because it only checks PR-diff dependency
changes and it omits non-SPDX forbidden licenses like CommonsClause and the
Facebook-* variants. Update the workflow around the dependency-review
configuration so the policy matches the intended coverage, either by adding an
additional check for existing tree licenses or by restoring equivalent coverage
for the missing license families; use the dependency-review step and its
deny-licenses input as the main locator.
🔇 Additional comments (3)
.github/workflows/ci.yaml (3)
1059-1064: LGTM!
608-613: 🩺 Stability & Availability: No change needed — warn-only and deny-licenses are valid reusable-workflow inputs, and comment-summary-in-pr defaults to never, so contents: read is sufficient unless PR commenting is enabled.
> Likely an incorrect or invalid review comment.
959-960: 📐 Maintainability & Code Quality: Only the explanatory note mentions license-check; no workflow logic still references the retired job.
> Likely an incorrect or invalid review comment.
The DependencyReview ruleset (id 17213449) already requires reusable-workflows/dependency-review.yaml@main on every PR, so a second in-CI invocation is redundant (maintainer direction on #5789). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Confirmed and done — the
@coderabbitai review
All threads are resolved and the in-CI dependency-review job was dropped per the maintainer's direction (the
✅ Action performed: Review finished.
Why
Per your direction on #5787 and #5789: GHAS already covers what our custom license tooling did — the DependencyReview ruleset runs the shared Dependency Review workflow on every PR, and dependency submission covers the inventory, so the go-licenses job and the third-party notice file are redundant to maintain.
What
Removes the custom license-check CI job (no replacement needed — the ruleset-required Dependency Review workflow already gates every PR) and deletes the stale THIRD_PARTY_LICENSES file.
Fixes #5788
Closes #5716