11 changes: 11 additions & 0 deletions .fossa.yml
@@ -0,0 +1,11 @@
version: 3

# FOSSA CLI for getsentry/action-enforce-license-compliance.
# https://github.com/fossas/fossa-cli/blob/master/docs/references/files/fossa-yml.md

project:
id: github.com/codecov/contributing
url: https://github.com/codecov/contributing

telemetry:
scope: "off"
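Review bot: The header comment `# FOSSA CLI for getsentry/action-enforce-license-compliance.` names the GitHub Action rather than this repository, which reads as if the config belonged to that project; since `project.id` and `project.url` both point at `github.com/codecov/contributing`, reword it to say that this file is consumed by that action when it scans this repo. `telemetry.scope: "off"` is a reasonable setting for a config committed to a public repository.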
15 changes: 15 additions & 0 deletions .github/workflows/enforce-license-compliance.yml
@@ -0,0 +1,15 @@
name: Enforce License Compliance

on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
workflow_dispatch:

jobs:
enforce-license-compliance:
runs-on: ubuntu-latest
steps:
- name: 'Enforce License Compliance'
Bug: The workflow will fail for pull requests from forks because secrets.FOSSA_API_KEY is not available, causing the license compliance check to either fail or be silently skipped.
Severity: HIGH

Suggested Fix

Use the pull_request_target event instead of pull_request. This event runs in the context of the base repository and has access to secrets. Alternatively, add a condition to the step to only run it on non-fork PRs, for example: if: github.event.pull_request.head.repo.full_name == github.repository.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location: .github/workflows/enforce-license-compliance.yml#L12

Potential issue: The `enforce-license-compliance` workflow is triggered on
`pull_request` events, including those from forks. However, GitHub Actions intentionally
do not provide secrets like `FOSSA_API_KEY` to workflows from forked repositories for
security reasons. Consequently, for any external contribution via a fork PR, the
`fossa_api_key` input will be an empty string. This will either cause the
`getsentry/action-enforce-license-compliance` action to fail, blocking the PR, or
silently bypass the license scan, defeating the purpose of the workflow.

Did we get this right? 👍 / 👎 to inform future reviews.

uses: getsentry/action-enforce-license-compliance@57ba820387a1a9315a46115ee276b2968da51f3d # main
with:
fossa_api_key: ${{ secrets.FOSSA_API_KEY }}
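Review bot: The job declares no `permissions:` block, so it inherits the repository's default `GITHUB_TOKEN` permissions; add a top-level `permissions: contents: read` (or whatever narrower set the action actually needs) so a check that only reads the tree runs with least privilege. Pinning `getsentry/action-enforce-license-compliance` to a full commit SHA with the `# main` annotation is the right call and should be kept when the fork-PR concern above is addressed. On that concern, note that the `pull_request_target` option runs with secrets available, and a license scan has to analyze the PR's own manifests, so the job can end up running FOSSA's analysis (and any build tooling it invokes) against untrusted contributor content while holding `secrets.FOSSA_API_KEY`; the skip-on-fork condition (`github.event.pull_request.head.repo.full_name == github.repository`) is the safer of the two suggestions.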
1 change: 1 addition & 0 deletions requirements.txt
@@ -0,0 +1 @@
# FOSSA: setuptools discovery target at repo root (add real deps here if applicable).
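Review bot: A comment-only `requirements.txt` whose sole purpose is to give FOSSA a discovery target is easy to misread as a real dependency manifest (by contributors, by `pip install -r`, and by dependency-update tooling), and the trailing "if applicable" leaves it unclear whether anyone is expected to maintain it. If the intent is only to make the FOSSA scan succeed in a repository with no Python dependencies, prefer expressing that in `.fossa.yml` (the fossa-yml docs linked from that file cover target selection) and drop this file, or state explicitly in the comment that it is a placeholder that must stay empty.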
Bug: The empty requirements.txt file will cause the FOSSA CLI to find zero dependencies and exit with an error, failing the CI workflow on every run.
Severity: HIGH

Suggested Fix

Since the repository contains no Python dependencies, the requirements.txt file should be removed. The FOSSA configuration (.fossa.yml) should be updated to explicitly ignore Python/setuptools targets to prevent the tool from searching for them and failing when none are found.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location: requirements.txt#L1

Potential issue: The newly added `requirements.txt` file contains only a comment and no
actual dependencies. The FOSSA CLI tool, which is executed by the
`enforce-license-compliance` workflow, is documented to exit with a non-zero status code
when it analyzes a project and discovers zero dependency targets. This will cause the
`fossa analyze` command to fail, which in turn will cause the entire GitHub Actions
workflow to fail on every run, blocking all pull requests from being merged.

Did we get this right? 👍 / 👎 to inform future reviews.