ci: add Go dependency license check workflow by ivankatliarchuk · Pull Request #6334 · kubernetes-sigs/external-dns

ivankatliarchuk · 2026-04-01T10:30:57Z

What does it do ?

Currently there is no automated check exists to catch incompatible licenses when dependencies are added or updated.

Example RUN https://github.com/kubernetes-sigs/external-dns/actions/runs/23844817593/job/69509373373

Motivation

Example dependency leaked with wrong licence #5955

.github/workflows/license-check.yml - runs skywalking-eyes/dependency on PRs that modify go.mod, go.sum, go.tool.mod, or go.tool.sum
.licenserc.yaml - configures the check against go.mod; excludes 5 HashiCorp MPL-2.0 indirect deps (pulled transitively by the Exoscale and RFC2136 providers)

More

Yes, this PR title follows Conventional Commits
Yes, I added unit tests
Yes, I updated end user documentation accordingly

Current licences

I was using go install github.com/google/go-licenses/v2, but looks like the tool is not longer maintained

cloud.google.com/go/auth,https://github.com/googleapis/google-cloud-go/blob/auth/v0.18.2/auth/LICENSE,Apache-2.0
cloud.google.com/go/auth/oauth2adapt,https://github.com/googleapis/google-cloud-go/blob/auth/oauth2adapt/v0.2.8/auth/oauth2adapt/LICENSE,Apache-2.0
cloud.google.com/go/compute/metadata,https://github.com/googleapis/google-cloud-go/blob/compute/metadata/v0.9.0/compute/metadata/LICENSE,Apache-2.0
github.com/99designs/gqlgen/graphql,https://github.com/99designs/gqlgen/blob/v0.17.73/LICENSE,MIT
github.com/Azure/azure-sdk-for-go/sdk/azcore,https://github.com/Azure/azure-sdk-for-go/blob/sdk/azcore/v1.21.0/sdk/azcore/LICENSE.txt,MIT
github.com/Azure/azure-sdk-for-go/sdk/azidentity,https://github.com/Azure/azure-sdk-for-go/blob/sdk/azidentity/v1.13.1/sdk/azidentity/LICENSE.txt,MIT
github.com/Azure/azure-sdk-for-go/sdk/internal,https://github.com/Azure/azure-sdk-for-go/blob/sdk/internal/v1.11.2/sdk/internal/LICENSE.txt,MIT
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns,https://github.com/Azure/azure-sdk-for-go/blob/sdk/resourcemanager/dns/armdns/v1.2.0/sdk/resourcemanager/dns/armdns/LICENSE.txt,MIT
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns,https://github.com/Azure/azure-sdk-for-go/blob/sdk/resourcemanager/privatedns/armprivatedns/v1.3.0/sdk/resourcemanager/privatedns/armprivatedns/LICENSE.txt,MIT
github.com/AzureAD/microsoft-authentication-library-for-go/apps,https://github.com/AzureAD/microsoft-authentication-library-for-go/blob/v1.6.0/LICENSE,MIT
github.com/F5Networks/k8s-bigip-ctlr/v2/config/apis/cis/v1,https://github.com/F5Networks/k8s-bigip-ctlr/blob/v2.20.2/LICENSE,Apache-2.0
github.com/Yamashou/gqlgenc,https://github.com/Yamashou/gqlgenc/blob/v0.33.0/LICENSE,MIT
github.com/akamai/AkamaiOPEN-edgegrid-golang,https://github.com/akamai/AkamaiOPEN-edgegrid-golang/blob/v1.2.2/LICENSE,Apache-2.0
github.com/alecthomas/kingpin/v2,https://github.com/alecthomas/kingpin/blob/v2.4.0/COPYING,MIT
github.com/alecthomas/units,https://github.com/alecthomas/units/blob/0f3dac36c52b/COPYING,MIT
github.com/aliyun/alibaba-cloud-sdk-go,https://github.com/aliyun/alibaba-cloud-sdk-go/blob/v1.63.107/LICENSE,Apache-2.0
github.com/aws/aws-sdk-go-v2,https://github.com/aws/aws-sdk-go-v2/blob/v1.41.5/LICENSE.txt,Apache-2.0
github.com/aws/aws-sdk-go-v2/config,https://github.com/aws/aws-sdk-go-v2/blob/config/v1.32.13/config/LICENSE.txt,Apache-2.0
github.com/aws/aws-sdk-go-v2/credentials,https://github.com/aws/aws-sdk-go-v2/blob/credentials/v1.19.13/credentials/LICENSE.txt,Apache-2.0
github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue,https://github.com/aws/aws-sdk-go-v2/blob/feature/dynamodb/attributevalue/v1.20.37/feature/dynamodb/attributevalue/LICENSE.txt,Apache-2.0
github.com/aws/aws-sdk-go-v2/feature/ec2/imds,https://github.com/aws/aws-sdk-go-v2/blob/feature/ec2/imds/v1.18.21/feature/ec2/imds/LICENSE.txt,Apache-2.0
github.com/aws/aws-sdk-go-v2/internal/configsources,https://github.com/aws/aws-sdk-go-v2/blob/internal/configsources/v1.4.21/internal/configsources/LICENSE.txt,Apache-2.0
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2,https://github.com/aws/aws-sdk-go-v2/blob/internal/endpoints/v2.7.21/internal/endpoints/v2/LICENSE.txt,Apache-2.0
github.com/aws/aws-sdk-go-v2/internal/ini,https://github.com/aws/aws-sdk-go-v2/blob/internal/ini/v1.8.6/internal/ini/LICENSE.txt,Apache-2.0
github.com/aws/aws-sdk-go-v2/internal/sync/singleflight,https://github.com/aws/aws-sdk-go-v2/blob/v1.41.5/internal/sync/singleflight/LICENSE,BSD-3-Clause
github.com/aws/aws-sdk-go-v2/service/dynamodb,https://github.com/aws/aws-sdk-go-v2/blob/service/dynamodb/v1.57.1/service/dynamodb/LICENSE.txt,Apache-2.0
github.com/aws/aws-sdk-go-v2/service/dynamodbstreams/types,https://github.com/aws/aws-sdk-go-v2/blob/service/dynamodbstreams/v1.32.14/service/dynamodbstreams/LICENSE.txt,Apache-2.0
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding,https://github.com/aws/aws-sdk-go-v2/blob/service/internal/accept-encoding/v1.13.7/service/internal/accept-encoding/LICENSE.txt,Apache-2.0
github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery,https://github.com/aws/aws-sdk-go-v2/blob/service/internal/endpoint-discovery/v1.11.21/service/internal/endpoint-discovery/LICENSE.txt,Apache-2.0
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url,https://github.com/aws/aws-sdk-go-v2/blob/service/internal/presigned-url/v1.13.21/service/internal/presigned-url/LICENSE.txt,Apache-2.0
github.com/aws/aws-sdk-go-v2/service/route53,https://github.com/aws/aws-sdk-go-v2/blob/service/route53/v1.62.5/service/route53/LICENSE.txt,Apache-2.0
github.com/aws/aws-sdk-go-v2/service/servicediscovery,https://github.com/aws/aws-sdk-go-v2/blob/service/servicediscovery/v1.39.26/service/servicediscovery/LICENSE.txt,Apache-2.0
github.com/aws/aws-sdk-go-v2/service/signin,https://github.com/aws/aws-sdk-go-v2/blob/service/signin/v1.0.9/service/signin/LICENSE.txt,Apache-2.0
github.com/aws/aws-sdk-go-v2/service/sso,https://github.com/aws/aws-sdk-go-v2/blob/service/sso/v1.30.14/service/sso/LICENSE.txt,Apache-2.0
github.com/aws/aws-sdk-go-v2/service/ssooidc,https://github.com/aws/aws-sdk-go-v2/blob/service/ssooidc/v1.35.18/service/ssooidc/LICENSE.txt,Apache-2.0
github.com/aws/aws-sdk-go-v2/service/sts,https://github.com/aws/aws-sdk-go-v2/blob/service/sts/v1.41.10/service/sts/LICENSE.txt,Apache-2.0
github.com/aws/smithy-go,https://github.com/aws/smithy-go/blob/v1.24.2/LICENSE,Apache-2.0
github.com/aws/smithy-go/internal/sync/singleflight,https://github.com/aws/smithy-go/blob/v1.24.2/internal/sync/singleflight/LICENSE,BSD-3-Clause
github.com/benbjohnson/clock,https://github.com/benbjohnson/clock/blob/v1.3.0/LICENSE,MIT
github.com/beorn7/perks/quantile,https://github.com/beorn7/perks/blob/v1.0.1/LICENSE,MIT
github.com/bodgit/tsig,https://github.com/bodgit/tsig/blob/v1.2.2/LICENSE,BSD-3-Clause
github.com/cenkalti/backoff/v5,https://github.com/cenkalti/backoff/blob/v5.0.3/LICENSE,MIT
github.com/cespare/xxhash/v2,https://github.com/cespare/xxhash/blob/v2.3.0/LICENSE.txt,MIT
github.com/civo/civogo,https://github.com/civo/civogo/blob/v0.7.0/LICENSE,MIT
github.com/cloudflare/cloudflare-go/v6,https://github.com/cloudflare/cloudflare-go/blob/v6.8.0/LICENSE,Apache-2.0
github.com/coreos/go-semver/semver,https://github.com/coreos/go-semver/blob/v0.3.1/LICENSE,Apache-2.0
github.com/coreos/go-systemd/v22/journal,https://github.com/coreos/go-systemd/blob/v22.5.0/LICENSE,Apache-2.0
github.com/datawire/ambassador/pkg/api/getambassador.io/v2,https://github.com/datawire/ambassador/blob/v1.12.4/LICENSE,Apache-2.0
github.com/davecgh/go-spew/spew,https://github.com/davecgh/go-spew/blob/d8f796af33cc/LICENSE,ISC
github.com/deepmap/oapi-codegen/pkg,https://github.com/deepmap/oapi-codegen/blob/v1.9.1/LICENSE,Apache-2.0
github.com/denverdino/aliyungo,https://github.com/denverdino/aliyungo/blob/ab98a9173ace/LICENSE.txt,Apache-2.0
github.com/dnsimple/dnsimple-go/dnsimple,https://github.com/dnsimple/dnsimple-go/blob/v1.7.0/LICENSE.txt,MIT
github.com/emicklei/go-restful/v3,https://github.com/emicklei/go-restful/blob/v3.13.0/LICENSE,MIT
github.com/evanphx/json-patch/v5,https://github.com/evanphx/json-patch/blob/v5.9.11/v5/LICENSE,BSD-3-Clause
github.com/exoscale/egoscale,https://github.com/exoscale/egoscale/blob/v0.102.3/LICENSE,Apache-2.0
github.com/felixge/httpsnoop,https://github.com/felixge/httpsnoop/blob/v1.0.4/LICENSE.txt,MIT
github.com/ffledgling/pdns-go,https://github.com/ffledgling/pdns-go/blob/524e7daccd99/LICENSE,Apache-2.0
github.com/fxamacker/cbor/v2,https://github.com/fxamacker/cbor/blob/v2.9.0/LICENSE,MIT
github.com/go-gandi/go-gandi,https://github.com/go-gandi/go-gandi/blob/v0.7.0/LICENSE,MIT
github.com/go-logr/logr,https://github.com/go-logr/logr/blob/v1.4.3/LICENSE,Apache-2.0
github.com/go-logr/stdr,https://github.com/go-logr/stdr/blob/v1.2.2/LICENSE,Apache-2.0
github.com/go-openapi/jsonpointer,https://github.com/go-openapi/jsonpointer/blob/v0.22.4/LICENSE,Apache-2.0
github.com/go-openapi/jsonreference,https://github.com/go-openapi/jsonreference/blob/v0.21.4/LICENSE,Apache-2.0
github.com/go-openapi/swag,https://github.com/go-openapi/swag/blob/v0.25.4/LICENSE,Apache-2.0
github.com/go-openapi/swag/cmdutils,https://github.com/go-openapi/swag/blob/cmdutils/v0.25.4/cmdutils/LICENSE,Apache-2.0
github.com/go-openapi/swag/conv,https://github.com/go-openapi/swag/blob/conv/v0.25.4/conv/LICENSE,Apache-2.0
github.com/go-openapi/swag/fileutils,https://github.com/go-openapi/swag/blob/fileutils/v0.25.4/fileutils/LICENSE,Apache-2.0
github.com/go-openapi/swag/jsonname,https://github.com/go-openapi/swag/blob/jsonname/v0.25.4/jsonname/LICENSE,Apache-2.0
github.com/go-openapi/swag/jsonutils,https://github.com/go-openapi/swag/blob/jsonutils/v0.25.4/jsonutils/LICENSE,Apache-2.0
github.com/go-openapi/swag/loading,https://github.com/go-openapi/swag/blob/loading/v0.25.4/loading/LICENSE,Apache-2.0
github.com/go-openapi/swag/mangling,https://github.com/go-openapi/swag/blob/mangling/v0.25.4/mangling/LICENSE,Apache-2.0
github.com/go-openapi/swag/netutils,https://github.com/go-openapi/swag/blob/netutils/v0.25.4/netutils/LICENSE,Apache-2.0
github.com/go-openapi/swag/stringutils,https://github.com/go-openapi/swag/blob/stringutils/v0.25.4/stringutils/LICENSE,Apache-2.0
github.com/go-openapi/swag/typeutils,https://github.com/go-openapi/swag/blob/typeutils/v0.25.4/typeutils/LICENSE,Apache-2.0
github.com/go-openapi/swag/yamlutils,https://github.com/go-openapi/swag/blob/yamlutils/v0.25.4/yamlutils/LICENSE,Apache-2.0
github.com/go-resty/resty/v2,https://github.com/go-resty/resty/blob/v2.17.2/LICENSE,MIT
github.com/goccy/go-yaml,https://github.com/goccy/go-yaml/blob/v1.19.2/LICENSE,MIT
github.com/gofrs/flock,https://github.com/gofrs/flock/blob/v0.10.0/LICENSE,BSD-3-Clause
github.com/gofrs/uuid,https://github.com/gofrs/uuid/blob/v4.4.0/LICENSE,MIT
github.com/gogo/protobuf,https://github.com/gogo/protobuf/blob/v1.3.2/LICENSE,BSD-3-Clause
github.com/golang-jwt/jwt/v5,https://github.com/golang-jwt/jwt/blob/v5.3.0/LICENSE,MIT
github.com/golang/protobuf,https://github.com/golang/protobuf/blob/v1.5.4/LICENSE,BSD-3-Clause
github.com/google/gnostic-models,https://github.com/google/gnostic-models/blob/v0.7.1/LICENSE,Apache-2.0
github.com/google/go-cmp/cmp,https://github.com/google/go-cmp/blob/v0.7.0/LICENSE,BSD-3-Clause
github.com/google/go-querystring/query,https://github.com/google/go-querystring/blob/v1.2.0/LICENSE,BSD-3-Clause
github.com/google/s2a-go,https://github.com/google/s2a-go/blob/v0.1.9/LICENSE.md,Apache-2.0
github.com/google/uuid,https://github.com/google/uuid/blob/v1.6.0/LICENSE,BSD-3-Clause
github.com/googleapis/enterprise-certificate-proxy/client,https://github.com/googleapis/enterprise-certificate-proxy/blob/v0.3.14/LICENSE,Apache-2.0
github.com/googleapis/gax-go/v2,https://github.com/googleapis/gax-go/blob/v2.19.0/v2/LICENSE,BSD-3-Clause
github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-openapiv2/options,https://github.com/grpc-ecosystem/grpc-gateway/blob/v2.27.1/LICENSE,BSD-3-Clause
github.com/hashicorp/errwrap,https://github.com/hashicorp/errwrap/blob/v1.1.0/LICENSE,MPL-2.0
github.com/hashicorp/go-cleanhttp,https://github.com/hashicorp/go-cleanhttp/blob/v0.5.2/LICENSE,MPL-2.0
github.com/hashicorp/go-multierror,https://github.com/hashicorp/go-multierror/blob/v1.1.1/LICENSE,MPL-2.0
github.com/hashicorp/go-retryablehttp,https://github.com/hashicorp/go-retryablehttp/blob/v0.7.7/LICENSE,MPL-2.0
github.com/hashicorp/go-uuid,https://github.com/hashicorp/go-uuid/blob/v1.0.3/LICENSE,MPL-2.0
github.com/jcmturner/aescts/v2,https://github.com/jcmturner/aescts/blob/v2.0.0/v2/LICENSE,Apache-2.0
github.com/jcmturner/dnsutils/v2,https://github.com/jcmturner/dnsutils/blob/v2.0.0/v2/LICENSE,Apache-2.0
github.com/jcmturner/gofork,https://github.com/jcmturner/gofork/blob/v1.7.6/LICENSE,BSD-3-Clause
github.com/jcmturner/goidentity/v6,https://github.com/jcmturner/goidentity/blob/v6.0.1/v6/LICENSE,Apache-2.0
github.com/jcmturner/gokrb5/v8,https://github.com/jcmturner/gokrb5/blob/v8.4.3/v8/LICENSE,Apache-2.0
github.com/jcmturner/rpc/v2,https://github.com/jcmturner/rpc/blob/v2.0.3/v2/LICENSE,Apache-2.0
github.com/jinzhu/copier,https://github.com/jinzhu/copier/blob/v0.4.0/License,MIT
github.com/jmespath/go-jmespath,Unknown,Unknown
github.com/json-iterator/go,https://github.com/json-iterator/go/blob/v1.1.12/LICENSE,MIT
github.com/kylelemons/godebug,https://github.com/kylelemons/godebug/blob/v1.1.0/LICENSE,Apache-2.0
github.com/linode/linodego,https://github.com/linode/linodego/blob/v1.66.0/LICENSE,MIT
github.com/mattn/go-runewidth,https://github.com/mattn/go-runewidth/blob/v0.0.16/LICENSE,MIT
github.com/miekg/dns,https://github.com/miekg/dns/blob/v1.1.72/LICENSE,BSD-3-Clause
github.com/mitchellh/colorstring,https://github.com/mitchellh/colorstring/blob/d06e56a500db/LICENSE,MIT
github.com/mitchellh/go-homedir,https://github.com/mitchellh/go-homedir/blob/v1.1.0/LICENSE,MIT
github.com/modern-go/concurrent,https://github.com/modern-go/concurrent/blob/bacd9c7ef1dd/LICENSE,Apache-2.0
github.com/modern-go/reflect2,https://github.com/modern-go/reflect2/blob/35a7c28c31ee/LICENSE,Apache-2.0
github.com/munnerz/goautoneg,https://github.com/munnerz/goautoneg/blob/a7dc8b61c822/LICENSE,BSD-3-Clause
github.com/openshift/api/route/v1,https://github.com/openshift/api/blob/264e80a2b6e7/LICENSE,Apache-2.0
github.com/openshift/client-go/route,https://github.com/openshift/client-go/blob/db0dee36e235/LICENSE,Apache-2.0
github.com/opentracing/opentracing-go,https://github.com/opentracing/opentracing-go/blob/10b1cf09e00b/LICENSE,Apache-2.0
github.com/oracle/oci-go-sdk/v65,https://github.com/oracle/oci-go-sdk/blob/v65.109.3/LICENSE.txt,Apache-2.0
github.com/oracle/oci-go-sdk/v65,https://github.com/oracle/oci-go-sdk/blob/v65.109.3/LICENSE.txt,UPL-1.0
github.com/ovh/go-ovh/ovh,https://github.com/ovh/go-ovh/blob/v1.9.0/LICENSE,BSD-3-Clause
github.com/patrickmn/go-cache,https://github.com/patrickmn/go-cache/blob/v2.1.0/LICENSE,MIT
github.com/peterhellberg/link,https://github.com/peterhellberg/link/blob/v1.1.0/LICENSE,MIT
github.com/pkg/browser,https://github.com/pkg/browser/blob/5ac0b6a4141c/LICENSE,BSD-2-Clause
github.com/pluralsh/gqlclient,https://github.com/pluralsh/gqlclient/blob/v1.12.2/LICENSE,Apache-2.0
github.com/pmezard/go-difflib/difflib,https://github.com/pmezard/go-difflib/blob/5d4384ee4fb2/LICENSE,BSD-3-Clause
github.com/projectcontour/contour/apis/projectcontour/v1,https://github.com/projectcontour/contour/blob/v1.33.3/LICENSE,Apache-2.0
github.com/prometheus/client_golang/internal/github.com/golang/gddo/httputil,https://github.com/prometheus/client_golang/blob/v1.23.2/internal/github.com/golang/gddo/LICENSE,BSD-3-Clause
github.com/prometheus/client_golang/prometheus,https://github.com/prometheus/client_golang/blob/v1.23.2/LICENSE,Apache-2.0
github.com/prometheus/client_model/go,https://github.com/prometheus/client_model/blob/v0.6.2/LICENSE,Apache-2.0
github.com/prometheus/common,https://github.com/prometheus/common/blob/v0.67.5/LICENSE,Apache-2.0
github.com/rivo/uniseg,https://github.com/rivo/uniseg/blob/v0.4.7/LICENSE.txt,MIT
github.com/scaleway/scaleway-sdk-go,https://github.com/scaleway/scaleway-sdk-go/blob/v1.0.0-beta.36/LICENSE,Apache-2.0
github.com/schollz/progressbar/v3,https://github.com/schollz/progressbar/blob/v3.8.6/LICENSE,MIT
github.com/shopspring/decimal,https://github.com/shopspring/decimal/blob/v1.3.1/LICENSE,MIT
github.com/sirupsen/logrus,https://github.com/sirupsen/logrus/blob/v1.9.4/LICENSE,MIT
github.com/sony/gobreaker,https://github.com/sony/gobreaker/blob/v0.5.0/LICENSE,MIT
github.com/sosodev/duration,https://github.com/sosodev/duration/blob/v1.3.1/LICENSE,MIT
github.com/spf13/pflag,https://github.com/spf13/pflag/blob/v1.0.10/LICENSE,BSD-3-Clause
github.com/stretchr/objx,https://github.com/stretchr/objx/blob/v0.5.3/LICENSE,MIT
github.com/stretchr/testify,https://github.com/stretchr/testify/blob/v1.11.1/LICENSE,MIT
github.com/tidwall/gjson,https://github.com/tidwall/gjson/blob/v1.18.0/LICENSE,MIT
github.com/tidwall/match,https://github.com/tidwall/match/blob/v1.1.1/LICENSE,MIT
github.com/tidwall/pretty,https://github.com/tidwall/pretty/blob/v1.2.1/LICENSE,MIT
github.com/tidwall/sjson,https://github.com/tidwall/sjson/blob/v1.2.5/LICENSE,MIT
github.com/transip/gotransip/v6,https://github.com/transip/gotransip/blob/v6.26.1/LICENSE,MIT
github.com/vektah/gqlparser/v2,https://github.com/vektah/gqlparser/blob/v2.5.26/LICENSE,MIT
github.com/x448/float16,https://github.com/x448/float16/blob/v0.8.4/LICENSE,MIT
github.com/xhit/go-str2duration/v2,https://github.com/xhit/go-str2duration/blob/v2.1.0/LICENSE,BSD-3-Clause
github.com/youmark/pkcs8,https://github.com/youmark/pkcs8/blob/a2c0da244d78/LICENSE,MIT
go.etcd.io/etcd/api/v3,https://github.com/etcd-io/etcd/blob/api/v3.6.9/api/LICENSE,Apache-2.0
go.etcd.io/etcd/client/pkg/v3,https://github.com/etcd-io/etcd/blob/client/pkg/v3.6.9/client/pkg/LICENSE,Apache-2.0
go.etcd.io/etcd/client/v3,https://github.com/etcd-io/etcd/blob/client/v3.6.9/client/v3/LICENSE,Apache-2.0
go.opentelemetry.io/auto/sdk,https://github.com/open-telemetry/opentelemetry-go-instrumentation/blob/sdk/v1.2.1/sdk/LICENSE,Apache-2.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp,https://github.com/open-telemetry/opentelemetry-go-contrib/blob/instrumentation/net/http/otelhttp/v0.61.0/instrumentation/net/http/otelhttp/LICENSE,Apache-2.0
go.opentelemetry.io/otel,https://github.com/open-telemetry/opentelemetry-go/blob/v1.42.0/LICENSE,Apache-2.0
go.opentelemetry.io/otel,https://github.com/open-telemetry/opentelemetry-go/blob/v1.42.0/LICENSE,BSD-3-Clause
go.opentelemetry.io/otel/metric,https://github.com/open-telemetry/opentelemetry-go/blob/metric/v1.42.0/metric/LICENSE,Apache-2.0
go.opentelemetry.io/otel/metric,https://github.com/open-telemetry/opentelemetry-go/blob/metric/v1.42.0/metric/LICENSE,BSD-3-Clause
go.opentelemetry.io/otel/trace,https://github.com/open-telemetry/opentelemetry-go/blob/trace/v1.42.0/trace/LICENSE,Apache-2.0
go.opentelemetry.io/otel/trace,https://github.com/open-telemetry/opentelemetry-go/blob/trace/v1.42.0/trace/LICENSE,BSD-3-Clause
go.uber.org/multierr,https://github.com/uber-go/multierr/blob/v1.11.0/LICENSE.txt,MIT
go.uber.org/ratelimit,https://github.com/uber-go/ratelimit/blob/v0.3.1/LICENSE,MIT
go.uber.org/zap,https://github.com/uber-go/zap/blob/v1.27.0/LICENSE,MIT
go.yaml.in/yaml/v2,https://github.com/yaml/go-yaml/blob/v2.4.3/LICENSE,Apache-2.0
go.yaml.in/yaml/v3,https://github.com/yaml/go-yaml/blob/v3.0.4/LICENSE,MIT
golang.org/x/crypto,https://cs.opensource.google/go/x/crypto/+/v0.49.0:LICENSE,BSD-3-Clause
golang.org/x/net,https://cs.opensource.google/go/x/net/+/v0.52.0:LICENSE,BSD-3-Clause
golang.org/x/oauth2,https://cs.opensource.google/go/x/oauth2/+/v0.36.0:LICENSE,BSD-3-Clause
golang.org/x/sync/errgroup,https://cs.opensource.google/go/x/sync/+/v0.20.0:LICENSE,BSD-3-Clause
golang.org/x/sys/unix,https://cs.opensource.google/go/x/sys/+/v0.42.0:LICENSE,BSD-3-Clause
golang.org/x/term,https://cs.opensource.google/go/x/term/+/v0.41.0:LICENSE,BSD-3-Clause
golang.org/x/text,https://cs.opensource.google/go/x/text/+/v0.35.0:LICENSE,BSD-3-Clause
golang.org/x/time/rate,https://cs.opensource.google/go/x/time/+/v0.15.0:LICENSE,BSD-3-Clause
google.golang.org/api,https://github.com/googleapis/google-api-go-client/blob/v0.273.0/LICENSE,BSD-3-Clause
google.golang.org/api/internal/third_party/uritemplates,https://github.com/googleapis/google-api-go-client/blob/v0.273.0/internal/third_party/uritemplates/LICENSE,BSD-3-Clause
google.golang.org/genproto/googleapis/api,https://github.com/googleapis/go-genproto/blob/0b37fe3546d5/googleapis/api/LICENSE,Apache-2.0
google.golang.org/genproto/googleapis/rpc,https://github.com/googleapis/go-genproto/blob/d00831a3d3e7/googleapis/rpc/LICENSE,Apache-2.0
google.golang.org/grpc,https://github.com/grpc/grpc-go/blob/v1.79.3/LICENSE,Apache-2.0
google.golang.org/protobuf,https://github.com/protocolbuffers/protobuf-go/blob/v1.36.11/LICENSE,BSD-3-Clause
gopkg.in/evanphx/json-patch.v4,https://github.com/evanphx/json-patch/blob/v4.13.0/LICENSE,BSD-3-Clause
gopkg.in/inf.v0,https://github.com/go-inf/inf/blob/v0.9.1/LICENSE,BSD-3-Clause
gopkg.in/ini.v1,https://github.com/go-ini/ini/blob/v1.67.1/LICENSE,Apache-2.0
gopkg.in/ns1/ns1-go.v2/rest,https://github.com/ns1/ns1-go/blob/v2.17.2/LICENSE.txt,Apache-2.0
gopkg.in/yaml.v2,https://github.com/go-yaml/yaml/blob/v2.4.0/LICENSE,Apache-2.0
gopkg.in/yaml.v3,https://github.com/go-yaml/yaml/blob/v3.0.1/LICENSE,MIT
istio.io/api,https://github.com/istio/api/blob/v1.29.1/LICENSE,Apache-2.0
istio.io/client-go/pkg,https://github.com/istio/client-go/blob/v1.29.1/LICENSE,Apache-2.0
k8s.io/api,https://github.com/kubernetes/api/blob/v0.35.3/LICENSE,Apache-2.0
k8s.io/apimachinery/pkg,https://github.com/kubernetes/apimachinery/blob/v0.35.3/LICENSE,Apache-2.0
k8s.io/apimachinery/third_party/forked/golang,https://github.com/kubernetes/apimachinery/blob/v0.35.3/third_party/forked/golang/LICENSE,BSD-3-Clause
k8s.io/client-go,https://github.com/kubernetes/client-go/blob/v0.35.3/LICENSE,Apache-2.0
k8s.io/klog/v2,https://github.com/kubernetes/klog/blob/v2.140.0/LICENSE,Apache-2.0
k8s.io/kube-openapi/pkg,https://github.com/kubernetes/kube-openapi/blob/4e65d59e963e/LICENSE,Apache-2.0
k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json,https://github.com/kubernetes/kube-openapi/blob/4e65d59e963e/pkg/internal/third_party/go-json-experiment/json/LICENSE,BSD-3-Clause
k8s.io/kube-openapi/pkg/validation/spec,https://github.com/kubernetes/kube-openapi/blob/4e65d59e963e/pkg/validation/spec/LICENSE,Apache-2.0
k8s.io/utils,https://github.com/kubernetes/utils/blob/914a6e750570/LICENSE,Apache-2.0
k8s.io/utils/internal/third_party/forked/golang/net,https://github.com/kubernetes/utils/blob/914a6e750570/internal/third_party/forked/golang/LICENSE,BSD-3-Clause
moul.io/http2curl,https://github.com/moul/http2curl/blob/v1.0.0/LICENSE,MIT
sigs.k8s.io/controller-runtime/pkg,https://github.com/kubernetes-sigs/controller-runtime/blob/v0.23.3/LICENSE,Apache-2.0
sigs.k8s.io/external-dns,https://github.com/kubernetes-sigs/external-dns/blob/HEAD/LICENSE.md,Apache-2.0
sigs.k8s.io/gateway-api,https://github.com/kubernetes-sigs/gateway-api/blob/v1.5.1/LICENSE,Apache-2.0
sigs.k8s.io/json,https://github.com/kubernetes-sigs/json/blob/2d320260d730/LICENSE,Apache-2.0
sigs.k8s.io/json,https://github.com/kubernetes-sigs/json/blob/2d320260d730/LICENSE,BSD-3-Clause
sigs.k8s.io/randfill,https://github.com/kubernetes-sigs/randfill/blob/v1.0.0/LICENSE,Apache-2.0
sigs.k8s.io/structured-merge-diff/v6,https://github.com/kubernetes-sigs/structured-merge-diff/blob/v6.3.2/LICENSE,Apache-2.0
sigs.k8s.io/yaml,https://github.com/kubernetes-sigs/yaml/blob/v1.6.0/LICENSE,MIT
sigs.k8s.io/yaml,https://github.com/kubernetes-sigs/yaml/blob/v1.6.0/LICENSE,Apache-2.0
sigs.k8s.io/yaml,https://github.com/kubernetes-sigs/yaml/blob/v1.6.0/LICENSE,BSD-3-Clause

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

k8s-ci-robot · 2026-04-01T10:31:06Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign mloiseleur for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

coveralls · 2026-04-01T10:37:04Z

Pull Request Test Coverage Report for Build 23889183866

Details

0 of 0 changed or added relevant lines in 0 files are covered.
No unchanged relevant lines lost coverage.
Overall coverage remained the same at 80.484%

Totals
Change from base Build 23839155929:	0.0%
Covered Lines:	16941
Relevant Lines:	21049

💛 - Coveralls

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

ivankatliarchuk · 2026-04-01T10:54:57Z

+  excludes:
+    - name: github.com/hashicorp/errwrap
+    - name: github.com/hashicorp/go-cleanhttp
+    - name: github.com/hashicorp/go-multierror
+    - name: github.com/hashicorp/go-retryablehttp
+    - name: github.com/hashicorp/go-uuid


without this

ERROR the following licenses are unknown or incompatible with the main license, please check manually: Apache-2.0 Dependency | License ------------------------------------- | ------- github.com/hashicorp/errwrap | MPL-2.0 github.com/hashicorp/go-cleanhttp | MPL-2.0 github.com/hashicorp/go-multierror | MPL-2.0 github.com/hashicorp/go-retryablehttp | MPL-2.0 github.com/hashicorp/go-uuid | MPL-2.0 ERROR one or more errors occurred checking license compatibility Error: Process completed with exit code 1.

AFAIR, MPL & Apache 2.0 licenses are not “incompatible”. See here for instance. MPL requires adding a third-party file referencing the author of the deps that is used.
But maybe I missed something. Would you please detail this incompatiblity?

I'm just making things visible. Here is the rule https://github.com/apache/skywalking-eyes/blob/main/assets/compatibility/Apache-2.0.yaml

This is an official apache project - it could have bugs, is not that I've decided ;-)

Explanation, there is weak compatibility. so I manually excluded them from check.

I think weak compatibility is treated as incompatible and require manual exclusions.

I think the tool capture correctly weak compability

On the same page https://licensecheck.io/licenses

🤔 Wdyt of using -w flags instead of this exclusion list?

Moved to -w. I kinda don't think this is the right approach. Better to make it visible but really no difference. As long is green is fine.

I kinda don't think this is the right approach.

Then please revert and keep the explicit list. I do not have a strong opinion on that.

I spend some time. You are correct. If we exclude, this will not catch licence change. So lets keep -w

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

Co-authored-by: Michel Loiseleur <97035654+mloiseleur@users.noreply.github.com>

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

…rkflow' into ci/license-check-workflow * refs/remotes/origin/ci/license-check-workflow: ci: add Go dependency license check workflow

mloiseleur · 2026-04-02T07:21:23Z

+
+dependency:
+  files:
+    - go.mod


Shouldn't there is also the go.tool.mod?
Or should the go.tool.mod be removed for the gh action trigger?

I will add go.tool.mod support to the upstream. At the moment it does not support

https://github.com/apache/skywalking-eyes/pull/268/changes

Co-authored-by: Michel Loiseleur <97035654+mloiseleur@users.noreply.github.com>

Raffo · 2026-04-08T10:17:13Z

@ivankatliarchuk there is official guidance from the kubernetes project on this topic, I will research and post it to you. Let's hold this PR.

ivankatliarchuk · 2026-04-08T10:18:15Z

Ok /hold

ivankatliarchuk · 2026-04-08T10:18:49Z

/hold

Raffo · 2026-04-08T10:44:49Z

Here's some very old context: kubernetes/kubernetes#108942

This is the periodic build for kubernetes/kubernetes: https://testgrid.k8s.io/sig-testing-misc#kubernetes-verify-go-licenses-periodical .

I think the script is https://github.com/kubernetes/kubernetes/blob/master/hack/verify-licenses.sh .

The approved licenses are in https://github.com/cncf/foundation/blob/main/policies-guidance/allowed-third-party-license-policy.md and notably contain exceptions.

I think the test infra still doesn't have something that scans all repos so we are a bit on our own.

ivankatliarchuk · 2026-04-08T11:12:33Z

So do you want to use the script provided?

It uses go install github.com/google/go-licenses@latest https://github.com/kubernetes/kubernetes/blob/6e753bd2b4793152b55ad9cefd3130169fb1a749/hack/verify-licenses.sh#L55 , the dependency was alright, but is no longer maintained and only google employees could maintain it.

This is why I though apache/skywalking-eyes is good enough aka from apache foundation.

I could try to open an issue on prow aka create a plugin

Raffo · 2026-04-08T13:07:26Z

Yeah I think we might as well roll our own, as long that we do follow all the approvals in https://github.com/cncf/foundation/blob/main/policies-guidance/allowed-third-party-license-policy.md . We also generally should not add anything new ever, if anything, remove dependencies as we delete more providers.

ci: add Go dependency license check workflow

92b37ec

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

k8s-ci-robot requested a review from szuecs April 1, 2026 10:31

k8s-ci-robot added the github_actions Pull requests that update GitHub Actions code label Apr 1, 2026

k8s-ci-robot requested a review from vflaux April 1, 2026 10:31

k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Apr 1, 2026

ci: add Go dependency license check workflow

ae199e3

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

ivankatliarchuk added 4 commits April 1, 2026 11:37

ci: add Go dependency license check workflow

e8c3127

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

ci: add Go dependency license check workflow

fe1c783

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

ci: add Go dependency license check workflow

b52a6e8

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

ci: add Go dependency license check workflow

84dff12

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Apr 1, 2026

ivankatliarchuk commented Apr 1, 2026

View reviewed changes

ivankatliarchuk added 3 commits April 1, 2026 11:57

ci: add Go dependency license check workflow

9d1db97

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

ci: add Go dependency license check workflow

1d2a00d

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

ci: add Go dependency license check workflow

b831a91

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Apr 1, 2026

ci: add Go dependency license check workflow

9cb4e75

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

ivankatliarchuk requested a review from mloiseleur April 1, 2026 20:20

mloiseleur reviewed Apr 2, 2026

View reviewed changes

Comment thread .github/workflows/license-check.yml Outdated

ivankatliarchuk and others added 3 commits April 2, 2026 08:14

ci: add Go dependency license check workflow

4d1a3c4

Co-authored-by: Michel Loiseleur <97035654+mloiseleur@users.noreply.github.com>

ci: add Go dependency license check workflow

b908ebc

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

Merge remote-tracking branch 'refs/remotes/origin/ci/license-check-wo…

6c20bb9

…rkflow' into ci/license-check-workflow * refs/remotes/origin/ci/license-check-workflow: ci: add Go dependency license check workflow

ivankatliarchuk requested a review from mloiseleur April 2, 2026 07:16

mloiseleur reviewed Apr 2, 2026

View reviewed changes

Comment thread .github/workflows/license-check.yml Outdated

mloiseleur reviewed Apr 2, 2026

View reviewed changes

ci: add Go dependency license check workflow

c7e9960

Co-authored-by: Michel Loiseleur <97035654+mloiseleur@users.noreply.github.com>

ivankatliarchuk requested a review from mloiseleur April 2, 2026 07:26

k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 8, 2026

ivankatliarchuk mentioned this pull request Apr 8, 2026

ci: add plugin for Go dependency license check kubernetes-sigs/prow#676

Open

Conversation

ivankatliarchuk commented Apr 1, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What does it do ?

Motivation

More

Uh oh!

k8s-ci-robot commented Apr 1, 2026

Uh oh!

coveralls commented Apr 1, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Pull Request Test Coverage Report for Build 23889183866

Details

💛 - Coveralls

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Raffo commented Apr 8, 2026

Uh oh!

ivankatliarchuk commented Apr 8, 2026

Uh oh!

ivankatliarchuk commented Apr 8, 2026

Uh oh!

Raffo commented Apr 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

ivankatliarchuk commented Apr 8, 2026

Uh oh!

Raffo commented Apr 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

ivankatliarchuk commented Apr 1, 2026 •

edited

Loading

coveralls commented Apr 1, 2026 •

edited

Loading

Raffo commented Apr 8, 2026 •

edited

Loading