ci: add Go dependency license check workflow

.claude/settings.local.json

@@ -0,0 +1,56 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(gh pr:*)",
+      "Bash(gh api:*)",
+      "Bash(git:*)",
+      "Bash(gofmt:*)",
+      "Bash(sed:*)",
+      "Bash(go version:*)",
+      "Bash(go build:*)",
+      "Bash(go doc:*)",
+      "WebFetch(domain:github.com)",
+      "Bash(xxd:*)",
+      "Bash(python3:*)",
+      "Bash(xargs -I{} sh -c \"git show {}:plan/plan.go 2>/dev/null | grep -l \"\"RecordTypeA, endpoint.RecordTypeAAAA, endpoint.RecordTypeCNAME\"\" && echo {}\")",
+      "Bash(while read:*)",
+      "Bash(do if:*)",
+      "Bash(then echo:*)",
+      "Bash(go run:*)",
+      "Bash(xargs -I{} perl -pi -e 's/\\(?<![\\\\.A-Za-z_]\\)validateEndpoints\\\\\\(/testutils.ValidateEndpoints\\(/g; s/\\(?<![\\\\.A-Za-z_]\\)validateEndpoint\\\\\\(/testutils.ValidateEndpoint\\(/g' {} echo \"done\")",
+      "Bash(ls:*)",
+      "Bash(go mod:*)",
+      "Bash(kwokctl --version)",
+      "Bash(go get:*)",
+      "Bash(kwokctl get:*)",
+      "Bash(kubectl get:*)",
+      "Bash(echo \"exit: $?\")",
+      "Read(//Users/ik/.kwok/clusters/ext-dns-bench/**)",
+      "Read(//Users/ik/.kwok/clusters/ext-dns-bench/logs/**)",
+      "Bash(kwokctl delete:*)",
+      "Bash(kwokctl create:*)",
+      "Bash(kwokctl logs:*)",
+      "Bash(kubectl cluster-info:*)",
+      "Bash(bash -c 'cd /Users/ik/source/self/workshops/kubernetes-sigs-issues/iac/kwok && go build . 2>&1 | tail -5')",
+      "Bash(bash -c 'cd /Users/ik/source/self/workshops/kubernetes-sigs-issues/iac/kwok && go build . 2>&1')",
+      "Bash(go list:*)",
+      "Bash(go vet:*)",
+      "Bash(go tool:*)",
+      "WebFetch(domain:patch-diff.githubusercontent.com)",
+      "WebFetch(domain:raw.githubusercontent.com)",
+      "Bash(~/.gvm/gos/go1.25.8/bin/go test:*)",
+      "Bash(make go-lint:*)",
+      "Bash(make go-test:*)",
+      "Bash(source ~/.gvm/scripts/gvm)",
+      "Bash(gvm use:*)",
+      "Bash(~/.gvm/gos/go1.25.8/bin/go build:*)",
+      "Bash(for f:*)",
+      "Bash(do echo:*)",
+      "Read(//private/tmp/claude-501/-Users-ik-source-self-go-work-fork-external-dns/a80ddbca-fe31-4b60-8ab8-5515663a14bc/tasks/**)",
+      "Bash(done)",
+      "Bash(go-licenses report:*)",
+      "Bash(license-eye -v debug -c .licenserc.yaml dep check)",
+      "Bash(license-eye:*)"
+    ]
+  }
+}

.github/workflows/license-check.yml

@@ -0,0 +1,28 @@
+name: License Check
+
+on:
+  pull_request:
+    paths:
+      - 'go.mod'
+      - 'go.sum'
+      - 'go.tool.mod'
+      - 'go.tool.sum'
+
+permissions:
+  contents: read
+
+jobs:
+  license-check:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      # https://github.com/apache/skywalking-eyes
+      - name: Check dependency licenses
+        uses: apache/skywalking-eyes/dependency@61275cc80d0798a405cb070f7d3a8aaf7cf2c2c1 # v0.8.0
+        with:
+          config: .licenserc.yaml
+          mode: check
+          log: debug

.licenserc.yaml

@@ -0,0 +1,18 @@
+header:
+  license:
+    # The license scan needs to know the project's own license to run the compatibility matrix.
+    spdx-id: Apache-2.0
+
+dependency:
+  files:
+    - go.mod
+    - go.tool.mod
+  # MPL-2.0 HashiCorp indirect dependencies — weak-compatible with Apache-2.0
+  # go-cleanhttp, go-retryablehttp: provider/exoscale -> egoscale/v2 -> hashicorp
+  # errwrap, go-multierror, go-uuid: provider/rfc2136 -> bodgit/tsig/gss -> hashicorp
+  excludes:
+    - name: github.com/hashicorp/errwrap
+    - name: github.com/hashicorp/go-cleanhttp
+    - name: github.com/hashicorp/go-multierror
+    - name: github.com/hashicorp/go-retryablehttp
+    - name: github.com/hashicorp/go-uuid

go.mod

@@ -1,5 +1,5 @@
 module sigs.k8s.io/external-dns
-
+// test
 go 1.26.1
 
 require (