feat: auto-fix license files on PRs and improve CI reliability

- license-check.yml: Auto-regenerate licenses, push fix to PR, and comment
- script/licenses: Pin go-licenses version in CI for reproducibility
- script/licenses-check: Pin go-licenses version in CI
- code-scanning.yml: Exclude third-party folder from CodeQL

Inspired by cli/cli improvements:
- cli/cli#11161 (pinned version)
- cli/cli#11127 (GHAS exclusion)
- cli/cli#11370 (auto-regenerate)

Author: SamMorrowDrums

.github/workflows/code-scanning.yml

@@ -46,6 +46,9 @@ jobs:
           queries: "" # Default query suite
           packs: github/ccr-${{ matrix.language }}-queries
           config: |
+            paths-ignore:
+              - third-party
+              - third-party-licenses.*.md
             default-setup:
               org:
                 model-packs: [ ${{ github.event.inputs.code_scanning_codeql_packs }} ]

.github/workflows/license-check.yml

@@ -1,21 +1,87 @@
-# Create a github action that runs the license check script and fails if it exits with a non-zero status
+# Automatically fix license files on PRs that need updates
+# Instead of just failing, this workflow pushes the fix and comments on the PR
 
 name: License Check
-on: [push, pull_request]
+on:
+  pull_request:
+    paths:
+      - "**.go"
+      - go.mod
+      - go.sum
+      - ".github/licenses.tmpl"
+      - "script/licenses*"
+      - "third-party-licenses.*.md"
+      - "third-party/**"
 permissions:
-  contents: read
+  contents: write
+  pull-requests: write
 
 jobs:
   license-check:
     runs-on: ubuntu-latest
+    # Don't run on forks (they can't push back) or dependabot (has its own token)
+    if: github.event.pull_request.head.repo.full_name == github.repository
 
     steps:
       - name: Check out code
         uses: actions/checkout@v6
+        with:
+          ref: ${{ github.head_ref }}
+          # Need full history for push
+          fetch-depth: 0
 
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
           go-version-file: "go.mod"
-      - name: check licenses
-        run: ./script/licenses-check
+
+      # actions/setup-go does not setup the installed toolchain to be preferred over the system install,
+      # which causes go-licenses to raise "Package ... does not have module info" errors.
+      # For more information, https://github.com/google/go-licenses/issues/244#issuecomment-1885098633
+      - name: Regenerate licenses
+        run: |
+          export GOROOT=$(go env GOROOT)
+          export PATH=${GOROOT}/bin:$PATH
+          ./script/licenses
+
+      - name: Check for changes
+        id: changes
+        run: |
+          if git diff --exit-code; then
+            echo "changed=false" >> $GITHUB_OUTPUT
+            echo "✅ License files are up to date"
+          else
+            echo "changed=true" >> $GITHUB_OUTPUT
+            echo "📝 License files need updating"
+            git diff --stat
+          fi
+
+      - name: Commit and push fixes
+        if: steps.changes.outputs.changed == 'true'
+        run: |
+          git config --local user.name "github-actions[bot]"
+          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add third-party third-party-licenses.*.md
+          git commit -m "chore: regenerate third-party licenses"
+          git push
+
+      - name: Comment on PR
+        if: steps.changes.outputs.changed == 'true'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              body: `## 📜 License files updated
+
+            I noticed the third-party license files were out of date and pushed a fix to this PR.
+
+            **What changed:** Dependencies were added, removed, or updated, which requires regenerating the license documentation.
+
+            **What I did:** Ran \`./script/licenses\` and committed the result.
+
+            Please pull the latest changes before pushing again.`
+            })
+

script/licenses

@@ -19,7 +19,13 @@
 
 set -e
 
-go install github.com/google/go-licenses@latest
+# Pinned version for CI reproducibility, latest for local development
+# See: https://github.com/cli/cli/pull/11161
+if [ "$CI" = "true" ]; then
+    go install github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e # v2.0.1
+else
+    go install github.com/google/go-licenses@latest
+fi
 
 rm -rf third-party
 mkdir -p third-party

script/licenses-check

@@ -1,6 +1,12 @@
 #!/bin/bash
 
-go install github.com/google/go-licenses@latest
+# Pinned version for CI reproducibility, latest for local development
+# See: https://github.com/cli/cli/pull/11161
+if [ "$CI" = "true" ]; then
+    go install github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e # v2.0.1
+else
+    go install github.com/google/go-licenses@latest
+fi
 
 for goos in linux darwin windows ; do
     # Note: we ignore warnings because we want the command to succeed, however the output should be checked
@@ -10,12 +16,14 @@ for goos in linux darwin windows ; do
     #       depending on the license.
     GOOS="${goos}" GOFLAGS=-mod=mod go-licenses report ./... --template .github/licenses.tmpl > third-party-licenses.${goos}.copy.md || echo "Ignore warnings"
     if ! diff -s third-party-licenses.${goos}.copy.md third-party-licenses.${goos}.md; then
-        printf "License check failed.\n\nPlease update the license file by running \`.script/licenses\` and committing the output."
+        printf "License check failed for %s.\n\nPlease update the license file by running \`./script/licenses\` and committing the output.\n" "${goos}"
         rm -f third-party-licenses.${goos}.copy.md
         exit 1
     fi
     rm -f third-party-licenses.${goos}.copy.md
 done
 
+echo "License check passed for all platforms."
+