
Add agentic workflow for daily GPL dependency detection#902

Merged
lpcox merged 2 commits into main from copilot/review-gomod-dependencies on Feb 11, 2026

Conversation

Copilot AI commented Feb 11, 2026

Implements automated daily scanning of go.mod dependencies to detect GPL-licensed packages (GPL, AGPL, LGPL) that may conflict with project licensing requirements.

Workflow Capabilities

  • Multi-source license detection: Queries pkg.go.dev API, fetches LICENSE files via GitHub MCP, and pattern-matches SPDX identifiers
  • Transitive dependency tracking: Uses go mod why to trace GPL packages through the dependency graph
  • Stateful operation: Cache memory prevents duplicate issue creation and tracks resolutions across runs
  • Actionable remediation: Generated issues include dependency paths, license implications, alternative packages, and removal commands

Configuration

schedule: daily                     # Fuzzy scheduling, auto-scattered
permissions: read-all               # Write operations go through safe outputs
network:
  allowed: [defaults, proxy.golang.org, ...]   # Go ecosystem + GitHub API
safe-outputs:
  create-issue:
    max: 3                          # New GPL dependencies
  add-comment:
    max: 2                          # Resolution tracking
  noop:                             # Silent success

Detection Scope

Identifies all GPL-family licenses requiring review:

  • GPL-2.0/3.0 (all variants: only, or-later)
  • AGPL-3.0 (network use = distribution)
  • LGPL-2.0/2.1/3.0 (linking restrictions)

Issues include full dependency path, license type, removal strategies, and verification commands. Comments on existing issues when GPL packages are removed.

Files

  • .github/workflows/gpl-dependency-checker.md - Workflow definition (editable without recompilation)
  • .github/workflows/gpl-dependency-checker.lock.yml - Compiled GitHub Actions workflow


Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Implement daily review of go.mod dependencies" to "Add agentic workflow for daily GPL dependency detection" on Feb 11, 2026
Copilot AI requested a review from lpcox February 11, 2026 15:39
@lpcox lpcox marked this pull request as ready for review February 11, 2026 16:22
Copilot AI review requested due to automatic review settings February 11, 2026 16:22
@lpcox lpcox merged commit da1ad16 into main Feb 11, 2026
2 checks passed
@lpcox lpcox deleted the copilot/review-gomod-dependencies branch February 11, 2026 16:22

Copilot AI left a comment


Pull request overview

Adds a new gh-aw agentic workflow that performs daily GPL-family license detection across Go module dependencies and opens/updates GitHub issues to track remediation.

Changes:

  • Introduces a new agentic workflow definition for scanning go.mod/go.sum for GPL/AGPL/LGPL dependencies and producing actionable remediation guidance.
  • Adds the compiled/locked GitHub Actions workflow generated from the agentic workflow source.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

  • .github/workflows/gpl-dependency-checker.md - Defines the daily agent instructions, safe-outputs configuration, and network/tooling constraints for GPL dependency detection.
  • .github/workflows/gpl-dependency-checker.lock.yml - Compiled GitHub Actions workflow that runs the agent on schedule and processes safe outputs/cache memory.


Comment on lines +923 to +929
  GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
  GH_AW_WORKFLOW_NAME: "GPL Dependency Checker"
  GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
  GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
  GH_AW_NOOP_MESSAGE: ${{ steps.noop.outputs.noop_message }}
  GH_AW_NOOP_REPORT_AS_ISSUE: "true"
with:

Copilot AI Feb 11, 2026


The workflow is configured to report noop messages as issues (GH_AW_NOOP_REPORT_AS_ISSUE is set to "true"), which conflicts with the workflow’s goal of “silent success” and will likely create recurring noise on clean daily runs. Consider disabling noop-to-issue reporting (or avoiding noop on success) so clean scans don’t open/track issues.

Comment on lines +12 to +16

network:
  allowed:
    - defaults
    - proxy.golang.org

Copilot AI Feb 11, 2026


This workflow frontmatter omits an explicit engine declaration. Other agentic workflow .md files in this repo set engine: copilot; adding it here would avoid relying on defaults that could change and break compilation/behavior.

Comment on lines +188 to +191
1. **Search for similar packages:**
   - Use `go list` and web searches to find alternatives
   - Look for packages with permissive licenses (MIT, Apache-2.0, BSD)


Copilot AI Feb 11, 2026


The instructions suggest doing “web searches” to find alternative packages, but the workflow’s network allowlist is limited (proxy.golang.org/sum.golang.org/pkg.go.dev/api.github.com + defaults). Update this guidance to use sources available within the allowlist (e.g., pkg.go.dev search, GitHub repo search via MCP) so the agent doesn’t attempt blocked outbound requests.


1. **Create a detailed GitHub issue** using safe-outputs create-issue:

**Title format:** `GPL-licensed dependency detected: <package-name>`

Copilot AI Feb 11, 2026


The issue title format in the instructions doesn’t mention the configured safe-outputs title-prefix: "[license] ", so the actual title will differ from what this section claims. Consider updating the documented title format to include the prefix (or explicitly note that the prefix is auto-applied).

Suggested change
**Title format:** `GPL-licensed dependency detected: <package-name>`
**Title format:** `[license] GPL-licensed dependency detected: <package-name>`

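Added example (not code from this PR or from the gh-aw project): a Go sketch of the detection pipeline the description lists and the review comments refine. It classifies SPDX identifiers and LICENSE title lines into the GPL, AGPL and LGPL families the workflow flags, parses `go mod why -m` output into the dependency path that goes into the issue body, and builds the issue title with the `[license] ` prefix the last review comment says safe-outputs applies. The family is kept on each finding because the obligations differ (AGPL treats network use as distribution, LGPL restricts linking), and the classification is mechanical pattern matching, not legal review. Module paths, license snippets and the `go mod why` text are constructed for the example; the real workflow fetches them from pkg.go.dev, GitHub and the Go toolchain, which this code does not do.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// spdxGPL matches GPL-family SPDX identifiers (GPL-2.0-only, GPL-3.0-or-later, AGPL-3.0-only,
// LGPL-2.1-or-later, deprecated GPL-2.0+); the leading \b stops "LGPL-2.1" matching as plain GPL.
// spdxHeader finds an "SPDX-License-Identifier:" line; gnuTitle matches the GNU license texts' title.
var (
	spdxGPL    = regexp.MustCompile(`\b(A|L)?GPL-\d\.\d(?:-only|-or-later|\+)?`)
	spdxHeader = regexp.MustCompile(`SPDX-License-Identifier:\s*([^\r\n]+)`)
	gnuTitle   = regexp.MustCompile(`(?i)GNU (AFFERO |LESSER |LIBRARY )?GENERAL PUBLIC LICENSE\s+Version\s+(\d(?:\.\d)?)`)
)

// ClassifySPDX maps an SPDX identifier or expression to "GPL", "AGPL", "LGPL", or "" for permissive
// ones (MIT, Apache-2.0, BSD). A dual license such as "MIT OR GPL-2.0-only" is still flagged: it needs review.
func ClassifySPDX(expr string) string {
	if m := spdxGPL.FindStringSubmatch(expr); m != nil {
		return map[string]string{"A": "AGPL", "L": "LGPL", "": "GPL"}[m[1]]
	}
	return ""
}

// DetectLicense returns (SPDX identifier, family) for a LICENSE file's text. An SPDX header
// wins; a GNU title yields the bare form ("GPL-3.0"), since it cannot tell -only from -or-later.
func DetectLicense(text string) (string, string) {
	if m := spdxHeader.FindStringSubmatch(text); m != nil {
		id := strings.TrimSpace(m[1])
		return id, ClassifySPDX(id)
	}
	m := gnuTitle.FindStringSubmatch(text)
	if m == nil {
		return "", ""
	}
	fam := map[string]string{"": "GPL", "AFFERO": "AGPL", "LESSER": "LGPL", "LIBRARY": "LGPL"}[strings.ToUpper(strings.TrimSpace(m[1]))]
	if strings.Contains(m[2], ".") {
		return fam + "-" + m[2], fam
	}
	return fam + "-" + m[2] + ".0", fam // "Version 3" -> "GPL-3.0"
}

// ParseGoModWhy parses `go mod why -m <modules...>` output: each "# <module>" stanza lists the
// shortest package chain from the main module, or "(main module does not need module X)" (empty path).
func ParseGoModWhy(out string) map[string][]string {
	paths, cur := map[string][]string{}, ""
	for _, line := range strings.Split(out, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "# ") {
			cur = strings.TrimPrefix(line, "# ")
			paths[cur] = []string{}
		} else if cur != "" && line != "" && !strings.HasPrefix(line, "(") {
			paths[cur] = append(paths[cur], line)
		}
	}
	return paths
}

// Finding is one GPL-family module and the import chain that pulls it in (empty if unknown or unneeded).
type Finding struct {
	Module, License, Family string
	Path                    []string
}

// IssueTitle is the documented title format with the safe-outputs title-prefix "[license] " applied.
func IssueTitle(module string) string { return "[license] GPL-licensed dependency detected: " + module }

// Scan takes module -> LICENSE text and the `go mod why` output for those modules; findings are
// sorted by module so repeated daily runs produce stable issue bodies.
func Scan(licenses map[string]string, why string) []Finding {
	paths := ParseGoModWhy(why)
	var out []Finding
	for mod, text := range licenses {
		if id, fam := DetectLicense(text); fam != "" {
			out = append(out, Finding{mod, id, fam, paths[mod]})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Module < out[j].Module })
	return out
}

// Constructed sample input: invented module paths and license snippets, plus a hand-written
// `go mod why` result in the tool's real format (netcopyleft was not queried, so it has no stanza).
var sampleLicenses = map[string]string{
	"example.com/acme/permissive":  "MIT License\n\nPermission is hereby granted, free of charge, ...",
	"example.com/acme/copyleft":    "    GNU GENERAL PUBLIC LICENSE\n       Version 3, 29 June 2007\n",
	"example.com/acme/netcopyleft": "// SPDX-License-Identifier: AGPL-3.0-only\n",
	"example.com/acme/linklib":     "    GNU LESSER GENERAL PUBLIC LICENSE\n       Version 2.1, February 1999\n",
}

const sampleWhy = `# example.com/acme/copyleft
example.com/acme/app/internal/report
example.com/acme/copyleft/render

# example.com/acme/linklib
(main module does not need module example.com/acme/linklib)
`

func main() {
	for _, f := range Scan(sampleLicenses, sampleWhy) {
		fmt.Printf("%s\n  %s (%s)\n  %s\n", IssueTitle(f.Module), f.License, f.Family, strings.Join(f.Path, " -> "))
	}
}
```

`go run` prints one block per finding: the prefixed title, the identifier with its family, and the import chain. In the workflow these would feed create-issue; the module path plus version is the obvious key for the cache memory the description mentions, so a module already reported is commented on rather than opened again.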
