28 changes: 14 additions & 14 deletions licenses/list-licenses
@@ -16,23 +16,23 @@ fi

# list Go licenses
if [ -f go.mod ]; then
# List all direct Go module dependencies, transform their paths to root module paths
# (e.g., github.com/ory/x instead of github.com/ory/x/foo/bar), and generate a license report
# for each unique root module. This ensures that the license report is generated for the root
# module of a repository, where licenses are typically defined.
go_modules=$(
go list -f "{{if not .Indirect}}{{.Path}}{{end}}" -m ... |
sort -u |
awk -F/ '{ if ($1 == "github.com" && NF >= 3) { print $1"/"$2"/"$3 } else { print } }' |
sort -u
# For each direct Go module dependency, pick one importable package and let
# go-licenses report on it. Calling `go-licenses report <module>` directly
# does not work for two common cases:
# - Versioned modules carry a /vN suffix that must be present verbatim
# (github.com/golang-jwt/jwt/v5, github.com/dgraph-io/ristretto/v2).
# - Some module roots have no Go file of their own; only sub-packages
# are importable (cloud.google.com/go/secretmanager -> .../apiv1).
# Walking the actual import graph with `go list -deps` sidesteps both.
go_packages=$(
go list -deps -f '{{if .Module}}{{if not .Module.Main}}{{if not .Module.Indirect}}{{.Module.Path}}|{{.ImportPath}}{{end}}{{end}}{{end}}' ./... |
sort -u -t'|' -k1,1 |
⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Test whether sort -u -k1,1 produces deterministic output

# Create test data with multiple packages per module
test_data="moduleA|packageZ
moduleA|packageA
moduleB|packageY
moduleB|packageB"

echo "Testing current sort command:"
echo "$test_data" | sort -u -t'|' -k1,1 | cut -d'|' -f2

echo -e "\nTesting with secondary key:"
echo "$test_data" | sort -u -t'|' -k1,1 -k2,2 | cut -d'|' -f2

Repository: ory/ci

Length of output: 163


Fix deterministic per-module package selection in licenses/list-licenses

sort -u -t'|' -k1,1 keeps “one line per module key”, but the retained package isn’t guaranteed because there’s no deterministic secondary key. The proposed change to sort -u ... -k1,1 -k2,2 also breaks module-only deduplication by making uniqueness effectively (module, package), which can output multiple packages per module.

Use deterministic ordering + module-only dedupe instead:

🔧 Proposed fix
-		sort -u -t'|' -k1,1 |
+		sort -t'|' -k1,1 -k2,2 | awk -F'|' '!seen[$1]++' |

cut -d'|' -f2
)
if [ -z "$go_modules" ]; then
if [ -z "$go_packages" ]; then
echo "No Go modules found" >&2
else
# Workaround until https://github.com/google/go-licenses/issues/307 is fixed
# .bin/go-licenses report "$module_name" --template .bin/license-template-go.tpl 2>/dev/null
#
echo "$go_modules" | xargs -I {} sh -c '.bin/go-licenses report --template .bin/license-template-go.tpl {}' | grep -v '^$'
echo "$go_packages" | xargs -I {} sh -c '.bin/go-licenses report --template .bin/license-template-go.tpl {}' | grep -v '^$'
echo
fi
fi
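Review bot: switching from `go list -m ...` to `go list -deps ./...` in the go_packages block narrows the set of modules the report covers, because -deps walks only the non-test import graph: a direct dependency that is imported solely from _test.go files still appears as direct in go.mod (and was picked up by the old `{{if not .Indirect}}` filter) but no longer shows up here. If test-only dependencies are meant to be left out of the license report, say so in the comment block above go_packages; if not, add a second `go list -deps -test ./...` pass or otherwise account for them. Two smaller points on the same hunk: the `xargs -I {} sh -c '.bin/go-licenses report ... {}'` line still splices each import path into a shell command string, whereas `xargs -I {} .bin/go-licenses report --template .bin/license-template-go.tpl {}` passes the path as a plain argument and drops the extra shell parse; and the "No Go modules found" message now guards $go_packages, so "No Go packages found" would describe what is actually being checked.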