ci: add license compliance workflow and CI Testing Pipeline gate#10

Merged
carlos-alm merged 1 commit into main from ci/shield-license-compliance on Feb 22, 2026
Conversation

@carlos-alm (Contributor)

Summary

  • Add [SHIELD] Open Source Licenses workflow — scans dependencies against a permissive license allowlist on dependency changes, weekly schedule, and manual dispatch
  • Add CI Testing Pipeline aggregation job to ci.yml for a single required status check instead of every matrix combination
  • Update admin-guide.md with the new required status checks (CI Testing Pipeline, License Compliance Scan)

Test plan

  • Verify CI Testing Pipeline job passes when all matrix jobs pass
  • Verify license compliance scan runs and produces artifact reports
  • Confirm admin-guide.md reflects the correct required checks

Add SHIELD license compliance scan workflow that checks dependencies
against an allowlist of permissive licenses on dependency changes,
weekly schedule, and manual dispatch.

Add CI Testing Pipeline aggregation job to ci.yml so branch protection
can require a single check instead of every matrix combination.

Update admin-guide.md with the new required status checks.
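The ci.yml change itself is not reproduced on this page. The following is an added example of the aggregation pattern the PR describes, written here and not taken from the project's workflow; the job ids lint, test and rust-check are the ones the review summary names, while the triggers, the matrix, the Node versions and the npm/cargo commands are assumptions. The point a practitioner should check in any such gate: with `if: always()` the gate job runs even when an upstream job failed, was cancelled or was skipped, so its body has to examine `needs.*.result` itself, and the display name given in `name:` is the string branch protection matches, so renaming it silently removes the requirement.

```yaml
# Added example of a CI aggregation gate; not the PR's own ci.yml, which is
# not reproduced on this page. Job ids lint/test/rust-check come from the
# review summary; the matrix, triggers and npm/cargo commands are assumed.
name: CI

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci --ignore-scripts
      - run: npm run lint

  test:
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false          # report every cell so the gate sees all results
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
        node: [20, 22]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node }}
      - run: npm ci --ignore-scripts
      - run: npm test

  rust-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo check --all-targets --locked

  # The one status check branch protection requires. Its display name is
  # what the protection rule matches, so renaming it silently drops the
  # requirement. `if: always()` makes it run even when an upstream job
  # failed, was cancelled or was skipped; because of that the body must
  # inspect needs.*.result itself. A gate with `if: always()` and no check
  # would be green on every run.
  ci-pipeline:
    name: CI Testing Pipeline
    runs-on: ubuntu-latest
    needs: [lint, test, rust-check]
    if: always()
    steps:
      - name: Show upstream results
        env:
          NEEDS: ${{ toJSON(needs) }}   # needs.test.result is the aggregate of the whole matrix
        run: echo "$NEEDS"
      - name: Fail unless every required job succeeded
        # "skipped" counts as a failure: a job skipped by a path filter or an
        # `if:` must not let the gate pass.
        if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') || contains(needs.*.result, 'skipped') }}
        run: |
          echo "::error::a required job did not succeed"
          exit 1
```

With `fail-fast: false` on the matrix, every cell reports before the gate evaluates, so the gate's verdict reflects all platforms rather than the first failure. The gate succeeds only when the failing step is not executed, which is exactly the case where every entry in `needs.*.result` is `success`.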
@greptile-apps greptile-apps bot commented Feb 22, 2026

Greptile Summary

Adds license compliance scanning workflow and consolidates CI status checks into a single required gate job. The new [SHIELD] Open Source Licenses workflow scans npm dependencies against a permissive license allowlist (MIT, BSD, Apache, ISC, etc.) and fails if restrictive licenses (GPL, AGPL, LGPL, SSPL, BSL) are detected. The CI Testing Pipeline aggregation job simplifies branch protection by requiring one status check instead of every matrix combination.

Key changes:

  • New license compliance workflow triggers on dependency file changes, weekly schedule, and manual dispatch
  • Generates JSON/CSV reports and provides detailed GitHub step summaries with license distribution
  • CI pipeline gate job consolidates lint, test, and rust-check results with if: always() and needs dependency
  • Updated admin guide reflects new required status checks: CI Testing Pipeline and License Compliance Scan

Minor issue:

  • License workflow uses actions/checkout@v6 and actions/setup-node@v6 while most repository workflows use v4 (consider standardizing for consistency)

Confidence Score: 4/5

  • Safe to merge with one minor style inconsistency that can be addressed in follow-up
  • Well-implemented CI infrastructure improvements with proper error handling and comprehensive license scanning. The aggregation job correctly uses if: always() with needs dependencies. Only minor issue is action version inconsistency (v6 vs v4) which doesn't affect functionality but breaks consistency with existing workflows.
  • Consider standardizing action versions in .github/workflows/shield-license-compliance.yml to match repository conventions (v4 instead of v6)

Important Files Changed

Filename: Overview
.github/workflows/ci.yml: Added CI Testing Pipeline aggregation job to consolidate matrix results into single required status check
.github/workflows/shield-license-compliance.yml: New workflow for license compliance scanning with permissive license allowlist, runs on dependency changes and weekly schedule
docs/admin-guide.md: Updated required status checks to reference new CI Testing Pipeline and License Compliance Scan jobs

Last reviewed commit: eeeb68b

@greptile-apps greptile-apps bot left a comment

3 files reviewed, 1 comment

Comment on lines +26 to +29 (.github/workflows/shield-license-compliance.yml):
uses: actions/checkout@v6

- name: Setup Node.js
uses: actions/setup-node@v6

greptile-apps bot:

Inconsistent action versions with rest of repository workflows — most workflows use actions/checkout@v4 and actions/setup-node@v4, but this uses v6 for both

Suggested change (replace the two v6 references with v4):
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
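The license workflow itself is also not reproduced on this page. Below is an added example of one that does what the review summary describes (trigger on dependency-file changes, weekly schedule and manual dispatch; a permissive allowlist; JSON and CSV artifacts; a step summary with the license distribution), written here and not taken from the PR. The choice of license-checker as the scanner, the allowlist contents, the cron expression and the Node version are assumptions. Two points the example makes that the summary does not: the check is an allowlist, so GPL, AGPL, LGPL, SSPL and BSL fail because they are absent, not because they are enumerated, and a license nobody thought of fails the same way; and the dependency install runs with `--ignore-scripts`, since a scan that executes lifecycle scripts of the packages it is auditing hands those packages the CI token before any verdict is reached. On the version question raised in the review comment above, a major-version tag such as `@v4` resolves to whatever the action maintainers currently point that tag at; GitHub's own hardening guidance is to pin third-party actions to a full-length commit SHA and let a dependency bot move it. The tags are kept here only for readability. Also check how the scanner treats dual-licensed packages expressed as SPDX `OR` expressions before trusting a pass.

```yaml
# Added example, not the PR's shield-license-compliance.yml (not reproduced
# on this page). license-checker as the scanner, the allowlist contents,
# the cron schedule and the Node version are assumptions.
name: "[SHIELD] Open Source Licenses"

on:
  pull_request:
    paths: [package.json, package-lock.json]
  push:
    branches: [main]
    paths: [package.json, package-lock.json]
  schedule:
    - cron: "0 6 * * 1"        # weekly, Monday 06:00 UTC
  workflow_dispatch:

permissions:
  contents: read

jobs:
  license-scan:
    name: License Compliance Scan
    runs-on: ubuntu-latest
    env:
      # An allowlist, not a denylist: anything not listed fails the job,
      # so GPL/AGPL/LGPL/SSPL/BSL (and any license nobody thought of) are
      # caught without being enumerated. license-checker compares the
      # license string each package declares, so list every permissive
      # SPDX identifier actually in use.
      ALLOWED: "MIT;ISC;0BSD;BSD-2-Clause;BSD-3-Clause;Apache-2.0;CC0-1.0;Unlicense;BlueOak-1.0.0;Python-2.0"
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 20
      # --ignore-scripts: the scan must not execute lifecycle scripts of
      # the very packages it is auditing.
      - name: Install dependencies
        run: npm ci --ignore-scripts
      - name: Install scanner (pinned version)
        run: npm install --global --ignore-scripts license-checker@25.0.1
      - name: Write JSON and CSV reports
        run: |
          mkdir -p license-report
          license-checker --production --excludePrivatePackages --json --out license-report/licenses.json
          license-checker --production --excludePrivatePackages --csv  --out license-report/licenses.csv
      - name: Fail on any license outside the allowlist
        # Exits non-zero on the first package whose license is not in
        # $ALLOWED. Packages whose license cannot be determined are
        # reported as UNKNOWN and fail too; resolve those by hand rather
        # than by widening the list.
        run: license-checker --production --excludePrivatePackages --onlyAllow "$ALLOWED"
      - name: License distribution in the step summary
        if: always()
        run: |
          {
            echo "## License distribution"
            echo "<pre>"
            license-checker --production --excludePrivatePackages --summary
            echo "</pre>"
          } >> "$GITHUB_STEP_SUMMARY"
      - name: Upload reports
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: license-report
          path: license-report/
```

The reports and the summary are written before the allowlist step and uploaded with `if: always()`, so a failing scan still leaves the evidence of which package tripped it in the run's artifacts. The job's display name, License Compliance Scan, is the string the admin guide lists as the required check.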

carlos-alm merged commit aeec793 into main on Feb 22, 2026
15 checks passed
carlos-alm added a commit that referenced this pull request Mar 23, 2026
…-arbor (#559)

The duplicate vs-glimpse block (stale rank #10) was left behind when
vs-arbor was inserted. Removed it — the correct version exists at #11.
Also fixed role vocabulary in vs-arbor: bridge → adapter, added entry.
carlos-alm added a commit that referenced this pull request Mar 23, 2026
…#559)

* docs: update competitive analysis for v3.2.0 and March 2026 landscape

Re-rank codegraph from #8 (4.0) to #5 (4.5) reflecting v3.2.0 features:
41 CLI commands, 32 MCP tools, dataflow across all 11 languages, CFG,
sequence diagrams, architecture boundaries, unified graph model.

Add new competitors: GitNexus (#1, 18k stars), DeusData/codebase-memory-mcp
(#6, 793 stars in 25 days). Update star counts and feature status across
all 85+ ranked projects. Mark 7 roadmap items as DONE. Flag stagnant
projects. Update joern.md (3,021 stars, 75 contributors, 4 community MCP
wrappers) and narsil-mcp.md (129 stars, SPA frontend, +36 security rules,
development paused since Feb 25).

* docs: fix narsil SPA version attribution in competitive analysis overview

Line 18 incorrectly stated "v1.6.1" as the version when the SPA feature
was introduced. The SPA frontend was added in v1.6.0; v1.6.1 is the
current release. Updated to "added v1.6.0, current v1.6.1" to match the
detailed narsil-mcp.md entry.

* docs: remove hardcoded star count from joern comparison table

The "32 stars, growing" value in the Community & maturity row hardcodes
a stale star count. Other comparison tables use "Growing" consistently
for codegraph's community status. Updated to match.

* fix: correct GitNexus score, Tier 2 rank numbering, and jelly star count

- GitNexus overall score corrected from 4.7 to 4.5 to match the
  arithmetic mean of its six sub-scores (5+5+4+4+4+5)/6 = 4.5
- Tier 2 renumbered starting at #38 (was duplicating #37 with Tier 1);
  also resolves the pre-existing duplicate #43 (Bikach/ChrisRoyse now
  #44/#45), with all subsequent entries incremented accordingly
- jelly section header updated from 417 to 423 stars to match the
  ranking table

* fix: correct aider rank and codegraph star count per review feedback

* fix: align scoring breakdown sub-scores with overall rankings for stagnant projects

glimpse: Community 4→2 (stagnant since Jan 2026), avg now 3.83≈3.8 matching ranking.
autodev-codebase: Community 3→1 (stagnant since Jan 2026), avg now 3.33, ranking updated 3.4→3.3.

* fix: align ranking scores with sub-score averages for colbymchenry and axon

* fix: correct ranking inversion at positions #23/#24 (#559)

autodev-codebase (3.3) was ranked #23 above Claude-code-memory (3.4)
at #24. Swapped to maintain descending score order.

* fix: correct score mismatches for code-graph-rag (4.5→4.2) and arbor (3.7→4.2) (#559)

* fix: sync breakdown table row order with ranking table for #23/#24 (#559)

* fix: correct ranking inversions and stale rank references (#559)

* fix: correct sub-score/overall-score mismatches for codexray, loregrep, MATE

* fix: correct score mismatches and aider header rank

* fix: update narsil-mcp Key Metrics to reflect development stagnation (#559)

* fix: add missing "vs arbor" comparison section (#559)

* fix: remove duplicate vs-glimpse section and correct role names in vs-arbor (#559)

The duplicate vs-glimpse block (stale rank #10) was left behind when
vs-arbor was inserted. Removed it — the correct version exists at #11.
Also fixed role vocabulary in vs-arbor: bridge → adapter, added entry.