
Fix license validation CI and improve developer docs #187

Merged
leoromanovsky merged 5 commits into main from openfeature-js-client
Feb 27, 2026

Conversation

leoromanovsky (Collaborator) commented Feb 27, 2026

Motivation

The Validate Licenses CI workflow has been failing on every commit since Feb 19 (commit #182). This blocks all PRs from getting a green license check.

Two root causes:

  1. A stale yarn.lock entry introduced by an automated bot that edited the lockfile by hand instead of running yarn install.
  2. The validation script called dd-license-attribution to regenerate and compare, but that tool produces different output on macOS vs Linux (different copyright strings and even license identifiers like tar: ISC → BlueOak-1.0.0). This made the regenerate-and-diff approach inherently unreliable across environments.

Changes

  • Fixed yarn.lock: Removed a stale combined resolution key (@datadog/flagging-core@npm:1.0.0) that no dependency references anymore. The automated bot changed the dependency from 1.0.0 to 0.3.3 but only edited one line, leaving the resolution key dangling.
  • Rewrote licenses-validate.sh: Now a lightweight check that verifies every npm package in yarn.lock has a corresponding entry in LICENSE-3rdparty.csv. No external tools needed — no Python, Go, dd-license-attribution, or GITHUB_TOKEN.
  • Simplified the CI workflow from 7 steps (checkout, setup Python, setup Node, setup Go, clone tool, install tool, validate) down to 2 steps (checkout, validate).
  • Replaced --frozen-lockfile with --immutable in all three CI workflows (ci.yaml, licenses.yaml, release.yaml). Yarn 4.x deprecated --frozen-lockfile and prints a warning on every run; --immutable is the correct equivalent.
  • Regenerated LICENSE-3rdparty.csv to bring it up to date with current dependencies.
  • Expanded the CONTRIBUTING.md licensing section: Added a prerequisites table, gh auth token shortcut, step-by-step instructions for generating and validating licenses locally, and links to internal docs.

Decisions

  • Lightweight validation over regenerate-and-diff: dd-license-attribution is non-deterministic across OS (macOS vs Linux CI). Checked how dd-sdk-ios and dd-sdk-android handle this — both use simpler approaches (source header checks and a Gradle plugin respectively). The new script checks that every lockfile package has a CSV entry, which catches the main failure case (deps added without updating licenses) without any external tooling.
  • Kept dd-license-attribution for generation: Auto-generation from the lockfile is the right trade-off for a JS monorepo where transitive dependency churn is high. Generation remains a local dev workflow; validation is what runs in CI.
  • Documented gh auth token: Most contributors already have GitHub CLI authenticated — this avoids needing to create and manage a separate fine-grained PAT.

The Validate Licenses workflow has been failing on every commit since
Feb 19 due to a stale yarn.lock entry introduced by an automated bot.
The validation script itself also had a logic flaw (line-count comparison
only) and all workflows used the deprecated --frozen-lockfile flag.

Run yarn licenses:generate to bring the file up to date with
current dependencies.

dd-license-attribution produces different output on macOS vs Linux
(different copyright strings and even license identifiers), making
regenerate-and-diff validation inherently unreliable across environments.

Replace with a lightweight check that verifies every npm package in
yarn.lock has a corresponding entry in LICENSE-3rdparty.csv. This needs
no external tools (Python, Go, dd-license-attribution, GITHUB_TOKEN)
and runs identically on all platforms.

The CI workflow is simplified from 7 steps to 2 (checkout + validate).
Full regeneration remains a local dev workflow for when deps change.
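The lightweight check described in the PR description and in the commit message above, written out as an added example in POSIX shell. This is not the project's licenses-validate.sh: it extracts every npm-resolved package from a Yarn Berry yarn.lock, extracts the component column from LICENSE-3rdparty.csv, and fails when a lockfile package has no CSV row. It goes one step beyond the check described on the page by also reporting CSV rows that no longer match any lockfile package, as a warning rather than a failure. Assumptions, none of them taken from the project: the Yarn Berry lockfile layout (one `resolution: "<name>@npm:<version>"` line per npm entry), a CSV whose first column is the package name under a `Component,Origin,License,Copyright` header, and the constructed sample files, package rows and function names.

```shell
#!/usr/bin/env sh
# Added example, not the project's licenses-validate.sh. Checks that every
# npm package resolved in a Yarn Berry (v2+) yarn.lock has a row in
# LICENSE-3rdparty.csv, using only sed/awk/sort/comm. Assumed (not taken from
# the project): the lockfile's `resolution: "<name>@npm:<version>"` lines and
# a CSV whose first column is the package name.
set -u

# Package names of every npm-resolved lockfile entry, sorted in the C locale.
# `@workspace:` entries are first-party and `@patch:` entries wrap an npm
# package that also appears under its own `@npm:` resolution, so both are skipped.
lockfile_npm_packages() {
  sed -n 's/^  resolution: "\(.*\)@npm:[^"]*"$/\1/p' "$1" | LC_ALL=C sort -u
}

# First column of every non-empty data row of the CSV (header row skipped).
csv_components() {
  awk -F, 'NR > 1 && NF > 0 { gsub(/"/, "", $1); print $1 }' "$1" | LC_ALL=C sort -u
}

# Set difference via comm: -23 gives names only in the lockfile, -13 names
# only in the CSV. Both inputs are C-sorted above, which comm requires.
compare_sets() {
  lock_pkgs=$(mktemp) csv_pkgs=$(mktemp)
  lockfile_npm_packages "$2" > "$lock_pkgs"
  csv_components "$3" > "$csv_pkgs"
  LC_ALL=C comm "$1" "$lock_pkgs" "$csv_pkgs"
  rm -f "$lock_pkgs" "$csv_pkgs"
}
missing_licenses() { compare_sets -23 "$1" "$2"; }   # dep added, no CSV row
stale_licenses()   { compare_sets -13 "$1" "$2"; }   # CSV row, dep gone

# Returns 1 when any lockfile package lacks attribution; stale rows only warn.
validate_licenses() {
  lock=$1 csv=$2
  missing=$(missing_licenses "$lock" "$csv")
  stale=$(stale_licenses "$lock" "$csv")
  if [ -n "$stale" ]; then
    printf 'WARNING: rows in %s with no matching package in %s:\n%s\n' "$csv" "$lock" "$stale" >&2
  fi
  if [ -n "$missing" ]; then
    printf 'ERROR: npm packages in %s with no row in %s:\n%s\n' "$lock" "$csv" "$missing" >&2
    printf 'Run yarn licenses:generate locally and commit the result.\n' >&2
    return 1
  fi
  printf 'OK: every npm package in %s is listed in %s\n' "$lock" "$csv"
}

# Constructed sample inputs (not the project's real files): three npm packages
# plus one workspace entry, and a CSV that lacks `tar` and has a stale `left-pad` row.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_LOCK=$SAMPLE_DIR/yarn.lock
SAMPLE_CSV=$SAMPLE_DIR/LICENSE-3rdparty.csv
cat > "$SAMPLE_LOCK" <<'EOF'
__metadata:
  version: 8
  cacheKey: 10c0

"@datadog/flagging-core@npm:0.3.3":
  version: 0.3.3
  resolution: "@datadog/flagging-core@npm:0.3.3"
  languageName: node
  linkType: hard

"example-app@workspace:.":
  version: 0.0.0-use.local
  resolution: "example-app@workspace:."
  dependencies:
    "@datadog/flagging-core": "npm:0.3.3"
    tar: "npm:^6.2.0"
  languageName: unknown
  linkType: soft

"tar@npm:^6.2.0":
  version: 6.2.1
  resolution: "tar@npm:6.2.1"
  languageName: node
  linkType: hard

"tslib@npm:^2.6.2":
  version: 2.8.1
  resolution: "tslib@npm:2.8.1"
  languageName: node
  linkType: hard
EOF
cat > "$SAMPLE_CSV" <<'EOF'
Component,Origin,License,Copyright
@datadog/flagging-core,npm,Apache-2.0,"Datadog, Inc."
left-pad,npm,WTFPL,unknown
tslib,npm,0BSD,Microsoft Corporation
EOF

# Demo run against the samples: fails because `tar` has no CSV row.
if validate_licenses "$SAMPLE_LOCK" "$SAMPLE_CSV"; then
  echo "attribution up to date"
else
  echo "attribution check failed (expected for the sample inputs)"
fi
```

Because the check only tests presence, it will not notice a license identifier that changed in an existing row; that remains a job for the local `yarn licenses:generate` run and a review of the resulting diff. The C-locale sorts on both sides are deliberate: `comm` requires identical collation, and a locale-dependent sort is exactly the kind of macOS/Linux divergence the PR is trying to remove from CI.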
leoromanovsky marked this pull request as ready for review February 27, 2026 11:56
leoromanovsky requested a review from a team as a code owner February 27, 2026 11:56

- name: Install dependencies
run: yarn install --frozen-lockfile
run: yarn install --immutable
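Review bot: switching the `run:` line to `yarn install --immutable` is the right fix for the stale-lockfile root cause, because the install now fails instead of silently rewriting yarn.lock, and one follow-up is worth considering. Yarn 4 already turns on `enableImmutableInstalls` when it detects a CI environment, so the explicit flag is harmless belt-and-braces; but if this repository commits its offline cache under `.yarn/cache`, pass `--immutable-cache` alongside `--immutable` so a cache that has drifted from the lockfile fails the job as well. Since the description says the same `- name: Install dependencies` step exists in ci.yaml, licenses.yaml and release.yaml, whichever flags are chosen should be identical in all three.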
Collaborator comment:
This should be the same thing as frozen-lockfile, but it's the newer terminology for it, so probably good to keep it.

leoromanovsky merged commit 0fa8ec8 into main Feb 27, 2026
4 checks passed
leoromanovsky deleted the openfeature-js-client branch February 27, 2026 12:39
leoromanovsky mentioned this pull request Mar 2, 2026