ci: merge binary license checks into build workflow#4597
Merged
Yicong-Huang merged 6 commits intoMay 1, 2026
Conversation
aglinxinyuan
reviewed
May 1, 2026
| - name: Check bundled npm packages against LICENSE-binary | ||
| if: matrix.os == 'ubuntu-latest' | ||
| run: ./bin/licensing/check_binary_deps.py npm frontend/dist/3rdpartylicenses.json | ||
| - name: Run frontend unit tests |
Contributor
There was a problem hiding this comment.
Why do we want to change the order of the frontend unit tests here?
| if [ -f amber/operator-requirements.txt ]; then pip install -r amber/operator-requirements.txt; fi | ||
| if [ "${{ matrix.python-version }}" = "3.12" ]; then pip install pip-licenses; fi | ||
| - name: Generate pip-licenses manifest | ||
| if: matrix.python-version == '3.12' |
Contributor
Author
There was a problem hiding this comment.
we pick one Python to check. could be any one. 3.13 is too slow (CI). so maybe we can keep 3.12?
Contributor
Author
There was a problem hiding this comment.
we could also check all pythons. WDYT?
Contributor
There was a problem hiding this comment.
I am fine with just using 3.12.
Yicong-Huang
added a commit
that referenced
this pull request
May 1, 2026
Backport of #4597 to `release/v1.1.0-incubating`. ### What changes were proposed in this PR? This PR merges the standalone binary dependency license checks into the existing `Build` workflow. Instead of running a separate `Check binary dependency licenses` workflow with four extra jobs, the license checks now run inside the existing build jobs: - npm license validation runs in the Linux `frontend` job after the production build. - JVM license validation runs in the `scala` job after backend tests. - Python license validation runs in the Python 3.12 matrix entry. - agent-service license validation runs in the Linux `agent-service` job. The dedicated `.github/workflows/check-binary-licenses.yml` workflow is removed so PR checks are less noisy while keeping the underlying validations. ### Any related issues, documentation, discussions? Cherry-pick of c4adf7f from #4597. Closes #4596 ### How was this PR tested? CI on the release branch. ### Was this PR authored or co-authored using generative AI tooling? Generated-by: Codex GPT-5
This was referenced May 2, 2026
Yicong-Huang
pushed a commit
to Yicong-Huang/texera
that referenced
this pull request
May 2, 2026
apache#4521 had the python dep install in the scala and python matrix jobs on `uv pip install --system` for speed. apache#4597 unintentionally rewrote those lines back to stock pip while inlining the binary license checks; the regression has been carried forward by every subsequent rebase. Restore uv for speed. The python job's 3.12 leg is the only one that drives the binary license check (`pip-licenses` -> `check_binary_deps.py python`). Keep stock pip on that leg so the resolved versions match `amber/LICENSE-binary-python`, which is generated with pip and tracks what the production image installs. uv and pip can resolve unpinned transitives differently; without this carve-out the check would false- positive on resolver drift, and we'd be forced to update LICENSE- binary-python to chase the CI side (production still uses pip). Other python legs (3.10, 3.11, 3.13) use uv. The scala job's binary license check is jar-only, so it uses uv too. Dev deps install runs post-snapshot so it can use uv on all legs. Closes apache#4635
Yicong-Huang
added a commit
that referenced
this pull request
May 3, 2026
…4636) ## What changes were proposed in this PR? #4521 had the python dep install in the scala and python matrix jobs on `uv pip install --system` for install-speed. #4597 unintentionally rewrote those lines back to stock `pip install` while inlining the binary license checks, and the regression has been carried forward by every subsequent rebase. Restore uv — but with a targeted carve-out for the leg that drives the binary license check. ### Why the carve-out The python job's `3.12` matrix entry is the only leg that runs `pip-licenses` and feeds the result into `bin/licensing/check_binary_deps.py python`. That tool compares the installed Python tree against `amber/LICENSE-binary-python`, which is generated **with pip** and tracks what the production image installs. uv and pip resolvers can land on different versions of unpinned transitives — if the 3.12 leg installs with uv, `check_binary_deps.py` would false-positive on resolver drift, forcing us to chase those drifts in `LICENSE-binary-python` (and diverge from production). So: stock `pip install` on the 3.12 leg only; uv everywhere else. ### Per-step shape - **scala job → Install dependencies**: `uv pip install --system`. Its license check is jar-only, so Python resolver differences don't matter here. - **python job → Install dependencies**: branches on `matrix.python-version`. `3.12` keeps `pip install`; `3.10`, `3.11`, `3.13` use `uv pip install --system`. - **python job → Install dev dependencies**: `uv pip install --system`. Runs post-snapshot, so uv is safe on all legs. No behaviour change for the license check itself. Other legs gain install speed. ## Any related issues, documentation, discussions? Closes #4635. Restores #4521. Regression introduced by #4597. ## How was this PR tested? Will be exercised by this PR's own scala and python matrices. The expected signal: - [x] scala job: install step uses uv, tests still run. - [x] python 3.10 / 3.11 / 3.13 legs: install step uses uv. - [x] python 3.12 leg: install step uses pip; pip-licenses manifest unchanged; `check_binary_deps.py python` passes. ## Was this PR authored or co-authored using generative AI tooling? Generated-by: Claude Opus 4.7 (Claude Code)
Yicong-Huang
added a commit
that referenced
this pull request
May 3, 2026
…4636) ## What changes were proposed in this PR? #4521 had the python dep install in the scala and python matrix jobs on `uv pip install --system` for install-speed. #4597 unintentionally rewrote those lines back to stock `pip install` while inlining the binary license checks, and the regression has been carried forward by every subsequent rebase. Restore uv — but with a targeted carve-out for the leg that drives the binary license check. ### Why the carve-out The python job's `3.12` matrix entry is the only leg that runs `pip-licenses` and feeds the result into `bin/licensing/check_binary_deps.py python`. That tool compares the installed Python tree against `amber/LICENSE-binary-python`, which is generated **with pip** and tracks what the production image installs. uv and pip resolvers can land on different versions of unpinned transitives — if the 3.12 leg installs with uv, `check_binary_deps.py` would false-positive on resolver drift, forcing us to chase those drifts in `LICENSE-binary-python` (and diverge from production). So: stock `pip install` on the 3.12 leg only; uv everywhere else. ### Per-step shape - **scala job → Install dependencies**: `uv pip install --system`. Its license check is jar-only, so Python resolver differences don't matter here. - **python job → Install dependencies**: branches on `matrix.python-version`. `3.12` keeps `pip install`; `3.10`, `3.11`, `3.13` use `uv pip install --system`. - **python job → Install dev dependencies**: `uv pip install --system`. Runs post-snapshot, so uv is safe on all legs. No behaviour change for the license check itself. Other legs gain install speed. ## Any related issues, documentation, discussions? Closes #4635. Restores #4521. Regression introduced by #4597. ## How was this PR tested? Will be exercised by this PR's own scala and python matrices. The expected signal: - [x] scala job: install step uses uv, tests still run. - [x] python 3.10 / 3.11 / 3.13 legs: install step uses uv. - [x] python 3.12 leg: install step uses pip; pip-licenses manifest unchanged; `check_binary_deps.py python` passes. ## Was this PR authored or co-authored using generative AI tooling? (backported from commit a3d43db) Generated-by: Claude Opus 4.7 (Claude Code)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What changes were proposed in this PR?
This PR merges the standalone binary dependency license checks into the existing
Buildworkflow.Instead of running a separate
Check binary dependency licensesworkflow with four extra jobs, the license checks now run inside the existing build jobs:frontendjob afterformat:ciand the production build, before frontend unit tests.scalajob after the required database setup and dist build, before the remaining Scala compile/test steps.agent-servicejob after a production-only install, before the full development install and the lint/typecheck/test steps.The dedicated
.github/workflows/check-binary-licenses.ymlworkflow is removed so PR checks are less noisy while keeping the underlying validations.Any related issues, documentation, discussions?
Closes #4596
How was this PR tested?
CI
Was this PR authored or co-authored using generative AI tooling?
Generated-by: Codex GPT-5