fix: resolve licenses for versioned modules and module-only roots

[adamwalach]

Summary

Replace the module-path string munging in list-licenses with a go list -deps walk that picks one importable package per direct module and feeds those to go-licenses report.

Calling go-licenses report <module> directly does not work for two common patterns:

• Versioned modules carry a /vN suffix that must be present verbatim. The previous awk truncated paths like github.com/dgraph-io/ristretto/v2 to github.com/dgraph-io/ristretto, which is not a valid module path for v2+ modules.
• Module roots with no Go file of their own, where only sub-packages are importable. cloud.google.com/go/secretmanager is an example: only apiv1/... exists as a package, so go list on the root returns no required module provides package and go-licenses exits fatally.

Walking the actual import graph sidesteps both problems and removes the workaround referenced in the old comment (google/go-licenses#307).

Behavior change

The old script reported one row per direct module using the module's root LICENSE. The new script reports one row per imported package, which inherits the same LICENSE in nearly all cases but more accurately reflects what is actually linked into the binary.

Test plan

• Ran the patched script against several Go modules locally; license-engine reports Licenses are okay. for each.
• Confirmed the patched script resolves the regression for modules with /vN suffixes and for modules whose root is not an importable package.

Summary by CodeRabbit

• Chores
  • Updated license enumeration logic to comprehensively include all transitive dependencies in license reports.

[coderabbitai]

Warning

Review limit reached

@adamwalach, we couldn't start this review because you've used your available PR reviews for now.

Your plan includes 1 review of capacity. Refill in 29 minutes and 44 seconds.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more review capacity refills, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than trial, open-source, and free plans. In all cases, review capacity refills continuously over time.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: fd336431-fdb5-43a1-a9db-9832f1617cf1

📥 Commits

Reviewing files that changed from the base of the PR and between ba39e41 and ba00095.

📒 Files selected for processing (1)

• licenses/install

📝 Walkthrough

Walkthrough

The shell script's Go license enumeration logic is rewritten to discover dependencies via the full import graph using go list -deps instead of direct modules via go list -m, filtering out main and indirect modules before reporting licenses with the same template.

Changes

Go License Discovery

Layer / File(s)	Summary
Go dependency discovery via full import graph licenses/list-licenses	Dependency discovery logic replaces go list -m direct module enumeration with go list -deps full import graph traversal, extracting module path and import path pairs while filtering main and indirect modules, then feeding results to go-licenses report with existing template and output filtering.

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: fixing license resolution for versioned modules and module-only roots by switching from module-path string munging to go list -deps traversal.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch adam/fix-list-licenses-versioned-modules

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

licenses/list-licenses (1)

35-35: 💤 Low value

Consider removing unnecessary sh -c wrapper.

The sh -c wrapper appears unnecessary since the command doesn't use any shell features. Direct execution via xargs would be simpler and slightly more efficient.

♻️ Simplified command without sh -c

-		echo "$go_packages" | xargs -I {} sh -c '.bin/go-licenses report --template .bin/license-template-go.tpl {}' | grep -v '^$'
+		echo "$go_packages" | xargs -I {} .bin/go-licenses report --template .bin/license-template-go.tpl {} | grep -v '^$'

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@licenses/list-licenses` at line 35, The xargs invocation in the
licenses/list-licenses script uses an unnecessary sh -c wrapper; replace the
xargs -I {} sh -c '.bin/go-licenses report --template
.bin/license-template-go.tpl {}' invocation with a direct xargs execution of
.bin/go-licenses (i.e., call .bin/go-licenses report --template
.bin/license-template-go.tpl {} directly via xargs) to remove the shell wrapper
and simplify the pipeline while keeping the final grep -v '^$' filter intact.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@licenses/list-licenses`:
- Line 29: Replace the non-deterministic "sort -u -t'|' -k1,1" step in
licenses/list-licenses with a two-step approach: first sort deterministically by
module then package (use sort -t'|' -k1,1 -k2,2) so package selection is stable,
then perform module-only deduplication by keeping the first occurrence per
module (e.g. use an awk filter with FS='|' and '!seen[$1]++' to emit only the
first package per module). In short, remove the -u flag from the sort command
and add a secondary sort key -k2,2, then pipe the result into an awk-based
module-only uniquing step to guarantee one deterministic package per module.

---

Nitpick comments:
In `@licenses/list-licenses`:
- Line 35: The xargs invocation in the licenses/list-licenses script uses an
unnecessary sh -c wrapper; replace the xargs -I {} sh -c '.bin/go-licenses
report --template .bin/license-template-go.tpl {}' invocation with a direct
xargs execution of .bin/go-licenses (i.e., call .bin/go-licenses report
--template .bin/license-template-go.tpl {} directly via xargs) to remove the
shell wrapper and simplify the pipeline while keeping the final grep -v '^$'
filter intact.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 162bf99d-fddc-4973-ba6f-719e330a3406

📥 Commits

Reviewing files that changed from the base of the PR and between 7b6da9a and ba39e41.

📒 Files selected for processing (1)

• licenses/list-licenses

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Test whether sort -u -k1,1 produces deterministic output

# Create test data with multiple packages per module
test_data="moduleA|packageZ
moduleA|packageA
moduleB|packageY
moduleB|packageB"

echo "Testing current sort command:"
echo "$test_data" | sort -u -t'|' -k1,1 | cut -d'|' -f2

echo -e "\nTesting with secondary key:"
echo "$test_data" | sort -u -t'|' -k1,1 -k2,2 | cut -d'|' -f2

Repository: ory/ci

Length of output: 163

---

Fix deterministic per-module package selection in licenses/list-licenses

sort -u -t'|' -k1,1 keeps “one line per module key”, but the retained package isn’t guaranteed because there’s no deterministic secondary key. The proposed change to sort -u ... -k1,1 -k2,2 also breaks module-only deduplication by making uniqueness effectively (module, package), which can output multiple packages per module.

Use deterministic ordering + module-only dedupe instead:

🔧 Proposed fix

-		sort -u -t'|' -k1,1 |
+		sort -t'|' -k1,1 -k2,2 | awk -F'|' '!seen[$1]++' |

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	sort -u -t'|' -k1,1 |
	sort -t'|' -k1,1 -k2,2 | awk -F'|' '!seen[$1]++' |

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@licenses/list-licenses` at line 29, Replace the non-deterministic "sort -u
-t'|' -k1,1" step in licenses/list-licenses with a two-step approach: first sort
deterministically by module then package (use sort -t'|' -k1,1 -k2,2) so package
selection is stable, then perform module-only deduplication by keeping the first
occurrence per module (e.g. use an awk filter with FS='|' and '!seen[$1]++' to
emit only the first package per module). In short, remove the -u flag from the
sort command and add a secondary sort key -k2,2, then pipe the result into an
awk-based module-only uniquing step to guarantee one deterministic package per
module.