ci(sbom): check out submodules recursively in PR license check

The PR-time SBOM license check was using `submodules: false`, so when
generate_sbom.py ran the new submodule directory was empty. The script
treats uninitialized submodules as `(not checked out) -> NOASSERTION
(skipped)` rather than a failure, which let PR #27184 (adding
PX4-OpticalFlow as a submodule) pass without ever inspecting the actual
repo for a LICENSE file. The monthly audit then caught it (#27217)
because it uses `submodules: recursive`.

Switch the PR-time job to `submodules: recursive` so license issues
are caught at PR time rather than on the next monthly audit. The job
only runs when .gitmodules, license-overrides.yaml, or
generate_sbom.py change, so the extra clone cost is bounded.

Signed-off-by: Ramon Roche <mrpollo@gmail.com>
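The failure mode described in the commit message, an uninitialized submodule directory that a license scan reports as `(not checked out) -> NOASSERTION (skipped)` instead of failing, as an added example. This is not PX4's generate_sbom.py; it is a stand-alone sketch with hypothetical function names (`parse_gitmodules`, `submodule_state`, `audit_submodules`) and a constructed fixture built in a temporary directory, showing the lenient behaviour beside a strict mode that fails on empty submodule paths:

```python
"""Added example, not PX4's generate_sbom.py.  Names below are hypothetical.

Classifies each path listed in a .gitmodules file as licensed, unlicensed,
missing or 'not checked out' (an empty directory, which is what a checkout
with `submodules: false` leaves behind), and shows why a scan that merely
skips uninitialized submodules lets an unlicensed one through.
"""
import os
import tempfile

# Filenames accepted as a license file; a deliberately small, constructed list.
LICENSE_NAMES = ("LICENSE", "LICENSE.md", "LICENSE.txt", "COPYING")


def parse_gitmodules(text):
    """Return the `path = ...` values declared in .gitmodules, in file order."""
    paths = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "path":
            paths.append(value.strip())
    return paths


def submodule_state(repo_root, rel_path):
    """Classify one submodule directory.

    'missing'         -> directory absent
    'not checked out' -> directory exists but is empty (uninitialized submodule)
    'licensed'        -> checked out and a LICENSE-like file is present
    'unlicensed'      -> checked out but no LICENSE-like file found
    """
    directory = os.path.join(repo_root, rel_path)
    if not os.path.isdir(directory):
        return "missing"
    entries = os.listdir(directory)
    if not entries:
        return "not checked out"
    if any(name in LICENSE_NAMES for name in entries):
        return "licensed"
    return "unlicensed"


def audit_submodules(repo_root, gitmodules_text, fail_on_uninitialized=True):
    """Return (ok, report) where report maps submodule path -> state.

    fail_on_uninitialized=False reproduces the lenient behaviour the commit
    message describes: an empty submodule directory is reported but skipped,
    so the audit passes without the repo ever being inspected.  True makes
    'missing' and 'not checked out' hard failures, which is what a PR-time
    job wants so a checkout misconfiguration cannot hide a license problem.
    """
    report = {p: submodule_state(repo_root, p)
              for p in parse_gitmodules(gitmodules_text)}
    failing = {"unlicensed"}
    if fail_on_uninitialized:
        failing |= {"missing", "not checked out"}
    ok = not any(state in failing for state in report.values())
    return ok, report


def demo():
    """Constructed fixture: submodule `a` is checked out with a LICENSE file,
    submodule `b` was declared but never initialized (empty directory)."""
    gitmodules = (
        '[submodule "src/lib/a"]\n'
        '\tpath = src/lib/a\n'
        '\turl = https://example.invalid/a.git\n'
        '[submodule "src/lib/b"]\n'
        '\tpath = src/lib/b\n'
        '\turl = https://example.invalid/b.git\n'
    )
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "src", "lib", "a"))
        with open(os.path.join(root, "src", "lib", "a", "LICENSE"), "w") as fh:
            fh.write("BSD-3-Clause\n")
        os.makedirs(os.path.join(root, "src", "lib", "b"))  # left empty on purpose
        lenient = audit_submodules(root, gitmodules, fail_on_uninitialized=False)
        strict = audit_submodules(root, gitmodules, fail_on_uninitialized=True)
    return lenient, strict


if __name__ == "__main__":
    for label, (ok, report) in zip(("lenient", "strict"), demo()):
        print(f"{label}: ok={ok} {report}")
```

In the lenient mode the audit passes even though `src/lib/b` was never inspected, which is exactly how the submodule in the commit message slipped through at PR time; the strict mode turns the same checkout into a failure, so a checkout misconfiguration is caught by the script itself rather than only by a later job that happens to initialize submodules.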
Ramon Roche
2026-04-27 11:34:32 -06:00
parent bc080e3044
commit 7e6ccb3eb6
+1 -1
@@ -33,7 +33,7 @@ jobs:
- uses: actions/checkout@v6
with:
fetch-depth: 1
submodules: false
submodules: recursive
- name: Install PyYAML
run: pip install pyyaml --break-system-packages
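Review bot: the `submodules: recursive` change fixes the checkout, but the root cause named in the commit message is untouched: generate_sbom.py still maps an uninitialized submodule to `(not checked out) -> NOASSERTION (skipped)` rather than an error, so any future change that leaves a submodule directory empty would again pass the PR-time job silently. Consider making the script fail when a path listed in .gitmodules is empty when run in CI (for example via a hypothetical `--fail-on-uninitialized` flag set in this step), so the job does not depend solely on the checkout configuration. Two smaller points in the same hunk: `actions/checkout@v6` is pinned by tag rather than by full commit SHA, and pinning to a SHA would harden this supply-chain-sensitive workflow against tag movement; and the hunk as rendered shows both `submodules: false` and `submodules: recursive` without their `-`/`+` markers, which is a rendering artifact of the page rather than a defect in the change.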