snomiao (Member) commented Nov 20, 2025

Summary

Implements automated verification to ensure the OSS distribution complies with licensing requirements and properly removes proprietary/telemetry code.

This PR addresses the requirements from the Notion task:

  • ✅ Verifies no proprietary licenses in production dependencies
  • ✅ Checks ABCROM font is tree-shaken from OSS builds
  • ✅ Verifies Mixpanel telemetry is tree-shaken from OSS builds

Changes

New Verification Scripts

  1. scripts/verify-licenses.js

    • Validates all production dependencies use approved open-source licenses
    • Checks against a list of OSI-approved licenses
    • Flags any non-compliant or unknown licenses
  2. scripts/verify-oss-build.js

    • Scans the dist/ directory for violations
    • Checks for proprietary font files (ABCROM)
    • Searches JavaScript files for telemetry code (Mixpanel)
    • Reports all violations with file locations and code samples

CI Workflow

.github/workflows/ci-oss-compliance.yaml

  • Runs on all pushes to main/dev branches and pull requests
  • Two jobs:
    1. license-check: Verifies dependency licenses
    2. oss-build-check: Builds OSS distribution and verifies compliance
  • Uploads build artifacts on failure for debugging

NPM Scripts

pnpm verify:licenses      # Check dependency licenses
pnpm verify:oss          # Verify OSS build compliance
pnpm verify:compliance   # Run all checks (licenses + build + verify)
pnpm build:oss           # Build OSS distribution

Documentation

docs/OSS_COMPLIANCE.md

  • Complete guide for understanding and using the compliance checks
  • Explains tree-shaking mechanism
  • Troubleshooting guide
  • Instructions for adding new cloud-specific code

How It Works

Tree-Shaking Mechanism

The build uses compile-time constants for dead code elimination:

// vite.config.mts
define: {
  __DISTRIBUTION__: JSON.stringify(DISTRIBUTION)
}

// src/platform/distribution/types.ts
const DISTRIBUTION: Distribution = __DISTRIBUTION__
export const isCloud = DISTRIBUTION === 'cloud'

// src/platform/telemetry/index.ts
if (isCloud) {
  _telemetryProvider = new MixpanelTelemetryProvider()
}

When building with DISTRIBUTION=localhost:

  • isCloud evaluates to false
  • Vite's tree-shaking removes all cloud-specific code
  • Mixpanel library is never imported or bundled

Verification Patterns

The OSS build verifier checks for:

Proprietary Fonts:

  • .woff, .woff2, .ttf, .otf files containing "ABCROM"

Telemetry Code:

  • mixpanel / MixpanelTelemetryProvider
  • Tracking methods: trackWorkflow, trackEvent, .track(
  • API endpoints: mp.comfy.org

Test Plan

  • License check passes on current dependencies
  • Scripts handle missing dist/ directory gracefully
  • Scripts provide clear error messages and exit codes
  • Documentation is comprehensive and accurate
  • CI workflow runs successfully on this PR
  • OSS build verification passes after build

Testing Locally

# Check licenses
pnpm verify:licenses

# Build OSS distribution and verify
pnpm build:oss
pnpm verify:oss

# Or run all checks
pnpm verify:compliance

Notes

  • The license checker currently passes with 343 production dependencies
  • The OSS build verification requires building first (CI handles this automatically)
  • Build artifacts are uploaded for 7 days when CI checks fail

🤖 Generated with Claude Code

Fixes #10204

┆Issue is synchronized with this Notion page by Unito
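
The verification patterns listed in the description above, as a runnable sketch. This is an added example, not the PR's scripts/verify-oss-build.js: `scanDist`, `buildSampleDist` and the sample files are constructed for illustration, and the font check is assumed to match on the file name.

```javascript
// Added example: simplified build-output scan, not the PR's actual script.
const fs = require('node:fs')
const os = require('node:os')
const path = require('node:path')

// Patterns from the "Verification Patterns" list in the PR description.
const TELEMETRY_PATTERNS = [/mixpanel/, /MixpanelTelemetryProvider/, /trackWorkflow/,
  /trackEvent/, /\.track\(/, /mp\.comfy\.org/]
const FONT_EXTENSIONS = new Set(['.woff', '.woff2', '.ttf', '.otf'])

function listFiles(dir) {
  return fs.readdirSync(dir, { withFileTypes: true }).flatMap((entry) => {
    const full = path.join(dir, entry.name)
    return entry.isDirectory() ? listFiles(full) : [full]
  })
}

function scanDist(distDir) {
  // A missing dist/ is reported as an error instead of throwing.
  if (!fs.existsSync(distDir)) {
    return { ok: false, error: `${distDir} not found; build first`, violations: [] }
  }
  const violations = []
  for (const file of listFiles(distDir)) {
    const rel = path.relative(distDir, file)
    const ext = path.extname(file).toLowerCase()
    // Assumption: "containing ABCROM" is checked against the file name.
    if (FONT_EXTENSIONS.has(ext) && /abcrom/i.test(path.basename(file))) {
      violations.push({ type: 'font', file: rel })
    }
    if (ext !== '.js') continue
    const text = fs.readFileSync(file, 'utf8')
    for (const pattern of TELEMETRY_PATTERNS) {
      const hit = pattern.exec(text)
      if (!hit) continue
      const sample = text.slice(Math.max(0, hit.index - 20), hit.index + 40)
      violations.push({ type: 'telemetry', file: rel, pattern: pattern.source, sample })
    }
  }
  return { ok: violations.length === 0, violations }
}

// Constructed sample build output (not real project files).
function buildSampleDist() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'oss-dist-'))
  const files = {
    'assets/index.js': 'console.log("ready")',
    'assets/telemetry.js': 'const p = new MixpanelTelemetryProvider(); p.trackEvent("run")',
    'assets/scroll.js': 'scroller.track(position)', // benign, still hits the generic pattern
    'fonts/ABCROM-Regular.woff2': 'constructed placeholder bytes',
    'fonts/Inter.woff2': 'constructed placeholder bytes'
  }
  for (const [rel, body] of Object.entries(files)) {
    fs.mkdirSync(path.dirname(path.join(root, rel)), { recursive: true })
    fs.writeFileSync(path.join(root, rel), body)
  }
  return root
}

const report = scanDist(buildSampleDist())
for (const v of report.violations) console.log(v.type, v.file, v.pattern ?? '')
```

The constructed `scroll.js` is flagged by the generic `.track(` pattern although it contains no Mixpanel code, which is the false-positive case a pattern list like this has to account for.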

…aking

Implements automated verification to ensure the OSS distribution:
1. Only includes open-source licensed dependencies
2. Properly tree-shakes proprietary fonts (ABCROM)
3. Removes telemetry code (Mixpanel) from OSS builds

New scripts:
- scripts/verify-licenses.js - Validates production dependency licenses
- scripts/verify-oss-build.js - Checks dist/ for violations

New CI workflow:
- .github/workflows/ci-oss-compliance.yaml - Runs compliance checks

New npm scripts:
- pnpm verify:licenses - Check dependency licenses
- pnpm verify:oss - Verify OSS build compliance
- pnpm verify:compliance - Run all checks
- pnpm build:oss - Build OSS distribution

Documentation:
- docs/OSS_COMPLIANCE.md - Complete guide for compliance checks

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

github-actions bot commented Nov 20, 2025

🎨 Storybook Build Status

Build completed successfully!

⏰ Completed at: 12/03/2025, 10:45:51 AM UTC

🎉 Your Storybook is ready for review!


github-actions bot commented Nov 20, 2025

🎭 Playwright Test Results

⚠️ Tests passed with flaky tests

⏰ Completed at: 12/03/2025, 10:55:35 AM UTC

📈 Summary

  • Total Tests: 495
  • Passed: 482 ✅
  • Failed: 0
  • Flaky: 3 ⚠️
  • Skipped: 10 ⏭️

📊 Test Reports by Browser

  • chromium: View Report • ✅ 473 / ❌ 0 / ⚠️ 3 / ⏭️ 10
  • chromium-2x: View Report • ✅ 2 / ❌ 0 / ⚠️ 0 / ⏭️ 0
  • chromium-0.5x: View Report • ✅ 1 / ❌ 0 / ⚠️ 0 / ⏭️ 0
  • mobile-chrome: View Report • ✅ 6 / ❌ 0 / ⚠️ 0 / ⏭️ 0

🎉 Click on the links above to view detailed test results for each browser configuration.


github-actions bot commented Nov 20, 2025

Bundle Size Report

Summary

  • Raw size: 17 MB baseline 17 MB — ⚪ 0 B
  • Gzip: 3.38 MB baseline 3.38 MB — ⚪ 0 B
  • Brotli: 2.59 MB baseline 2.59 MB — ⚪ 0 B
  • Bundles: 97 current • 97 baseline

Category Glance
Vendor & Third-Party ⚪ 0 B (8.56 MB) · Other ⚪ 0 B (3.81 MB) · App Entry Points ⚪ 0 B (3.2 MB) · Graph Workspace ⚪ 0 B (971 kB) · Panels & Settings ⚪ 0 B (298 kB) · UI Components ⚪ 0 B (169 kB) · + 3 more


coderabbitai bot (Contributor) commented Dec 3, 2025

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


snomiao and others added 2 commits December 3, 2025 10:43
- Make telemetry detection patterns more specific
- Target actual Mixpanel API calls instead of generic patterns
- Avoid flagging benign code like `.track()` from other libraries
- Focus on MixpanelTelemetryProvider and actual tracking methods

This reduces false positives while maintaining security.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Post informative comment when OSS compliance checks fail
- Include links to workflow logs and documentation
- Guide developers on how to fix issues
- Only comment on pull requests, not pushes

Helps PR authors quickly understand and fix compliance issues.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

github-actions bot commented Dec 3, 2025

⚠️ OSS Compliance Check Failed

The OSS build verification has failed. This usually means:

Possible Issues:

  1. ✗ Proprietary font files (ABCROM) detected in build output
  2. ✗ Telemetry code (Mixpanel) detected in OSS build
  3. ✗ Non-compliant dependency licenses detected

What to do:

  1. Review the workflow logs for details
  2. Check the uploaded build artifacts for inspection
  3. Ensure tree-shaking is working correctly for cloud-specific code
  4. See OSS Compliance docs for guidance

Build artifacts have been uploaded for 7 days for your inspection.


This is an automated message from the OSS Compliance workflow

snomiao (Member, Author) commented Dec 3, 2025

📝 PR Review Summary

✅ Changes Reviewed

  1. OSS License Compliance Infrastructure - Automated checks for dependency licenses
  2. OSS Build Verification - Validates tree-shaking of proprietary assets
  3. CI/CD Integration - Workflow automation with failure notifications
  4. Documentation - Comprehensive compliance guide

🔍 Current CI Status

Failing Check: OSS Build Verification

Root Causes:

  1. ABCROM Font Files (2 files) - Proprietary fonts being bundled in localhost build
  2. Cloud Components - Tree-shaking not fully eliminating cloud-specific code

🛠️ Recent Improvements

I've made two commits to improve this PR:

  1. Refined Verification Patterns (commit e474eae)

    • Made telemetry detection more specific
    • Reduced false positives from generic patterns like .track(
    • Now targets actual Mixpanel API usage
  2. Added CI Failure Notifications (commit c9c1f4e)

    • Automatically posts helpful comment when OSS compliance fails
    • Links to logs and documentation
    • Guides developers on fixing issues

🎯 Remaining Issues

The fundamental issue is that tree-shaking isn't fully working for cloud-specific code:

Problem in src/router.ts:19:

import { cloudOnboardingRoutes } from './platform/cloud/onboarding/onboardingCloudRoutes'

This import happens unconditionally, causing Vite to include the cloud routes module and its dependencies (including fonts) even when DISTRIBUTION=localhost.

Why it happens:

  • The spread operator ...(isCloud ? cloudOnboardingRoutes : []) (line 46) is a runtime check
  • Vite's tree-shaking can't eliminate the import because it's at the module level
  • The fonts are imported in CloudTemplate.vue → fonts.css → font files

💡 Recommended Solutions

Option 1: Dynamic Import (Best)

const routes = [
  ...(isCloud ? (await import('./platform/cloud/onboarding/onboardingCloudRoutes')).cloudOnboardingRoutes : []),
  // ... other routes
]

Option 2: Vite Plugin
Create a Vite plugin that strips cloud-specific imports during OSS builds

Option 3: Separate Entry Points
Build separate bundles for cloud vs OSS distributions

Option 4: Accept Current Behavior

  • Document that lazy-loaded cloud code exists but never executes
  • Update verification to warn rather than fail for lazy-loaded code
  • The runtime check ensures cloud code paths are never reached

📊 Impact Assessment

  • Security: ✅ No execution of cloud code in OSS builds (runtime guards work)
  • License: ⚠️ Proprietary assets present but unused
  • Bundle Size: ⚠️ Slightly larger OSS build due to dead code
  • User Experience: ✅ No functional impact

The code is secure (cloud paths never execute), but not ideal for distribution hygiene.

🎬 Next Steps

@snomiao - Please review the architectural options above and decide on the preferred approach. I recommend Option 1 (Dynamic Import) as it's the cleanest solution.

Would you like me to implement one of these solutions?


🤖 Generated with Claude Code
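
A source-level check for the situation described in this comment: it flags static imports of cloud modules, which the build-output scan only catches after bundling. This is an added example, not part of the PR or the comment; `findStaticCloudImports`, the regexes and the sample sources are constructed, with import paths modelled on the one quoted above.

```javascript
// Added example: source-level guard, not part of the PR. All names are hypothetical.
// Matches static `import ... from 'x'` and side-effect `import 'x'`. Dynamic
// `import('x')` never matches: `import` must be followed by whitespace, then a
// clause or a quote, and the expression does not start its line here.
const STATIC_IMPORT = /^[ \t]*import\s+(type\s+)?(?:[^'"()]*?\sfrom\s*)?['"]([^'"]+)['"]/gm
const CLOUD_PATH = /(^|\/)platform\/cloud\//

function findStaticCloudImports(source) {
  const findings = []
  for (const match of source.matchAll(STATIC_IMPORT)) {
    const [, typeOnly, specifier] = match
    if (typeOnly) continue // `import type` is erased at compile time, nothing is bundled
    if (!CLOUD_PATH.test(specifier)) continue
    // 1-based line number of the import statement.
    const line = source.slice(0, match.index).split('\n').length
    findings.push({ line, specifier })
  }
  return findings
}

// Constructed source modelled on the router situation in the comment.
const BEFORE = [
  "import { createRouter } from 'vue-router'",
  "import type { CloudRoute } from './platform/cloud/types'", // hypothetical path
  "import { cloudOnboardingRoutes } from './platform/cloud/onboarding/onboardingCloudRoutes'",
  'const routes = [...(isCloud ? cloudOnboardingRoutes : [])]'
].join('\n')

// Same module rewritten along the lines of Option 1 (dynamic import).
const AFTER = [
  "import { createRouter } from 'vue-router'",
  'const routes = [',
  "  ...(isCloud ? (await import('./platform/cloud/onboarding/onboardingCloudRoutes')).cloudOnboardingRoutes : [])",
  ']'
].join('\n')

console.log('before:', findStaticCloudImports(BEFORE))
console.log('after: ', findStaticCloudImports(AFTER))
```

Run over files outside the cloud directory, a check like this fails before any build is produced and points at the import line itself.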
