From 7c0fa59022cc1ba1038a3a6131cce54133e4a2e2 Mon Sep 17 00:00:00 2001
From: Adrian Dombeck <adrian.dombeck@canonical.com>
Date: Wed, 14 Jan 2026 13:19:07 +0100
Subject: [PATCH] gh-actions/build-debian: Run licenserecon

We've had an upload of authd to the archive rejected because of issues
in the debian/copyright file reported by licenserecon aka lrc. Let's
avoid that in the future by running lrc as part of the build-debian
action.

I had to change the package built in the tests to get them to pass,
because lrc reports issues in the hello package. It also found issues in
cowsay and some other packages I tried. The first package which passed
was debianutils.
---
 .github/workflows/test-build-deb.yaml      | 19 +++++++++-------
 gh-actions/common/build-debian/action.yaml | 26 ++++++++++++++++++++++
 2 files changed, 37 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/test-build-deb.yaml b/.github/workflows/test-build-deb.yaml
index 0b96a107..0447158b 100644
--- a/.github/workflows/test-build-deb.yaml
+++ b/.github/workflows/test-build-deb.yaml
@@ -42,10 +42,11 @@ jobs:
           set -eu
 
           echo "::group::Get source"
-          pull-lp-source --download-only hello
-          dpkg-source -x hello*.dsc hello-src
-          rm -rf hello_*
-          mv -v hello-src/* .
+          PKG=debianutils
+          pull-lp-source --download-only "$PKG"
+          dpkg-source -x "$PKG"*.dsc pkg-src
+          rm -rf "${PKG}_"*
+          cd pkg-src
           echo "::endgroup::"
 
           echo "::group::Mark package as a native package"
@@ -63,6 +64,7 @@ jobs:
         uses: ./.source/gh-actions/common/build-debian
         with:
           docker-image: ${{ env.UBUNTU_IMAGE }}
+          source-dir: pkg-src
           eatmydata: false
 
 
@@ -118,9 +120,10 @@ jobs:
           # Get package source
           set -eu
 
-          pull-lp-source --download-only hello
-          dpkg-source -x hello*.dsc hello-src
-          rm -rfv hello_*.{dsc,debian.}*
+          PKG=debianutils
+          pull-lp-source --download-only "$PKG"
+          dpkg-source -x "$PKG"*.dsc pkg-src
+          rm -rfv "${PKG}_"*.{dsc,debian.}*
 
       - name: Checkout code
         uses: actions/checkout@v4
@@ -132,7 +135,7 @@ jobs:
         with:
           docker-image: ${{ env.UBUNTU_IMAGE }}
           sources-only: true
-          source-dir: ./hello-src
+          source-dir: pkg-src
           lintian: skip
 
 
diff --git a/gh-actions/common/build-debian/action.yaml b/gh-actions/common/build-debian/action.yaml
index 07cfab23..d7555e67 100644
--- a/gh-actions/common/build-debian/action.yaml
+++ b/gh-actions/common/build-debian/action.yaml
@@ -59,6 +59,11 @@ inputs:
     description: Arguments to pass to lintian, if any. Set to `skip` to skip the lintian check.
     default: ''
 
+  lrc:
+    required: false
+    description: Arguments to pass to licenserecon, if any. Set to `skip` to skip the licenserecon check.
+    default: ''
+
 
 # The process:
 # 1. We build the source package in a docker container. If ca-certificates are
@@ -150,6 +155,27 @@ runs:
           echo "SOURCE_DIR=${srcdir}" >> "${GITHUB_ENV}"
           echo "::endgroup::"
 
+    - name: Check licenses
+      if: ${{ inputs.lrc != 'skip' }}
+      uses: kohlerdominik/docker-run-action@v2.0.0
+      with:
+        # Use ubuntu:devel to have a recent version of licenserecon, because we
+        # found older versions to report false positives (e.g. GPL-2 vs GPL-2+).
+        image: ubuntu:devel
+        volumes: |
+          ${{ github.workspace }}:${{ github.workspace }}
+        workdir: ${{ env.SOURCE_DIR }}
+        shell: bash
+        run: |
+          echo "::group::Install licenserecon"
+          apt-get update
+          apt-get install -y --no-install-recommends licenserecon
+          echo "::endgroup::"
+
+          echo "::group::Run licenserecon"
+          lrc ${{ inputs.lrc }}
+          echo "::endgroup::"
+
     - name: Prepare source package
       uses: kohlerdominik/docker-run-action@v2.0.0
       with: