Comfy-Org/ComfyUI_frontend
1
0
Fork 0
mirror of https://github.com/Comfy-Org/ComfyUI_frontend.git synced 2026-02-02 14:27:40 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
e474eaef1640e43a419dd6db05fb07aceacb4b76
ComfyUI_frontend/docs/OSS_COMPLIANCE.md
snomiao 8dcdcfce5b [feat] Add CI checks for OSS license compliance and telemetry tree-shaking 
Implements automated verification to ensure the OSS distribution:
1. Only includes open-source licensed dependencies
2. Properly tree-shakes proprietary fonts (ABCROM)
3. Removes telemetry code (Mixpanel) from OSS builds

New scripts:
- scripts/verify-licenses.js - Validates production dependency licenses
- scripts/verify-oss-build.js - Checks dist/ for violations

New CI workflow:
- .github/workflows/ci-oss-compliance.yaml - Runs compliance checks

New npm scripts:
- pnpm verify:licenses - Check dependency licenses
- pnpm verify:oss - Verify OSS build compliance
- pnpm verify:compliance - Run all checks
- pnpm build:oss - Build OSS distribution

Documentation:
- docs/OSS_COMPLIANCE.md - Complete guide for compliance checks

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-20 06:12:36 +00:00

5.1 KiB
Raw Blame History

OSS Compliance Verification

This document describes the automated compliance checks that ensure the OSS (Open Source Software) distribution of ComfyUI Frontend meets licensing and privacy requirements.

Overview

The OSS build verification system consists of two main components:

  1. License Compliance Check - Ensures all production dependencies use approved open-source licenses
  2. OSS Build Verification - Ensures the OSS distribution doesn't contain proprietary code or telemetry

Quick Start

Run All Compliance Checks

pnpm verify:compliance

This command will:

  1. Check all production dependency licenses
  2. Build the OSS distribution
  3. Verify the build output doesn't contain violations

Individual Checks

# Check licenses only
pnpm verify:licenses

# Build OSS distribution
pnpm build:oss

# Verify OSS build (requires build first)
pnpm verify:oss

License Compliance

Purpose

Verifies that all production dependencies use licenses compatible with ComfyUI's GPL-3.0-only license.

Script Location

scripts/verify-licenses.js

Approved Licenses

The following licenses are approved for use:

  • Permissive: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC
  • Copyleft: GPL-2.0, GPL-3.0, LGPL-2.1, LGPL-3.0, MPL-2.0
  • Public Domain: CC0-1.0, Unlicense, WTFPL
  • And other OSI-approved licenses

How It Works

  1. Runs pnpm licenses list --json --prod to get all production dependencies
  2. Checks each license against the approved list
  3. Flags any non-compliant or unknown licenses
  4. Exits with error code 1 if violations are found

Adding New Approved Licenses

If a legitimate open-source license is being flagged, edit scripts/verify-licenses.js and add it to the APPROVED_LICENSES set.

OSS Build Verification

Purpose

Ensures the OSS distribution (DISTRIBUTION=localhost) doesn't contain:

  1. Proprietary licensed assets (e.g., ABCROM font files)
  2. Telemetry code (e.g., Mixpanel tracking)

Script Location

scripts/verify-oss-build.js

What Gets Checked

Proprietary Font Files

  • Searches for .woff, .woff2, .ttf, .otf files containing "ABCROM"
  • These fonts are proprietary and licensed only for cloud distribution

Telemetry Code

Searches JavaScript files for:

  • mixpanel references
  • MixpanelTelemetryProvider class
  • Tracking method calls (trackWorkflow, trackEvent)
  • Mixpanel API endpoints (mp.comfy.org)

How It Works

  1. Recursively scans the dist/ directory
  2. Checks font files by filename
  3. Checks JavaScript files for telemetry code patterns
  4. Reports all violations with file locations and matches
  5. Exits with error code 1 if violations are found

Tree-Shaking Mechanism

The codebase uses compile-time constants for tree-shaking:

// src/platform/distribution/types.ts
const DISTRIBUTION: Distribution = __DISTRIBUTION__
export const isCloud = DISTRIBUTION === 'cloud'

// src/platform/telemetry/index.ts
if (isCloud) {
  _telemetryProvider = new MixpanelTelemetryProvider()
}

When building with DISTRIBUTION=localhost:

  • isCloud evaluates to false
  • Dead code elimination removes all cloud-specific code
  • Mixpanel library is never imported or bundled

CI Integration

GitHub Actions Workflow

.github/workflows/ci-oss-compliance.yaml

The workflow runs on all pushes to main/dev branches and pull requests:

  1. license-check job

    • Installs dependencies
    • Runs license verification

  2. oss-build-check job

    • Installs dependencies
    • Builds OSS distribution
    • Runs build verification
    • Uploads artifacts on failure for debugging

When Checks Run

  • On push to: main, master, dev*, core/*, desktop/*
  • On pull requests (except wip/*, draft/*, temp/*)

Troubleshooting

License Check Fails

  1. Review the flagged packages
  2. Check if the license is genuinely non-compliant
  3. If it's a false positive, add the license to APPROVED_LICENSES
  4. If it's truly non-compliant, find an alternative package

OSS Build Check Fails

  1. Review the violations in the output
  2. Check if cloud-specific code is being included
  3. Verify tree-shaking is working:
    • Check vite.config.mts for define configuration
    • Ensure DISTRIBUTION is set correctly
    • Check that cloud imports are conditionally loaded

Build Artifacts

If the OSS build check fails in CI, artifacts are uploaded for 7 days:

  1. Go to the failed workflow run
  2. Download "oss-build-artifacts"
  3. Inspect the files to identify violations

Adding New Cloud-Specific Code

When adding code that should only be in cloud builds:

  1. Place it in src/platform/cloud/ - Recommended approach
  2. Use conditional imports: 
    if (isCloud) {
  const { CloudFeature } = await import('./cloud/CloudFeature')
  // Use CloudFeature
}
  3. Test locally: 
    pnpm build:oss
pnpm verify:oss

References