Comfy-Org/ComfyUI_frontend
1
0
Fork 0
mirror of https://github.com/Comfy-Org/ComfyUI_frontend.git synced 2026-02-05 07:30:11 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
e474eaef1640e43a419dd6db05fb07aceacb4b76
ComfyUI_frontend/docs/OSS_COMPLIANCE.md
snomiao 8dcdcfce5b [feat] Add CI checks for OSS license compliance and telemetry tree-shaking 
Implements automated verification to ensure the OSS distribution:
1. Only includes open-source licensed dependencies
2. Properly tree-shakes proprietary fonts (ABCROM)
3. Removes telemetry code (Mixpanel) from OSS builds

New scripts:
- scripts/verify-licenses.js - Validates production dependency licenses
- scripts/verify-oss-build.js - Checks dist/ for violations

New CI workflow:
- .github/workflows/ci-oss-compliance.yaml - Runs compliance checks

New npm scripts:
- pnpm verify:licenses - Check dependency licenses
- pnpm verify:oss - Verify OSS build compliance
- pnpm verify:compliance - Run all checks
- pnpm build:oss - Build OSS distribution

Documentation:
- docs/OSS_COMPLIANCE.md - Complete guide for compliance checks

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-20 06:12:36 +00:00

195 lines
5.1 KiB
Markdown
Raw Blame History

# OSS Compliance Verification
This document describes the automated compliance checks that ensure the OSS (Open Source Software) distribution of ComfyUI Frontend meets licensing and privacy requirements.
## Overview
The OSS build verification system consists of two main components:
1. **License Compliance Check** - Ensures all production dependencies use approved open-source licenses
2. **OSS Build Verification** - Ensures the OSS distribution doesn't contain proprietary code or telemetry
## Quick Start
### Run All Compliance Checks
```bash
pnpm verify:compliance
```
This command will:
1. Check all production dependency licenses
2. Build the OSS distribution
3. Verify the build output doesn't contain violations
### Individual Checks
```bash
# Check licenses only
pnpm verify:licenses
# Build OSS distribution
pnpm build:oss
# Verify OSS build (requires build first)
pnpm verify:oss
```
## License Compliance
### Purpose
Verifies that all production dependencies use licenses compatible with ComfyUI's GPL-3.0-only license.
### Script Location
`scripts/verify-licenses.js`
### Approved Licenses
The following licenses are approved for use:
- **Permissive**: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC
- **Copyleft**: GPL-2.0, GPL-3.0, LGPL-2.1, LGPL-3.0, MPL-2.0
- **Public Domain**: CC0-1.0, Unlicense, WTFPL
- And other OSI-approved licenses
### How It Works
1. Runs `pnpm licenses list --json --prod` to get all production dependencies
2. Checks each license against the approved list
3. Flags any non-compliant or unknown licenses
4. Exits with error code 1 if violations are found
### Adding New Approved Licenses
If a legitimate open-source license is being flagged, edit `scripts/verify-licenses.js` and add it to the `APPROVED_LICENSES` set.
## OSS Build Verification
### Purpose
Ensures the OSS distribution (DISTRIBUTION=localhost) doesn't contain:
1. **Proprietary licensed assets** (e.g., ABCROM font files)
2. **Telemetry code** (e.g., Mixpanel tracking)
### Script Location
`scripts/verify-oss-build.js`
### What Gets Checked
#### Proprietary Font Files
- Searches for `.woff`, `.woff2`, `.ttf`, `.otf` files containing "ABCROM"
- These fonts are proprietary and licensed only for cloud distribution
#### Telemetry Code
Searches JavaScript files for:
- `mixpanel` references
- `MixpanelTelemetryProvider` class
- Tracking method calls (`trackWorkflow`, `trackEvent`)
- Mixpanel API endpoints (`mp.comfy.org`)
### How It Works
1. Recursively scans the `dist/` directory
2. Checks font files by filename
3. Checks JavaScript files for telemetry code patterns
4. Reports all violations with file locations and matches
5. Exits with error code 1 if violations are found
### Tree-Shaking Mechanism
The codebase uses compile-time constants for tree-shaking:
```typescript
// src/platform/distribution/types.ts
const DISTRIBUTION: Distribution = __DISTRIBUTION__
export const isCloud = DISTRIBUTION === 'cloud'
// src/platform/telemetry/index.ts
if (isCloud) {
_telemetryProvider = new MixpanelTelemetryProvider()
}
```
When building with `DISTRIBUTION=localhost`:
- `isCloud` evaluates to `false`
- Dead code elimination removes all cloud-specific code
- Mixpanel library is never imported or bundled
## CI Integration
### GitHub Actions Workflow
`.github/workflows/ci-oss-compliance.yaml`
The workflow runs on all pushes to main/dev branches and pull requests:
1. **license-check** job
- Installs dependencies
- Runs license verification
2. **oss-build-check** job
- Installs dependencies
- Builds OSS distribution
- Runs build verification
- Uploads artifacts on failure for debugging
### When Checks Run
- On push to: `main`, `master`, `dev*`, `core/*`, `desktop/*`
- On pull requests (except `wip/*`, `draft/*`, `temp/*`)
## Troubleshooting
### License Check Fails
1. Review the flagged packages
2. Check if the license is genuinely non-compliant
3. If it's a false positive, add the license to `APPROVED_LICENSES`
4. If it's truly non-compliant, find an alternative package
### OSS Build Check Fails
1. Review the violations in the output
2. Check if cloud-specific code is being included
3. Verify tree-shaking is working:
- Check `vite.config.mts` for `define` configuration
- Ensure `DISTRIBUTION` is set correctly
- Check that cloud imports are conditionally loaded
### Build Artifacts
If the OSS build check fails in CI, artifacts are uploaded for 7 days:
1. Go to the failed workflow run
2. Download "oss-build-artifacts"
3. Inspect the files to identify violations
## Adding New Cloud-Specific Code
When adding code that should only be in cloud builds:
1. **Place it in `src/platform/cloud/`** - Recommended approach
2. **Use conditional imports**:
```typescript
if (isCloud) {
const { CloudFeature } = await import('./cloud/CloudFeature')
// Use CloudFeature
}
```
3. **Test locally**:
```bash
pnpm build:oss
pnpm verify:oss
```
## References
- [Vite Tree-Shaking](https://vitejs.dev/guide/features.html#build-optimizations)
- [GPL-3.0 License](https://www.gnu.org/licenses/gpl-3.0.en.html)
- [OSI Approved Licenses](https://opensource.org/licenses/)
Reference in New Issue View Git Blame Copy Permalink