From 7f47fd8f1888dcf05901eeac09a5e31256ab58ac Mon Sep 17 00:00:00 2001
From: Jon Ayers <jon@coder.com>
Date: Tue, 16 Apr 2024 23:04:36 +0000
Subject: [PATCH 01/25] chore: add license review to CI

---
 .github/workflows/ci.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 8aaaa7439802c..69c2b045607a6 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -896,3 +896,17 @@ jobs:
       - name: Setup and run sqlc vet
         run: |
           make sqlc-vet
+
+  # dependency-license-review checks that no license-incompatible dependencies have been introduced. 
+  # This action is not intended to do a vulnerability check since that is handled by a separate action.
+  dependency-license-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@v4
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@v4
+        with:
+          allow-licenses: Apache-2.0, BSD-2-Clause, BSD-3-Clause, CC0-1.0, ISC, MIT, MIT-0, MPL-2.0
+          license-check: true
+          vulnerability-check: false

From 8a8300ca10bfbc902b03d117ff139cbeb8051d8d Mon Sep 17 00:00:00 2001
From: Jon Ayers <jon@coder.com>
Date: Tue, 16 Apr 2024 23:10:42 +0000
Subject: [PATCH 02/25] report on invalid licenses

---
 .github/workflows/ci.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 69c2b045607a6..43d281568d110 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -640,6 +640,7 @@ jobs:
       - test-e2e
       - offlinedocs
       - sqlc-vet
+      - dependency-license-review
     # Allow this job to run even if the needed jobs fail, are skipped or
     # cancelled.
     if: always()
@@ -656,6 +657,7 @@ jobs:
           echo "- test-js: ${{ needs.test-js.result }}"
           echo "- test-e2e: ${{ needs.test-e2e.result }}"
           echo "- offlinedocs: ${{ needs.offlinedocs.result }}"
+          echo "- dependency-license-review: ${{ needs.dependency-license-review.result }}"
           echo
 
           # We allow skipped jobs to pass, but not failed or cancelled jobs.
@@ -905,8 +907,17 @@ jobs:
       - name: 'Checkout Repository'
         uses: actions/checkout@v4
       - name: 'Dependency Review'
+        id: review
         uses: actions/dependency-review-action@v4
         with:
           allow-licenses: Apache-2.0, BSD-2-Clause, BSD-3-Clause, CC0-1.0, ISC, MIT, MIT-0, MPL-2.0
           license-check: true
           vulnerability-check: false
+      - name: 'Report'
+        # make sure this step runs even if the previous failed
+        if: ${{ failure() && steps.review.conclusion == 'failure' }}
+        shell: bash
+        env: # store comment HTML data in an environment variable
+          COMMENT: ${{ steps.review.outputs.comment-content }}
+        run: | # do something with the comment:
+          echo "$COMMENT"

From 3775d6da08054f76807d20a17d7fe59ccca1454b Mon Sep 17 00:00:00 2001
From: Jon Ayers <jon@coder.com>
Date: Tue, 16 Apr 2024 23:13:14 +0000
Subject: [PATCH 03/25] test omitting MIT

---
 .github/workflows/ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 43d281568d110..cffd98c1d760f 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -910,7 +910,7 @@ jobs:
         id: review
         uses: actions/dependency-review-action@v4
         with:
-          allow-licenses: Apache-2.0, BSD-2-Clause, BSD-3-Clause, CC0-1.0, ISC, MIT, MIT-0, MPL-2.0
+          allow-licenses: Apache-2.0, BSD-2-Clause, BSD-3-Clause, CC0-1.0, ISC, # MIT, MIT-0, MPL-2.0
           license-check: true
           vulnerability-check: false
       - name: 'Report'

From b7e7bb9844860e549bc7fe407005c4edf7405cbf Mon Sep 17 00:00:00 2001
From: Jon Ayers <jon@coder.com>
Date: Tue, 16 Apr 2024 23:15:54 +0000
Subject: [PATCH 04/25] whoops

---
 .github/workflows/ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index cffd98c1d760f..196ed15673160 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -910,7 +910,7 @@ jobs:
         id: review
         uses: actions/dependency-review-action@v4
         with:
-          allow-licenses: Apache-2.0, BSD-2-Clause, BSD-3-Clause, CC0-1.0, ISC, # MIT, MIT-0, MPL-2.0
+          allow-licenses: Apache-2.0, BSD-2-Clause, BSD-3-Clause, CC0-1.0, ISC #, MIT, MIT-0, MPL-2.0
           license-check: true
           vulnerability-check: false
       - name: 'Report'

From c5c6ffaf4b517e5831a00112aa34d845f1edc8e5 Mon Sep 17 00:00:00 2001
From: Jon Ayers <jon@coder.com>
Date: Tue, 16 Apr 2024 23:20:01 +0000
Subject: [PATCH 05/25] try omitting apache

---
 .github/workflows/ci.yaml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 196ed15673160..7b1fe132ffefd 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -910,7 +910,8 @@ jobs:
         id: review
         uses: actions/dependency-review-action@v4
         with:
-          allow-licenses: Apache-2.0, BSD-2-Clause, BSD-3-Clause, CC0-1.0, ISC #, MIT, MIT-0, MPL-2.0
+          #allow-licenses: Apache-2.0, BSD-2-Clause, BSD-3-Clause, CC0-1.0, ISC, MIT, MIT-0, MPL-2.0
+          allow-licenses: BSD-2-Clause, BSD-3-Clause, CC0-1.0, ISC, MIT, MIT-0, MPL-2.0
           license-check: true
           vulnerability-check: false
       - name: 'Report'
@@ -918,6 +919,6 @@ jobs:
         if: ${{ failure() && steps.review.conclusion == 'failure' }}
         shell: bash
         env: # store comment HTML data in an environment variable
-          COMMENT: ${{ steps.review.outputs.comment-content }}
-        run: | # do something with the comment:
-          echo "$COMMENT"
+          VULNERABLE_CHANGES: ${{ steps.review.outputs.invalid-license-changes }}
+        run: |
+          echo "$VULNERABLE_CHANGES" | jq

From 58e39ee69d69ba52463b6a2dea841be894ae0565 Mon Sep 17 00:00:00 2001
From: Jon Ayers <jon@coder.com>
Date: Tue, 16 Apr 2024 23:27:49 +0000
Subject: [PATCH 06/25] attempt adding a GPL go pkg

---
 .github/workflows/ci.yaml | 11 +++++------
 cmd/coder/main.go         |  2 ++
 go.mod                    |  1 +
 go.sum                    |  2 ++
 4 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 7b1fe132ffefd..b3e7be73c5c36 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -899,22 +899,21 @@ jobs:
         run: |
           make sqlc-vet
 
-  # dependency-license-review checks that no license-incompatible dependencies have been introduced. 
+  # dependency-license-review checks that no license-incompatible dependencies have been introduced.
   # This action is not intended to do a vulnerability check since that is handled by a separate action.
   dependency-license-review:
     runs-on: ubuntu-latest
     steps:
-      - name: 'Checkout Repository'
+      - name: "Checkout Repository"
         uses: actions/checkout@v4
-      - name: 'Dependency Review'
+      - name: "Dependency Review"
         id: review
         uses: actions/dependency-review-action@v4
         with:
-          #allow-licenses: Apache-2.0, BSD-2-Clause, BSD-3-Clause, CC0-1.0, ISC, MIT, MIT-0, MPL-2.0
-          allow-licenses: BSD-2-Clause, BSD-3-Clause, CC0-1.0, ISC, MIT, MIT-0, MPL-2.0
+          allow-licenses: Apache-2.0, BSD-2-Clause, BSD-3-Clause, CC0-1.0, ISC #, MIT, MIT-0, MPL-2.0
           license-check: true
           vulnerability-check: false
-      - name: 'Report'
+      - name: "Report"
         # make sure this step runs even if the previous failed
         if: ${{ failure() && steps.review.conclusion == 'failure' }}
         shell: bash
diff --git a/cmd/coder/main.go b/cmd/coder/main.go
index 7d41563c18e68..05295c5b6d323 100644
--- a/cmd/coder/main.go
+++ b/cmd/coder/main.go
@@ -4,6 +4,8 @@ import (
 	_ "time/tzdata"
 
 	"github.com/coder/coder/v2/cli"
+
+	_ "github.com/basgys/go-gpl/gpl"
 )
 
 func main() {
diff --git a/go.mod b/go.mod
index 9346fc742717c..22f1b338f8a46 100644
--- a/go.mod
+++ b/go.mod
@@ -215,6 +215,7 @@ require (
 require go.uber.org/mock v0.4.0
 
 require (
+	github.com/basgys/go-gpl v0.0.0-20230209111130-4e0087feed95
 	github.com/benbjohnson/clock v1.3.5
 	github.com/coder/serpent v0.7.0
 	github.com/gomarkdown/markdown v0.0.0-20231222211730-1d6d20845b47
diff --git a/go.sum b/go.sum
index 10e0890965bc5..62ea977b49377 100644
--- a/go.sum
+++ b/go.sum
@@ -124,6 +124,8 @@ github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiE
 github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
 github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=
 github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
+github.com/basgys/go-gpl v0.0.0-20230209111130-4e0087feed95 h1:K9X3r6eO+Fa1sbcoyWEz5s6R6z3GlpIe9KC5qfcTUX4=
+github.com/basgys/go-gpl v0.0.0-20230209111130-4e0087feed95/go.mod h1:XY/3nkvH5NfeP5X7QNqbwhdXwwD6TCA+NgUHI+UrUPY=
 github.com/benbjohnson/clock v1.3.5 h1:VvXlSJBzZpA/zum6Sj74hxwYI2DIxRWuNIoXAzHZz5o=
 github.com/benbjohnson/clock v1.3.5/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=

From 6d7a0dc9ddc89152c143a9eb43ed5f0a90a20cd4 Mon Sep 17 00:00:00 2001
From: Jon Ayers <jon@coder.com>
Date: Tue, 16 Apr 2024 23:49:03 +0000
Subject: [PATCH 07/25] Revert "attempt adding a GPL go pkg"

This reverts commit 58e39ee69d69ba52463b6a2dea841be894ae0565.
---
 .github/workflows/ci.yaml | 11 ++++++-----
 cmd/coder/main.go         |  2 --
 go.mod                    |  1 -
 go.sum                    |  2 --
 4 files changed, 6 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index b3e7be73c5c36..7b1fe132ffefd 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -899,21 +899,22 @@ jobs:
         run: |
           make sqlc-vet
 
-  # dependency-license-review checks that no license-incompatible dependencies have been introduced.
+  # dependency-license-review checks that no license-incompatible dependencies have been introduced. 
   # This action is not intended to do a vulnerability check since that is handled by a separate action.
   dependency-license-review:
     runs-on: ubuntu-latest
     steps:
-      - name: "Checkout Repository"
+      - name: 'Checkout Repository'
         uses: actions/checkout@v4
-      - name: "Dependency Review"
+      - name: 'Dependency Review'
         id: review
         uses: actions/dependency-review-action@v4
         with:
-          allow-licenses: Apache-2.0, BSD-2-Clause, BSD-3-Clause, CC0-1.0, ISC #, MIT, MIT-0, MPL-2.0
+          #allow-licenses: Apache-2.0, BSD-2-Clause, BSD-3-Clause, CC0-1.0, ISC, MIT, MIT-0, MPL-2.0
+          allow-licenses: BSD-2-Clause, BSD-3-Clause, CC0-1.0, ISC, MIT, MIT-0, MPL-2.0
           license-check: true
           vulnerability-check: false
-      - name: "Report"
+      - name: 'Report'
         # make sure this step runs even if the previous failed
         if: ${{ failure() && steps.review.conclusion == 'failure' }}
         shell: bash
diff --git a/cmd/coder/main.go b/cmd/coder/main.go
index 05295c5b6d323..7d41563c18e68 100644
--- a/cmd/coder/main.go
+++ b/cmd/coder/main.go
@@ -4,8 +4,6 @@ import (
 	_ "time/tzdata"
 
 	"github.com/coder/coder/v2/cli"
-
-	_ "github.com/basgys/go-gpl/gpl"
 )
 
 func main() {
diff --git a/go.mod b/go.mod
index 22f1b338f8a46..9346fc742717c 100644
--- a/go.mod
+++ b/go.mod
@@ -215,7 +215,6 @@ require (
 require go.uber.org/mock v0.4.0
 
 require (
-	github.com/basgys/go-gpl v0.0.0-20230209111130-4e0087feed95
 	github.com/benbjohnson/clock v1.3.5
 	github.com/coder/serpent v0.7.0
 	github.com/gomarkdown/markdown v0.0.0-20231222211730-1d6d20845b47
diff --git a/go.sum b/go.sum
index 62ea977b49377..10e0890965bc5 100644
--- a/go.sum
+++ b/go.sum
@@ -124,8 +124,6 @@ github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiE
 github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
 github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=
 github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
-github.com/basgys/go-gpl v0.0.0-20230209111130-4e0087feed95 h1:K9X3r6eO+Fa1sbcoyWEz5s6R6z3GlpIe9KC5qfcTUX4=
-github.com/basgys/go-gpl v0.0.0-20230209111130-4e0087feed95/go.mod h1:XY/3nkvH5NfeP5X7QNqbwhdXwwD6TCA+NgUHI+UrUPY=
 github.com/benbjohnson/clock v1.3.5 h1:VvXlSJBzZpA/zum6Sj74hxwYI2DIxRWuNIoXAzHZz5o=
 github.com/benbjohnson/clock v1.3.5/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=

From 4404ea100f52cb4bf104189f5f0db5fa7c84e15f Mon Sep 17 00:00:00 2001
From: Jon Ayers <jon@coder.com>
Date: Tue, 16 Apr 2024 23:49:52 +0000
Subject: [PATCH 08/25] fmt

---
 .github/workflows/ci.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 7b1fe132ffefd..765e1865ecf46 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -899,14 +899,14 @@ jobs:
         run: |
           make sqlc-vet
 
-  # dependency-license-review checks that no license-incompatible dependencies have been introduced. 
+  # dependency-license-review checks that no license-incompatible dependencies have been introduced.
   # This action is not intended to do a vulnerability check since that is handled by a separate action.
   dependency-license-review:
     runs-on: ubuntu-latest
     steps:
-      - name: 'Checkout Repository'
+      - name: "Checkout Repository"
         uses: actions/checkout@v4
-      - name: 'Dependency Review'
+      - name: "Dependency Review"
         id: review
         uses: actions/dependency-review-action@v4
         with:
@@ -914,7 +914,7 @@ jobs:
           allow-licenses: BSD-2-Clause, BSD-3-Clause, CC0-1.0, ISC, MIT, MIT-0, MPL-2.0
           license-check: true
           vulnerability-check: false
-      - name: 'Report'
+      - name: "Report"
         # make sure this step runs even if the previous failed
         if: ${{ failure() && steps.review.conclusion == 'failure' }}
         shell: bash

From 444db54d0ce95d7490bf23d4cdbb4f93ed849555 Mon Sep 17 00:00:00 2001
From: Jon Ayers <jon@coder.com>
Date: Tue, 16 Apr 2024 23:50:56 +0000
Subject: [PATCH 09/25] gpl npm

---
 package.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package.json b/package.json
index b290e5990874d..1fda3f061495e 100644
--- a/package.json
+++ b/package.json
@@ -10,6 +10,7 @@
     "prettier": "3.0.0"
   },
   "dependencies": {
+    "@automattic/calypso-config": "^1.2.0",
     "exec": "^0.2.1"
   },
   "packageManager": "pnpm@8.14.0+sha1.bb42032ff80dba5f9245bc1b03470d2fa0b7fb2f"

From fcde457e97596f8fe4edcd1ebcaf8d10429e3e82 Mon Sep 17 00:00:00 2001
From: Jon Ayers <jon@coder.com>
Date: Wed, 17 Apr 2024 00:05:14 +0000
Subject: [PATCH 10/25] always run report

---
 .github/workflows/ci.yaml | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 765e1865ecf46..44c8c1c460516 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -916,9 +916,15 @@ jobs:
           vulnerability-check: false
       - name: "Report"
         # make sure this step runs even if the previous failed
-        if: ${{ failure() && steps.review.conclusion == 'failure' }}
+        if: always()
         shell: bash
-        env: # store comment HTML data in an environment variable
+        env:
           VULNERABLE_CHANGES: ${{ steps.review.outputs.invalid-license-changes }}
         run: |
-          echo "$VULNERABLE_CHANGES" | jq
+          if [ -n "$VULNERABLE_CHANGES ]; then
+            echo "Invalid or unknown licenses detected, contact sreya to ensure your added dependency falls under one of our allowed licenses."
+            echo "$VULNERABLE_CHANGES" | jq
+            exit 1
+          else
+            echo "No incompatible licenses detected"
+          fi

From d9e72adf88c278d03c5e254d9cf7b9f89bf499e1 Mon Sep 17 00:00:00 2001
From: Jon Ayers <jon@coder.com>
Date: Wed, 17 Apr 2024 00:13:51 +0000
Subject: [PATCH 11/25] quote

---
 .github/workflows/ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 44c8c1c460516..78fb9fc951b20 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -921,7 +921,7 @@ jobs:
         env:
           VULNERABLE_CHANGES: ${{ steps.review.outputs.invalid-license-changes }}
         run: |
-          if [ -n "$VULNERABLE_CHANGES ]; then
+          if [ -n "$VULNERABLE_CHANGES" ]; then
             echo "Invalid or unknown licenses detected, contact sreya to ensure your added dependency falls under one of our allowed licenses."
             echo "$VULNERABLE_CHANGES" | jq
             exit 1

From d7ad1e85c673e20e7ae63eb0d558b11f8ff2c431 Mon Sep 17 00:00:00 2001
From: Jon Ayers <jon@coder.com>
Date: Wed, 17 Apr 2024 00:16:21 +0000
Subject: [PATCH 12/25] add nested dependency

---
 site/package.json   | 1 +
 site/pnpm-lock.yaml | 9 +++++++++
 2 files changed, 10 insertions(+)

diff --git a/site/package.json b/site/package.json
index 24ba4d5262902..66ec2d95e3079 100644
--- a/site/package.json
+++ b/site/package.json
@@ -30,6 +30,7 @@
     "deadcode": "ts-prune | grep -v \".stories\\|.config\\|e2e\\|__mocks__\\|used in module\\|testHelpers\\|typesGenerated\" || echo \"No deadcode found.\""
   },
   "dependencies": {
+    "@automattic/calypso-config": "github:automattic/calypso-config",
     "@emoji-mart/data": "1.1.2",
     "@emoji-mart/react": "1.1.1",
     "@emotion/css": "11.11.2",
diff --git a/site/pnpm-lock.yaml b/site/pnpm-lock.yaml
index b723b4cf25e56..bcb4f4fe5a04c 100644
--- a/site/pnpm-lock.yaml
+++ b/site/pnpm-lock.yaml
@@ -9,6 +9,9 @@ overrides:
   semver: 7.5.3
 
 dependencies:
+  '@automattic/calypso-config':
+    specifier: github:automattic/calypso-config
+    version: github.com/automattic/calypso-config/d46f829b57fe7110ae098ac5221b4c4e2a9533b2
   '@emoji-mart/data':
     specifier: 1.1.2
     version: 1.1.2
@@ -13264,3 +13267,9 @@ packages:
 
   /zwitch@2.0.4:
     resolution: {integrity: sha512-bXE4cR/kVZhKZX/RjPEflHaKVhUVl85noU3v6b8apfQEc1x4A+zBxjZ4lN8LqGd6WZ3dl98pY4o717VFmoPp+A==}
+
+  github.com/automattic/calypso-config/d46f829b57fe7110ae098ac5221b4c4e2a9533b2:
+    resolution: {tarball: https://codeload.github.com/automattic/calypso-config/tar.gz/d46f829b57fe7110ae098ac5221b4c4e2a9533b2}
+    name: '@automattic/calypso-config'
+    version: 1.2.0
+    dev: false

From bce711596d99a8189dce2fbf36296df6cd20f54a Mon Sep 17 00:00:00 2001
From: Jon Ayers <jon@coder.com>
Date: Wed, 17 Apr 2024 00:16:37 +0000
Subject: [PATCH 13/25] Revert "gpl npm"

This reverts commit 444db54d0ce95d7490bf23d4cdbb4f93ed849555.
---
 package.json | 1 -
 1 file changed, 1 deletion(-)

diff --git a/package.json b/package.json
index 1fda3f061495e..b290e5990874d 100644
--- a/package.json
+++ b/package.json
@@ -10,7 +10,6 @@
     "prettier": "3.0.0"
   },
   "dependencies": {
-    "@automattic/calypso-config": "^1.2.0",
     "exec": "^0.2.1"
   },
   "packageManager": "pnpm@8.14.0+sha1.bb42032ff80dba5f9245bc1b03470d2fa0b7fb2f"

From c252fb164b4d5e6989e48ba5c52a25162d742d5e Mon Sep 17 00:00:00 2001
From: Jon Ayers <jon@coder.com>
Date: Wed, 17 Apr 2024 00:17:41 +0000
Subject: [PATCH 14/25] add a gpl go package to be sure we detect both

---
 cmd/coder/main.go | 2 ++
 go.mod            | 1 +
 go.sum            | 2 ++
 3 files changed, 5 insertions(+)

diff --git a/cmd/coder/main.go b/cmd/coder/main.go
index 7d41563c18e68..05295c5b6d323 100644
--- a/cmd/coder/main.go
+++ b/cmd/coder/main.go
@@ -4,6 +4,8 @@ import (
 	_ "time/tzdata"
 
 	"github.com/coder/coder/v2/cli"
+
+	_ "github.com/basgys/go-gpl/gpl"
 )
 
 func main() {
diff --git a/go.mod b/go.mod
index 9346fc742717c..22f1b338f8a46 100644
--- a/go.mod
+++ b/go.mod
@@ -215,6 +215,7 @@ require (
 require go.uber.org/mock v0.4.0
 
 require (
+	github.com/basgys/go-gpl v0.0.0-20230209111130-4e0087feed95
 	github.com/benbjohnson/clock v1.3.5
 	github.com/coder/serpent v0.7.0
 	github.com/gomarkdown/markdown v0.0.0-20231222211730-1d6d20845b47
diff --git a/go.sum b/go.sum
index 10e0890965bc5..62ea977b49377 100644
--- a/go.sum
+++ b/go.sum
@@ -124,6 +124,8 @@ github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiE
 github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
 github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=
 github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
+github.com/basgys/go-gpl v0.0.0-20230209111130-4e0087feed95 h1:K9X3r6eO+Fa1sbcoyWEz5s6R6z3GlpIe9KC5qfcTUX4=
+github.com/basgys/go-gpl v0.0.0-20230209111130-4e0087feed95/go.mod h1:XY/3nkvH5NfeP5X7QNqbwhdXwwD6TCA+NgUHI+UrUPY=
 github.com/benbjohnson/clock v1.3.5 h1:VvXlSJBzZpA/zum6Sj74hxwYI2DIxRWuNIoXAzHZz5o=
 github.com/benbjohnson/clock v1.3.5/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=

From 71e692442ce82dfd252b29904ae7c61f981199f1 Mon Sep 17 00:00:00 2001
From: Jon Ayers <jon@coder.com>
Date: Wed, 17 Apr 2024 00:21:41 +0000
Subject: [PATCH 15/25] Revert "add a gpl go package to be sure we detect both"

This reverts commit c252fb164b4d5e6989e48ba5c52a25162d742d5e.
---
 cmd/coder/main.go | 2 --
 go.mod            | 1 -
 go.sum            | 2 --
 3 files changed, 5 deletions(-)

diff --git a/cmd/coder/main.go b/cmd/coder/main.go
index 05295c5b6d323..7d41563c18e68 100644
--- a/cmd/coder/main.go
+++ b/cmd/coder/main.go
@@ -4,8 +4,6 @@ import (
 	_ "time/tzdata"
 
 	"github.com/coder/coder/v2/cli"
-
-	_ "github.com/basgys/go-gpl/gpl"
 )
 
 func main() {
diff --git a/go.mod b/go.mod
index 22f1b338f8a46..9346fc742717c 100644
--- a/go.mod
+++ b/go.mod
@@ -215,7 +215,6 @@ require (
 require go.uber.org/mock v0.4.0
 
 require (
-	github.com/basgys/go-gpl v0.0.0-20230209111130-4e0087feed95
 	github.com/benbjohnson/clock v1.3.5
 	github.com/coder/serpent v0.7.0
 	github.com/gomarkdown/markdown v0.0.0-20231222211730-1d6d20845b47
diff --git a/go.sum b/go.sum
index 62ea977b49377..10e0890965bc5 100644
--- a/go.sum
+++ b/go.sum
@@ -124,8 +124,6 @@ github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiE
 github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
 github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=
 github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
-github.com/basgys/go-gpl v0.0.0-20230209111130-4e0087feed95 h1:K9X3r6eO+Fa1sbcoyWEz5s6R6z3GlpIe9KC5qfcTUX4=
-github.com/basgys/go-gpl v0.0.0-20230209111130-4e0087feed95/go.mod h1:XY/3nkvH5NfeP5X7QNqbwhdXwwD6TCA+NgUHI+UrUPY=
 github.com/benbjohnson/clock v1.3.5 h1:VvXlSJBzZpA/zum6Sj74hxwYI2DIxRWuNIoXAzHZz5o=
 github.com/benbjohnson/clock v1.3.5/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=

From eed768fc74abc8dc82e688db4b87561f64c1e7f3 Mon Sep 17 00:00:00 2001
From: Jon Ayers <jon@coder.com>
Date: Wed, 17 Apr 2024 00:21:52 +0000
Subject: [PATCH 16/25] Revert "add nested dependency"

This reverts commit d7ad1e85c673e20e7ae63eb0d558b11f8ff2c431.
---
 site/package.json   | 1 -
 site/pnpm-lock.yaml | 9 ---------
 2 files changed, 10 deletions(-)

diff --git a/site/package.json b/site/package.json
index 66ec2d95e3079..24ba4d5262902 100644
--- a/site/package.json
+++ b/site/package.json
@@ -30,7 +30,6 @@
     "deadcode": "ts-prune | grep -v \".stories\\|.config\\|e2e\\|__mocks__\\|used in module\\|testHelpers\\|typesGenerated\" || echo \"No deadcode found.\""
   },
   "dependencies": {
-    "@automattic/calypso-config": "github:automattic/calypso-config",
     "@emoji-mart/data": "1.1.2",
     "@emoji-mart/react": "1.1.1",
     "@emotion/css": "11.11.2",
diff --git a/site/pnpm-lock.yaml b/site/pnpm-lock.yaml
index bcb4f4fe5a04c..b723b4cf25e56 100644
--- a/site/pnpm-lock.yaml
+++ b/site/pnpm-lock.yaml
@@ -9,9 +9,6 @@ overrides:
   semver: 7.5.3
 
 dependencies:
-  '@automattic/calypso-config':
-    specifier: github:automattic/calypso-config
-    version: github.com/automattic/calypso-config/d46f829b57fe7110ae098ac5221b4c4e2a9533b2
   '@emoji-mart/data':
     specifier: 1.1.2
     version: 1.1.2
@@ -13267,9 +13264,3 @@ packages:
 
   /zwitch@2.0.4:
     resolution: {integrity: sha512-bXE4cR/kVZhKZX/RjPEflHaKVhUVl85noU3v6b8apfQEc1x4A+zBxjZ4lN8LqGd6WZ3dl98pY4o717VFmoPp+A==}
-
-  github.com/automattic/calypso-config/d46f829b57fe7110ae098ac5221b4c4e2a9533b2:
-    resolution: {tarball: https://codeload.github.com/automattic/calypso-config/tar.gz/d46f829b57fe7110ae098ac5221b4c4e2a9533b2}
-    name: '@automattic/calypso-config'
-    version: 1.2.0
-    dev: false

From a227f0fc02c5ddf0118345a2219ef93178ba547a Mon Sep 17 00:00:00 2001
From: Jon Ayers <jon@coder.com>
Date: Wed, 17 Apr 2024 00:23:09 +0000
Subject: [PATCH 17/25] update license list

---
 .github/workflows/ci.yaml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 78fb9fc951b20..ad1ec9f00a605 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -910,8 +910,7 @@ jobs:
         id: review
         uses: actions/dependency-review-action@v4
         with:
-          #allow-licenses: Apache-2.0, BSD-2-Clause, BSD-3-Clause, CC0-1.0, ISC, MIT, MIT-0, MPL-2.0
-          allow-licenses: BSD-2-Clause, BSD-3-Clause, CC0-1.0, ISC, MIT, MIT-0, MPL-2.0
+          allow-licenses: Apache-2.0, BSD-2-Clause, BSD-3-Clause, CC0-1.0, ISC, MIT, MIT-0, MPL-2.0
           license-check: true
           vulnerability-check: false
       - name: "Report"
@@ -922,7 +921,7 @@ jobs:
           VULNERABLE_CHANGES: ${{ steps.review.outputs.invalid-license-changes }}
         run: |
           if [ -n "$VULNERABLE_CHANGES" ]; then
-            echo "Invalid or unknown licenses detected, contact sreya to ensure your added dependency falls under one of our allowed licenses."
+            echo "Invalid or unknown licenses detected, contact @sreya to ensure your added dependency falls under one of our allowed licenses."
             echo "$VULNERABLE_CHANGES" | jq
             exit 1
           else

From 37833aa899d93d26fa9c11e0fe85845eb1f8af26 Mon Sep 17 00:00:00 2001
From: Jon Ayers <jon@coder.com>
Date: Wed, 17 Apr 2024 00:25:03 +0000
Subject: [PATCH 18/25] try a valid dependency

---
 cmd/coder/main.go | 2 ++
 go.mod            | 1 +
 go.sum            | 8 ++++++++
 3 files changed, 11 insertions(+)

diff --git a/cmd/coder/main.go b/cmd/coder/main.go
index 7d41563c18e68..5f491bd9d4287 100644
--- a/cmd/coder/main.go
+++ b/cmd/coder/main.go
@@ -4,6 +4,8 @@ import (
 	_ "time/tzdata"
 
 	"github.com/coder/coder/v2/cli"
+
+	_ "github.com/klingtnet/go-project-template/meta"
 )
 
 func main() {
diff --git a/go.mod b/go.mod
index 9346fc742717c..9729cf3162107 100644
--- a/go.mod
+++ b/go.mod
@@ -218,6 +218,7 @@ require (
 	github.com/benbjohnson/clock v1.3.5
 	github.com/coder/serpent v0.7.0
 	github.com/gomarkdown/markdown v0.0.0-20231222211730-1d6d20845b47
+	github.com/klingtnet/go-project-template v0.0.0-20191128080832-2739e890ea62
 )
 
 require (
diff --git a/go.sum b/go.sum
index 10e0890965bc5..7cf3a4cde7225 100644
--- a/go.sum
+++ b/go.sum
@@ -602,6 +602,10 @@ github.com/klauspost/compress v1.17.6 h1:60eq2E/jlfwQXtvZEeBUYADs+BwKBWURIY+Gj2e
 github.com/klauspost/compress v1.17.6/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM=
 github.com/klauspost/cpuid/v2 v2.2.5 h1:0E5MSMDEoAulmXNFquVs//DdoomxaoTY1kUhbc/qbZg=
 github.com/klauspost/cpuid/v2 v2.2.5/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
+github.com/klingtnet/go-project-template v0.0.0-20191128080832-2739e890ea62 h1:C9nll1vr6hryxf3gxvkmWoiWto1lt+LCxEkJXmPOSPs=
+github.com/klingtnet/go-project-template v0.0.0-20191128080832-2739e890ea62/go.mod h1:ht5r0scmg0s/UXgOoIeiRzh6sucrl9qpvbLO4GuQQb8=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a h1:+RR6SqnTkDLWyICxS1xpjCi/3dhyV+TgZwA6Ww3KncQ=
 github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a/go.mod h1:YTtCCM3ryyfiu4F7t8HQ1mxvp1UBdWM2r6Xa+nGWvDk=
 github.com/kr/fs v0.1.0 h1:Jskdu9ieNAYnjxsi0LbQp1ulIKZV1LAFgK1tWhpZgl8=
@@ -809,6 +813,7 @@ github.com/secure-systems-lab/go-securesystemslib v0.7.0/go.mod h1:/2gYnlnHVQ6xe
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
 github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I=
+github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
@@ -827,6 +832,7 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An
 github.com/sqlc-dev/pqtype v0.3.0 h1:b09TewZ3cSnO5+M1Kqq05y0+OjqIptxELaSayg7bmqk=
 github.com/sqlc-dev/pqtype v0.3.0/go.mod h1:oyUjp5981ctiL9UYvj1bVvCKi8OXkCa0u645hce7CAs=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
@@ -1064,9 +1070,11 @@ golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190502175342-a43fa875dd82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191127021746-63cb32ae39b2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

From 84de36a78fe3cbfbae8a0fe096a93c6230753b81 Mon Sep 17 00:00:00 2001
From: Jon Ayers <jon@coder.com>
Date: Wed, 17 Apr 2024 00:35:02 +0000
Subject: [PATCH 19/25] update action to support checking all fields in the
 payload

---
 .github/workflows/ci.yaml | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index ad1ec9f00a605..7c99ee11d8498 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -920,10 +920,19 @@ jobs:
         env:
           VULNERABLE_CHANGES: ${{ steps.review.outputs.invalid-license-changes }}
         run: |
-          if [ -n "$VULNERABLE_CHANGES" ]; then
-            echo "Invalid or unknown licenses detected, contact @sreya to ensure your added dependency falls under one of our allowed licenses."
-            echo "$VULNERABLE_CHANGES" | jq
-            exit 1
-          else
-            echo "No incompatible licenses detected"
-          fi
+          fields=( "unlicensed" "unresolved" "forbidden" )
+
+          # This is unfortunate that we have to do this but the action does not support failing on
+          # an unknown license. The unknown dependency could easily have a GPL license which
+          # would be problematic for us.
+          # Track https://github.com/actions/dependency-review-action/issues/672 for when
+          # we can remove this brittle workaround.
+          for field in "${fields[@]}"; do
+            # Use jq to check if the array is not empty
+            if [[ $(echo "$VULNERABLE_CHANGES" | jq ".${field} | length") -ne 0 ]]; then
+              echo "Invalid or unknown licenses detected, contact @sreya to ensure your added dependency falls under one of our allowed licenses."
+              echo "$VULNERABLE_CHANGES"
+              exit 1
+            fi
+          done
+          echo "No incompatible licenses detected"

From 419f1e8d63ff1f6692841737d9eba50f3164d1d7 Mon Sep 17 00:00:00 2001
From: Jon Ayers <jon@coder.com>
Date: Wed, 17 Apr 2024 00:36:55 +0000
Subject: [PATCH 20/25] Reapply "add nested dependency"

This reverts commit eed768fc74abc8dc82e688db4b87561f64c1e7f3.
---
 site/package.json   | 1 +
 site/pnpm-lock.yaml | 9 +++++++++
 2 files changed, 10 insertions(+)

diff --git a/site/package.json b/site/package.json
index 24ba4d5262902..66ec2d95e3079 100644
--- a/site/package.json
+++ b/site/package.json
@@ -30,6 +30,7 @@
     "deadcode": "ts-prune | grep -v \".stories\\|.config\\|e2e\\|__mocks__\\|used in module\\|testHelpers\\|typesGenerated\" || echo \"No deadcode found.\""
   },
   "dependencies": {
+    "@automattic/calypso-config": "github:automattic/calypso-config",
     "@emoji-mart/data": "1.1.2",
     "@emoji-mart/react": "1.1.1",
     "@emotion/css": "11.11.2",
diff --git a/site/pnpm-lock.yaml b/site/pnpm-lock.yaml
index b723b4cf25e56..bcb4f4fe5a04c 100644
--- a/site/pnpm-lock.yaml
+++ b/site/pnpm-lock.yaml
@@ -9,6 +9,9 @@ overrides:
   semver: 7.5.3
 
 dependencies:
+  '@automattic/calypso-config':
+    specifier: github:automattic/calypso-config
+    version: github.com/automattic/calypso-config/d46f829b57fe7110ae098ac5221b4c4e2a9533b2
   '@emoji-mart/data':
     specifier: 1.1.2
     version: 1.1.2
@@ -13264,3 +13267,9 @@ packages:
 
   /zwitch@2.0.4:
     resolution: {integrity: sha512-bXE4cR/kVZhKZX/RjPEflHaKVhUVl85noU3v6b8apfQEc1x4A+zBxjZ4lN8LqGd6WZ3dl98pY4o717VFmoPp+A==}
+
+  github.com/automattic/calypso-config/d46f829b57fe7110ae098ac5221b4c4e2a9533b2:
+    resolution: {tarball: https://codeload.github.com/automattic/calypso-config/tar.gz/d46f829b57fe7110ae098ac5221b4c4e2a9533b2}
+    name: '@automattic/calypso-config'
+    version: 1.2.0
+    dev: false

From bd799d6d10c6e4d1b661e96af00a0d6550fb778c Mon Sep 17 00:00:00 2001
From: Jon Ayers <jon@coder.com>
Date: Wed, 17 Apr 2024 00:41:04 +0000
Subject: [PATCH 21/25] format output

---
 .github/workflows/ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 7c99ee11d8498..dc30004878268 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -931,7 +931,7 @@ jobs:
             # Use jq to check if the array is not empty
             if [[ $(echo "$VULNERABLE_CHANGES" | jq ".${field} | length") -ne 0 ]]; then
               echo "Invalid or unknown licenses detected, contact @sreya to ensure your added dependency falls under one of our allowed licenses."
-              echo "$VULNERABLE_CHANGES"
+              echo "$VULNERABLE_CHANGES" | jq
               exit 1
             fi
           done

From 7d7220f6ab7f4827adf6daa2db5c274e055d9d29 Mon Sep 17 00:00:00 2001
From: Jon Ayers <jon@coder.com>
Date: Wed, 17 Apr 2024 00:41:26 +0000
Subject: [PATCH 22/25] Revert "Reapply "add nested dependency""

This reverts commit 419f1e8d63ff1f6692841737d9eba50f3164d1d7.
---
 site/package.json   | 1 -
 site/pnpm-lock.yaml | 9 ---------
 2 files changed, 10 deletions(-)

diff --git a/site/package.json b/site/package.json
index 66ec2d95e3079..24ba4d5262902 100644
--- a/site/package.json
+++ b/site/package.json
@@ -30,7 +30,6 @@
     "deadcode": "ts-prune | grep -v \".stories\\|.config\\|e2e\\|__mocks__\\|used in module\\|testHelpers\\|typesGenerated\" || echo \"No deadcode found.\""
   },
   "dependencies": {
-    "@automattic/calypso-config": "github:automattic/calypso-config",
     "@emoji-mart/data": "1.1.2",
     "@emoji-mart/react": "1.1.1",
     "@emotion/css": "11.11.2",
diff --git a/site/pnpm-lock.yaml b/site/pnpm-lock.yaml
index bcb4f4fe5a04c..b723b4cf25e56 100644
--- a/site/pnpm-lock.yaml
+++ b/site/pnpm-lock.yaml
@@ -9,9 +9,6 @@ overrides:
   semver: 7.5.3
 
 dependencies:
-  '@automattic/calypso-config':
-    specifier: github:automattic/calypso-config
-    version: github.com/automattic/calypso-config/d46f829b57fe7110ae098ac5221b4c4e2a9533b2
   '@emoji-mart/data':
     specifier: 1.1.2
     version: 1.1.2
@@ -13267,9 +13264,3 @@ packages:
 
   /zwitch@2.0.4:
     resolution: {integrity: sha512-bXE4cR/kVZhKZX/RjPEflHaKVhUVl85noU3v6b8apfQEc1x4A+zBxjZ4lN8LqGd6WZ3dl98pY4o717VFmoPp+A==}
-
-  github.com/automattic/calypso-config/d46f829b57fe7110ae098ac5221b4c4e2a9533b2:
-    resolution: {tarball: https://codeload.github.com/automattic/calypso-config/tar.gz/d46f829b57fe7110ae098ac5221b4c4e2a9533b2}
-    name: '@automattic/calypso-config'
-    version: 1.2.0
-    dev: false

From 428ac03adb7b0c59a199b6b6bdef2594e7113245 Mon Sep 17 00:00:00 2001
From: Jon Ayers <jon@coder.com>
Date: Wed, 17 Apr 2024 00:42:04 +0000
Subject: [PATCH 23/25] Revert "try a valid dependency"

This reverts commit 37833aa899d93d26fa9c11e0fe85845eb1f8af26.
---
 cmd/coder/main.go | 2 --
 go.mod            | 1 -
 go.sum            | 8 --------
 3 files changed, 11 deletions(-)

diff --git a/cmd/coder/main.go b/cmd/coder/main.go
index 5f491bd9d4287..7d41563c18e68 100644
--- a/cmd/coder/main.go
+++ b/cmd/coder/main.go
@@ -4,8 +4,6 @@ import (
 	_ "time/tzdata"
 
 	"github.com/coder/coder/v2/cli"
-
-	_ "github.com/klingtnet/go-project-template/meta"
 )
 
 func main() {
diff --git a/go.mod b/go.mod
index 9729cf3162107..9346fc742717c 100644
--- a/go.mod
+++ b/go.mod
@@ -218,7 +218,6 @@ require (
 	github.com/benbjohnson/clock v1.3.5
 	github.com/coder/serpent v0.7.0
 	github.com/gomarkdown/markdown v0.0.0-20231222211730-1d6d20845b47
-	github.com/klingtnet/go-project-template v0.0.0-20191128080832-2739e890ea62
 )
 
 require (
diff --git a/go.sum b/go.sum
index 7cf3a4cde7225..10e0890965bc5 100644
--- a/go.sum
+++ b/go.sum
@@ -602,10 +602,6 @@ github.com/klauspost/compress v1.17.6 h1:60eq2E/jlfwQXtvZEeBUYADs+BwKBWURIY+Gj2e
 github.com/klauspost/compress v1.17.6/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM=
 github.com/klauspost/cpuid/v2 v2.2.5 h1:0E5MSMDEoAulmXNFquVs//DdoomxaoTY1kUhbc/qbZg=
 github.com/klauspost/cpuid/v2 v2.2.5/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
-github.com/klingtnet/go-project-template v0.0.0-20191128080832-2739e890ea62 h1:C9nll1vr6hryxf3gxvkmWoiWto1lt+LCxEkJXmPOSPs=
-github.com/klingtnet/go-project-template v0.0.0-20191128080832-2739e890ea62/go.mod h1:ht5r0scmg0s/UXgOoIeiRzh6sucrl9qpvbLO4GuQQb8=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a h1:+RR6SqnTkDLWyICxS1xpjCi/3dhyV+TgZwA6Ww3KncQ=
 github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a/go.mod h1:YTtCCM3ryyfiu4F7t8HQ1mxvp1UBdWM2r6Xa+nGWvDk=
 github.com/kr/fs v0.1.0 h1:Jskdu9ieNAYnjxsi0LbQp1ulIKZV1LAFgK1tWhpZgl8=
@@ -813,7 +809,6 @@ github.com/secure-systems-lab/go-securesystemslib v0.7.0/go.mod h1:/2gYnlnHVQ6xe
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
 github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I=
-github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
@@ -832,7 +827,6 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An
 github.com/sqlc-dev/pqtype v0.3.0 h1:b09TewZ3cSnO5+M1Kqq05y0+OjqIptxELaSayg7bmqk=
 github.com/sqlc-dev/pqtype v0.3.0/go.mod h1:oyUjp5981ctiL9UYvj1bVvCKi8OXkCa0u645hce7CAs=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
@@ -1070,11 +1064,9 @@ golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190502175342-a43fa875dd82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191127021746-63cb32ae39b2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

From e450103095b7c0e6b49776160385e11fc66021be Mon Sep 17 00:00:00 2001
From: Jon Ayers <jon@coder.com>
Date: Wed, 17 Apr 2024 00:42:08 +0000
Subject: [PATCH 24/25] Reapply "add a gpl go package to be sure we detect
 both"

This reverts commit 71e692442ce82dfd252b29904ae7c61f981199f1.
---
 cmd/coder/main.go | 2 ++
 go.mod            | 1 +
 go.sum            | 2 ++
 3 files changed, 5 insertions(+)

diff --git a/cmd/coder/main.go b/cmd/coder/main.go
index 7d41563c18e68..05295c5b6d323 100644
--- a/cmd/coder/main.go
+++ b/cmd/coder/main.go
@@ -4,6 +4,8 @@ import (
 	_ "time/tzdata"
 
 	"github.com/coder/coder/v2/cli"
+
+	_ "github.com/basgys/go-gpl/gpl"
 )
 
 func main() {
diff --git a/go.mod b/go.mod
index 9346fc742717c..22f1b338f8a46 100644
--- a/go.mod
+++ b/go.mod
@@ -215,6 +215,7 @@ require (
 require go.uber.org/mock v0.4.0
 
 require (
+	github.com/basgys/go-gpl v0.0.0-20230209111130-4e0087feed95
 	github.com/benbjohnson/clock v1.3.5
 	github.com/coder/serpent v0.7.0
 	github.com/gomarkdown/markdown v0.0.0-20231222211730-1d6d20845b47
diff --git a/go.sum b/go.sum
index 10e0890965bc5..62ea977b49377 100644
--- a/go.sum
+++ b/go.sum
@@ -124,6 +124,8 @@ github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiE
 github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
 github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=
 github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
+github.com/basgys/go-gpl v0.0.0-20230209111130-4e0087feed95 h1:K9X3r6eO+Fa1sbcoyWEz5s6R6z3GlpIe9KC5qfcTUX4=
+github.com/basgys/go-gpl v0.0.0-20230209111130-4e0087feed95/go.mod h1:XY/3nkvH5NfeP5X7QNqbwhdXwwD6TCA+NgUHI+UrUPY=
 github.com/benbjohnson/clock v1.3.5 h1:VvXlSJBzZpA/zum6Sj74hxwYI2DIxRWuNIoXAzHZz5o=
 github.com/benbjohnson/clock v1.3.5/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=

From 245d44e815d877b16fe80d07148f3c538d7e4271 Mon Sep 17 00:00:00 2001
From: Jon Ayers <jon@coder.com>
Date: Wed, 17 Apr 2024 00:44:39 +0000
Subject: [PATCH 25/25] Revert "Reapply "add a gpl go package to be sure we
 detect both""

This reverts commit e450103095b7c0e6b49776160385e11fc66021be.
---
 cmd/coder/main.go | 2 --
 go.mod            | 1 -
 go.sum            | 2 --
 3 files changed, 5 deletions(-)

diff --git a/cmd/coder/main.go b/cmd/coder/main.go
index 05295c5b6d323..7d41563c18e68 100644
--- a/cmd/coder/main.go
+++ b/cmd/coder/main.go
@@ -4,8 +4,6 @@ import (
 	_ "time/tzdata"
 
 	"github.com/coder/coder/v2/cli"
-
-	_ "github.com/basgys/go-gpl/gpl"
 )
 
 func main() {
diff --git a/go.mod b/go.mod
index 22f1b338f8a46..9346fc742717c 100644
--- a/go.mod
+++ b/go.mod
@@ -215,7 +215,6 @@ require (
 require go.uber.org/mock v0.4.0
 
 require (
-	github.com/basgys/go-gpl v0.0.0-20230209111130-4e0087feed95
 	github.com/benbjohnson/clock v1.3.5
 	github.com/coder/serpent v0.7.0
 	github.com/gomarkdown/markdown v0.0.0-20231222211730-1d6d20845b47
diff --git a/go.sum b/go.sum
index 62ea977b49377..10e0890965bc5 100644
--- a/go.sum
+++ b/go.sum
@@ -124,8 +124,6 @@ github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiE
 github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
 github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=
 github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
-github.com/basgys/go-gpl v0.0.0-20230209111130-4e0087feed95 h1:K9X3r6eO+Fa1sbcoyWEz5s6R6z3GlpIe9KC5qfcTUX4=
-github.com/basgys/go-gpl v0.0.0-20230209111130-4e0087feed95/go.mod h1:XY/3nkvH5NfeP5X7QNqbwhdXwwD6TCA+NgUHI+UrUPY=
 github.com/benbjohnson/clock v1.3.5 h1:VvXlSJBzZpA/zum6Sj74hxwYI2DIxRWuNIoXAzHZz5o=
 github.com/benbjohnson/clock v1.3.5/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=