Should the textual output of the reuse Action go into a GitHub issue? #5

Closed
jeremiah opened this issue Apr 16, 2020 · 3 comments

@jeremiah

Hi,

This GitHub action from reuse is awesome. I wonder if the textual output from the Action should go into a GitHub issue. It's not a big deal since you can dig into the Action's output via the GitHub interface, but I think that I'd prefer to have the message dumped into an issue, at least when the code is not compliant. This is the output I'm referring to:

```
* docs/_config.yml
* docs/index.html
* t/00-load.t

The following files have no copyright information:
* docs/roadmap.md

The following files have no licensing information:
* README.md
* license_database/GPL-3.0
* spdxl.tx


# SUMMARY

* Bad licenses:
* Deprecated licenses:
* Licenses without file extension:
* Missing licenses: CC-BY-4.0, GPL-3.0
* Unused licenses:
* Used licenses:
* Read errors: 0
* Files with copyright information: 5 / 19
* Files with license information: 3 / 19

Unfortunately, your project is not compliant with version 3.0 of the REUSE Specification :-(
```

@mxmehl
Member

mxmehl commented Apr 19, 2020

Interesting idea. However, I would see a few problematic questions:

  • For every failed test, would it create a new issue?
  • Only for tests in master, or also for every pull request, potentially by others?

Is there any action that does this kind of reporting already? I guess it should be configurable so it doesn't annoy maintainers and contributors.

@jeremiah
Author

jeremiah commented Apr 20, 2020

> Interesting idea. However, I would see a few problematic questions:
>
> * For every failed test, would it create a new issue?

Fair question. I would say no, one issue for everything. (Or you could just put the summary into the issue if the action fails compliance.) Users can always create other issues from the initial issue and spamming them with multiple issues might be icky.

> * Only for tests in master, or also for every pull request, potentially by others?

The ScanOSS Action does on every pull, though I don't know if it looks at branches. It's my (rather vague) understanding that actions run on every pull regardless of branch or location. This makes actions almost unusable for open source projects and GitHub warns you about this. Frankly I prefer GitLab's ability to assign a runner with a token and wish GitHub had the same functionality.

> Is there any action that does this kind of reporting already? I guess it should be configurable so it doesn't annoy maintainers and contributors.

The ScanOSS action dumps an issue into issues -> https://github.com/marketplace/scanoss-app
It has some fatal flaws:

  1. They charge money for more than 5 scans a day
  2. It creates really egregious false positives, like: scanoss.app initial scan results jeremiah/spdxl#20. In that issue they claim my Perl module (SPDXL.pm) is copyright IP from StackOverflow. If you surf to SO in the link they provide you'll see that the snippet in question itself has been taken verbatim from the GPL.

@mxmehl
Member

mxmehl commented Jul 20, 2023

With newer REUSE tool versions, more and more "innovative" ways in which people are using DEP5 files are becoming apparent, but we also create some false positives and bugs ourselves (see yanked 2.0.0 release). All of this convinces me that this action creating wild issues would increase frustration, which is the last thing we want. Also, it would multiply the maintenance of this action as it increases the complexity.

Therefore, I would like to close this although it may be helpful on some occasions.

@mxmehl mxmehl closed this as completed Jul 20, 2023