diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml
index 7dda8c9bd..468f425ae 100644
--- a/.github/workflows/code-scanning.yml
+++ b/.github/workflows/code-scanning.yml
@@ -46,6 +46,9 @@ jobs:
 queries: "" # Default query suite
 packs: github/ccr-${{ matrix.language }}-queries
 config: |
+ paths-ignore:
+ - third-party
+ - third-party-licenses.*.md
 default-setup:
 org:
 model-packs: [ ${{ github.event.inputs.code_scanning_codeql_packs }} ]
diff --git a/.github/workflows/license-check.yml b/.github/workflows/license-check.yml
index d9cb59fb7..a2638eb1f 100644
--- a/.github/workflows/license-check.yml
+++ b/.github/workflows/license-check.yml
@@ -1,9 +1,22 @@
-# Create a github action that runs the license check script and fails if it exits with a non-zero status
+# Automatically fix license files on PRs that need updates
+# Tries to auto-commit the fix, or comments with instructions if push fails
 name: License Check
-on: [push, pull_request]
+on:
+ pull_request:
+ branches:
+ - main # Only run when PR targets main
+ paths:
+ - "**.go"
+ - go.mod
+ - go.sum
+ - ".github/licenses.tmpl"
+ - "script/licenses*"
+ - "third-party-licenses.*.md"
+ - "third-party/**"
 permissions:
- contents: read
+ contents: write
+ pull-requests: write
 jobs:
 license-check:
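Review bot: The new `paths-ignore` entries carry no comment saying why `third-party` and `third-party-licenses.*.md` are excluded, and the reason is not visible from this file alone. The license-check.yml change in the same commit shows both paths are regenerated by `script/licenses` and committed by the workflow, so a one-line comment above `paths-ignore:` such as `# generated license notices written by script/licenses, not project source` would record that and remind anyone renaming the output location to update both workflows.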
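Review bot: The `paths:` filter means a PR that touches none of the listed files produces no run of this workflow at all; if `license-check` is configured as a required status check in branch protection, such PRs would wait on a check that never reports, so either confirm it is not required or add a comment stating that it must not be. The workflow-level `permissions` now grant `contents: write` and `pull-requests: write` to every step, including the ones that execute the PR branch's own `script/licenses`; on the `pull_request` trigger GitHub issues a read-only token for PRs from forks, so the write scopes only take effect for branches in this repository, and that is worth stating next to `permissions:`, e.g. `# write scopes let the job push regenerated files and comment; fork PRs still receive a read-only token`. The `# Only run when PR targets main` note is the only comment on the trigger; the `paths:` list would benefit from one saying it mirrors the inputs and outputs of `script/licenses`.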
@@ -12,10 +25,87 @@ jobs:
 steps:
 - name: Check out code
 uses: actions/checkout@v6
+ with:
+ ref: ${{ github.head_ref }}
 - name: Set up Go
 uses: actions/setup-go@v6
 with:
 go-version-file: "go.mod"
- - name: check licenses
- run: ./script/licenses-check
+
+ # actions/setup-go does not setup the installed toolchain to be preferred over the system install,
+ # which causes go-licenses to raise "Package ... does not have module info" errors.
+ # For more information, https://github.com/google/go-licenses/issues/244#issuecomment-1885098633
+ - name: Regenerate licenses
+ env:
+ CI: "true"
+ run: |
+ export GOROOT=$(go env GOROOT)
+ export PATH=${GOROOT}/bin:$PATH
+ ./script/licenses
+
+ - name: Check for changes
+ id: changes
+ continue-on-error: true
+ run: script/licenses-check
+
+ - name: Commit and push fixes
+ if: steps.changes.outcome == 'failure'
+ continue-on-error: true
+ id: push
+ run: |
+ git config user.name "github-actions[bot]"
+ git config user.email "github-actions[bot]@users.noreply.github.com"
+ git add third-party-licenses.*.md third-party/
+ git commit -m "chore: regenerate license files
+
+Auto-generated by license-check workflow"
+ git push
+
+ - name: Check if already commented
+ if: steps.changes.outcome == 'failure' && steps.push.outcome == 'failure'
+ id: check_comment
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const { data: comments } = await github.rest.issues.listComments({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: context.issue.number
+ });
+
+ const alreadyCommented = comments.some(comment =>
+ comment.user.login === 'github-actions[bot]' &&
+ comment.body.includes('## ⚠️ License files need updating')
+ );
+
+ core.setOutput('already_commented', alreadyCommented ? 'true' : 'false');
+
+ - name: Comment with instructions if cannot push
+ if: steps.changes.outcome == 'failure' && steps.push.outcome == 'failure' && steps.check_comment.outputs.already_commented == 'false'
+ uses: actions/github-script@v7
+ with:
+ script: |
+ await github.rest.issues.createComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: context.issue.number,
+ body: `## ⚠️ License files need updating
+
+The license files are out of date. I tried to fix them automatically but don't have permission to push to this branch.
+
+**Please run:**
+\`\`\`bash
+script/licenses
+git add third-party-licenses.*.md third-party/
+git commit -m "chore: regenerate license files"
+git push
+\`\`\`
+
+Alternatively, enable "Allow edits by maintainers" in the PR settings so I can fix it automatically.`
+ });
+
+ - name: Fail check if changes needed
+ if: steps.changes.outcome == 'failure'
+ run: exit 1
+
diff --git a/script/licenses b/script/licenses
index 214efa435..5aa8ec16b 100755
--- a/script/licenses
+++ b/script/licenses
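Review bot: `ref: ${{ github.head_ref }}` in the checkout step names the head branch but not the repository it lives in, so for a PR opened from a fork actions/checkout looks for that branch in the base repository and fails before the push-or-comment fallback is ever reached; add the head repo under the same `with:`, `repository: ${{ github.event.pull_request.head.repo.full_name }}`. The `Regenerate licenses` step exports `GOROOT` and `PATH` and sets `CI: "true"`, while the `script/licenses` hunk in this same commit performs the identical export whenever `CI` is `true`, so one of the two copies is redundant and should be dropped to keep a single source of truth. The collapsed rendering here suggests that `Auto-generated by license-check workflow"` in the commit step and the comment body lines from `The license files are out of date` onward sit at column 0 inside `run: |` and `script: |` block scalars; if that is the real indentation, a less-indented line terminates the block scalar and the workflow file will not parse, so please confirm against the actual file and indent those lines to the scalar's level if needed. `Fail check if changes needed` exits 1 even when the push succeeded, and a push made with `GITHUB_TOKEN` does not start a new run, so a same-repo PR stays red until the author pushes again; if that is intended, a comment above the step such as `# fail on the original commit even after a successful auto-fix: the bot push does not trigger a fresh run` would save the next reader from treating it as a bug.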
@@ -16,10 +16,23 @@ # # Normally these warnings are packages containing non go code, which may or may not require explicit attribution, # depending on the license. - set -e -go install github.com/google/go-licenses@latest +# Pinned version for CI reproducibility, latest for local development +# See: https://github.com/cli/cli/pull/11161 +if [ "$CI" = "true" ]; then + go install github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e # v2.0.1 +else + go install github.com/google/go-licenses@latest +fi + +# actions/setup-go does not setup the installed toolchain to be preferred over the system install, +# which causes go-licenses to raise "Package ... does not have module info" errors in CI. +# For more information, https://github.com/google/go-licenses/issues/244#issuecomment-1885098633 +if [ "$CI" = "true" ]; then + export GOROOT=$(go env GOROOT) + export PATH=${GOROOT}/bin:$PATH +fi # actions/setup-go does not setup the installed toolchain to be preferred over the system install, # which causes go-licenses to raise "Package ... does not have module info" errors in CI.