Skip to content

chore: add REUSE license compliance checks#90

Open
jacobo-doist wants to merge 1 commit into
mainfrom
chore/reuse-license-compliance
Open

chore: add REUSE license compliance checks#90
jacobo-doist wants to merge 1 commit into
mainfrom
chore/reuse-license-compliance

Conversation

@jacobo-doist

Copy link
Copy Markdown
Contributor

Why

PR #89 vendors Tom Select assets in the cohort form. The assets are Apache-2.0 licensed, so releases need the full license text and a repeatable way to preserve and verify third-party licensing metadata.

What changed

  • Add REUSE/SPDX metadata for Bitmapist and the vendored Tom Select files.
  • Package canonical BSD-3-Clause and Apache-2.0 texts in both wheels and source distributions.
  • Run the documented REUSE pre-commit hook at v6.2.0.
  • Lock REUSE 6.2.0 and its dependencies in uv.lock, then run it from the locked environment in CI.
  • Verify every built artifact includes every canonical license file in LICENSES/.

Validation

  • uv sync --locked
  • uv run --locked reuse lint
  • uv run ruff check .
  • uv run ruff format --check .
  • uv run pytest -q
  • Fresh wheel and sdist build plus license-artifact verification

@doistbot doistbot left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR adds REUSE/SPDX license compliance tooling, canonical license texts, CI verification, and a distribution artifact verification script to ensure vendored Tom Select assets are properly licensed and checked.

Few things worth tightening:

  • The new lint and artifact-verification workflow only runs on pushes to main and PRs, but releases are published on tag pushes via publish.yml — consider adding the same verification to the publish build job or triggering this workflow for tags so the actual release artifacts are checked.
  • The packaged BSD-3-Clause license text is missing the required first-line sentence "All rights reserved." — add it so the distributed file matches the canonical SPDX text identified by its filename and metadata.

Share FeedbackReview Logs

pull_request:

jobs:
license-compliance:

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 This workflow only runs for pushes to main and pull requests, while releases are built and published by publish.yml on tag pushes. A tag can therefore publish artifacts without reuse lint or the distribution-license verification running. Add the verification to the publish build job (or trigger this job for tags) so the release artifact itself is checked.

Comment thread LICENSES/BSD-3-Clause.txt
@@ -0,0 +1,11 @@
Copyright (c) <year> <owner>.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 This is not the canonical SPDX BSD-3-Clause text: the first line must read Copyright (c) <year> <owner>. All rights reserved. Add the omitted sentence so the distributed file matches the license identified by its SPDX filename and metadata.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants