chore: add REUSE license compliance checks#90
Open
jacobo-doist wants to merge 1 commit into
Open
Conversation
doistbot
reviewed
Jul 10, 2026
doistbot
left a comment
Member
There was a problem hiding this comment.
This PR adds REUSE/SPDX license compliance tooling, canonical license texts, CI verification, and a distribution artifact verification script to ensure vendored Tom Select assets are properly licensed and checked.
Few things worth tightening:
- The new lint and artifact-verification workflow only runs on pushes to
mainand PRs, but releases are published on tag pushes viapublish.yml— consider adding the same verification to the publish build job or triggering this workflow for tags so the actual release artifacts are checked. - The packaged BSD-3-Clause license text is missing the required first-line sentence "All rights reserved." — add it so the distributed file matches the canonical SPDX text identified by its filename and metadata.
| pull_request: | ||
|
|
||
| jobs: | ||
| license-compliance: |
Member
There was a problem hiding this comment.
This workflow only runs for pushes to
main and pull requests, while releases are built and published by publish.yml on tag pushes. A tag can therefore publish artifacts without reuse lint or the distribution-license verification running. Add the verification to the publish build job (or trigger this job for tags) so the release artifact itself is checked.
| @@ -0,0 +1,11 @@ | |||
| Copyright (c) <year> <owner>. | |||
Member
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
PR #89 vendors Tom Select assets in the cohort form. The assets are Apache-2.0 licensed, so releases need the full license text and a repeatable way to preserve and verify third-party licensing metadata.
What changed
v6.2.0.6.2.0and its dependencies inuv.lock, then run it from the locked environment in CI.LICENSES/.Validation
uv sync --lockeduv run --locked reuse lintuv run ruff check .uv run ruff format --check .uv run pytest -q