feat(release): publish THIRD_PARTY_NOTICES.md as a release asset#722
Merged
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@RELEASING.md`:
- Around line 142-144: Update the "Third-party notices" bullet so it doesn't
promise full license texts for every dependency: change the description
referencing `THIRD_PARTY_NOTICES.md` (generated by `make notices` via
`go-licenses`) to say it "includes dependency notices and available license
text" (or equivalent) to reflect that some entries may only contain notices or
fallbacks when full texts are unavailable.
In `@tools/generate-notices`:
- Around line 39-40: Add a safety guard before the rm -rf "${LICENSES_DIR}"
call: validate LICENSES_DIR is non-empty, not "/" or empty string, does not
equal "." or "..", and (optionally) ensure it is inside an expected parent
(e.g., under a known workspace or the repository root) or matches a safe
relative-path pattern; if the check fails, exit with an error instead of
deleting. Locate the rm -rf usage in tools/generate-notices and implement the
checks around the LICENSES_DIR variable to abort on unsafe values before
performing removal.
- Around line 121-134: The script currently captures only the first discovered
license file using license_file and find ... -print -quit; replace this by
collecting all matching files into an array (e.g., license_files) via find
without -quit (or globbing), then change the output logic in the block that
references license_file to iterate over license_files and for each lf print the
'```text' fence, cat "${lf}", a blank line and the closing '```' (with an extra
blank line between entries); if license_files is empty fall back to the existing
"License text unavailable..." printf. Ensure you update references to
license_file (and its test -f) to instead check the license_files array length
and loop accordingly.
Review info: configuration from .coderabbit.yaml, review profile ASSERTIVE, plan Enterprise.
Files selected for processing (7):
- .github/actions/go-build-release/action.yml
- .github/workflows/on-tag.yaml
- .gitignore
- .goreleaser.yaml
- Makefile
- RELEASING.md
- tools/generate-notices
Coverage Report ✅: No Go source files changed in this PR.
Generate an aggregated third-party notices file from every Go module linked into the released aicr/aicrd/validator binaries and upload it as a top-level GitHub release artifact, so downstream redistributors have a single self-contained file with each dependency's verbatim license text.

- tools/generate-notices: new shell script that drives 'go-licenses save' + 'go-licenses csv' on ./..., excludes stdlib and the local module, and composes THIRD_PARTY_NOTICES.md (index table + per-dep sections with license text inline).
- Makefile: 'make notices' target; 'make release' depends on it so the file is produced before goreleaser runs. Output lives at the repo root because 'goreleaser release --clean' wipes dist/ at the start of a release run, and goreleaser's pipeline order makes before.hooks an unworkable place for dist/-resident artifacts. 'make clean' and LICENSE_IGNORES updated; help-full lists the new target.
- .goreleaser.yaml: release.extra_files uploads the file to the GitHub release alongside binaries/SBOM/checksums.
- .github/actions/go-build-release: installs go-licenses (version pinned in .settings.yaml linting.go_licenses) before invoking 'make release'; new go_licenses_version input.
- .github/workflows/on-tag.yaml: passes go_licenses_version through from the load-versions composite.
- .gitignore: ignores generated THIRD_PARTY_NOTICES.md and the .licenses-cache/ working directory.
- RELEASING.md: documents the new artifact under Supply Chain.
5895046 to 5be070c
mchmarny approved these changes Apr 30, 2026
Summary

Generate an aggregated `THIRD_PARTY_NOTICES.md` from every Go module linked into the released `aicr`/`aicrd`/`validator` binaries and upload it as a top-level GitHub release artifact, so downstream redistributors have a single self-contained file with each dependency's verbatim license text.

Motivation / Context

Downstream redistributors of the released binaries need a single, self-contained file enumerating every transitively-linked Go module and its license text to satisfy attribution requirements. Today there is no such artifact published with the release.
Fixes: N/A
Related: N/A
Type of Change
Component(s) Affected

`Makefile`, `.goreleaser.yaml`, `.github/actions/go-build-release`, `.github/workflows/on-tag.yaml`, `tools/generate-notices`, `RELEASING.md`

Implementation Notes

- `tools/generate-notices`: new shell script that drives `go-licenses save` + `go-licenses csv` on `./...`, excludes the Go stdlib and the local module, and composes `THIRD_PARTY_NOTICES.md` (index table + per-dependency sections with license text inline).
- `Makefile`: adds `make notices`; `make release` depends on it so the file is produced before goreleaser runs. Output lives at the repo root because `goreleaser release --clean` wipes `dist/` at the start of a release run, and goreleaser's pipeline order makes `before.hooks` an unworkable place for `dist/`-resident artifacts. `make clean` and `LICENSE_IGNORES` updated; `help-full` lists the new target.
- `.goreleaser.yaml`: `release.extra_files` uploads the file to the GitHub release alongside binaries/SBOM/checksums.
- `.github/actions/go-build-release`: installs `go-licenses` (version pinned in `.settings.yaml` `linting.go_licenses`) before invoking `make release`; new `go_licenses_version` input.
- `.github/workflows/on-tag.yaml`: passes `go_licenses_version` through from the load-versions composite.
- `.gitignore`: ignores generated `THIRD_PARTY_NOTICES.md` and the `.licenses-cache/` working directory.
- `RELEASING.md`: documents the new artifact under Supply Chain.

Testing

Local: `make notices` produces a well-formed `THIRD_PARTY_NOTICES.md`; release artifact upload verified by inspecting `.goreleaser.yaml` `release.extra_files`.

Risk Assessment
Rollout notes: Effective on the next tag-driven release. No migration steps required.
Checklist
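As an added example (not the project's `tools/generate-notices` and not code from this PR), the script below implements the two guards asked for in the review comment on `tools/generate-notices` above (refuse to `rm -rf` an unsafe `LICENSES_DIR`; emit every saved license file for a module rather than only the first) together with the composition step described under Implementation Notes (index table plus per-module sections, fallback line when no text was saved). It runs offline on constructed input: the CSV rows, the `github.com/example/*` module paths, the local-module path `github.com/example/aicr` and the saved license tree are all made up here and stand in for the output of `go-licenses csv ./...` and `go-licenses save ./...`.

```shell
#!/usr/bin/env bash
# Added example, not the project's tools/generate-notices. It implements the
# two guards asked for in review (no rm -rf on an unsafe LICENSES_DIR; emit every
# saved license file, not just the first) and the composition step from the PR
# description (index table + per-module sections). CSV rows, module paths under
# github.com/example/ and the license tree are constructed fixtures; the real
# script gets them from `go-licenses csv ./...` and `go-licenses save ./...`.
set -eu

# Recreate DIR empty, but only if it is a relative path without ".." that
# resolves (through any symlink) inside the current workspace; otherwise
# return 1 without deleting anything.
safe_clean_dir() {
  local dir="${1%/}" root resolved
  case "$dir" in
    ""|"."|".."|/*|../*|*/..|*/../*) return 1 ;;
  esac
  root="$(pwd -P)"
  if [ -e "$dir" ]; then
    resolved="$(cd -- "$dir" 2>/dev/null && pwd -P)" || return 1
    case "$resolved" in "$root"/*) ;; *) return 1 ;; esac
    rm -rf -- "$dir"
  fi
  mkdir -p -- "$dir"
}

# Reduce a go-licenses CSV (module,license URL,license type) to unique
# third-party rows: drop the local module and any import path whose first
# element has no dot, which is what Go stdlib paths ("fmt", "net/http") look like.
third_party_rows() {
  local csv="$1" local_module="$2" mod url kind
  while IFS=, read -r mod url kind; do
    [ -n "$mod" ] || continue
    case "$mod" in "$local_module"|"$local_module"/*) continue ;; esac
    case "${mod%%/*}" in *.*) ;; *) continue ;; esac
    printf '%s,%s,%s\n' "$mod" "$url" "$kind"
  done < "$csv" | sort -u
}

# Write OUT: an index table, then one section per module holding every
# LICENSE*/COPYING*/NOTICE* file under LICENSES_DIR/<module> in its own fenced
# block, or a fallback line when nothing was saved for that module.
compose_notices() {
  local csv="$1" licenses_dir="$2" out="$3" local_module="$4"
  local rows fence mod url kind files f
  rows="$(third_party_rows "$csv" "$local_module")"
  fence="$(printf '\140\140\140')"  # three backticks, built so this file holds no literal fence
  {
    printf '# Third-party notices\n\n| Module | License | Source |\n|---|---|---|\n'
    printf '%s\n' "$rows" | while IFS=, read -r mod url kind; do
      [ -n "$mod" ] || continue
      printf '| %s | %s | %s |\n' "$mod" "$kind" "$url"
    done
    printf '%s\n' "$rows" | while IFS=, read -r mod url kind; do
      [ -n "$mod" ] || continue
      printf '\n## %s\n\nLicense: %s\n' "$mod" "$kind"
      files=""
      if [ -d "$licenses_dir/$mod" ]; then
        files="$(find "$licenses_dir/$mod" -maxdepth 1 -type f \
          \( -iname 'LICENSE*' -o -iname 'COPYING*' -o -iname 'NOTICE*' \) | sort)"
      fi
      if [ -z "$files" ]; then
        printf '\nLicense text unavailable in the go-licenses save output; see %s\n' "$url"
        continue
      fi
      printf '%s\n' "$files" | while read -r f; do
        printf '\n%s (%s)\n\n%stext\n' "$mod" "${f##*/}" "$fence"
        cat -- "$f"
        printf '\n%s\n' "$fence"
      done
    done
  } > "$out"
}

# Constructed fixtures: dep-a has two saved files, dep-b none (exercises the
# fallback), the duplicate dep-a row exercises de-duplication, and
# github.com/example/aicr stands in for the local module.
build_fixture() {
  local work="$1"
  printf '%s\n' \
    'github.com/example/aicr,https://github.com/example/aicr/blob/main/LICENSE,Apache-2.0' \
    'fmt,Unknown,Unknown' \
    'github.com/example/dep-a,https://github.com/example/dep-a/blob/v1.2.0/LICENSE,MIT' \
    'github.com/example/dep-a,https://github.com/example/dep-a/blob/v1.2.0/LICENSE,MIT' \
    'github.com/example/dep-b,https://github.com/example/dep-b/blob/v0.3.1/COPYING,BSD-3-Clause' \
    > "$work/deps.csv"
  mkdir -p "$work/.licenses-cache/github.com/example/dep-a"
  printf 'MIT License\n\nCopyright (c) dep-a authors\n' \
    > "$work/.licenses-cache/github.com/example/dep-a/LICENSE"
  printf 'dep-a NOTICE: portions derived from other projects\n' \
    > "$work/.licenses-cache/github.com/example/dep-a/NOTICE"
}

# Run the flow in a scratch workspace and print the path of the generated file.
demo() {
  local work
  work="$(mktemp -d)"
  (
    cd -- "$work"
    safe_clean_dir .licenses-cache   # guarded wipe-and-recreate
    build_fixture "$work"            # stands in for go-licenses save + csv
    compose_notices deps.csv .licenses-cache THIRD_PARTY_NOTICES.md github.com/example/aicr
  )
  printf '%s\n' "$work/THIRD_PARTY_NOTICES.md"
}

if [ "${1:-}" = demo ]; then cat "$(demo)"; fi
```

Run it as `bash notices-example.sh demo` to print the generated Markdown: the index lists dep-a once despite the duplicate CSV row, dep-a's section carries its LICENSE and NOTICE in separate fences, dep-b gets the fallback line, and neither `fmt` nor the local module appears. The resolved-path check in `safe_clean_dir` is what the string-pattern checks alone miss: a `.licenses-cache` that is a symlink pointing outside the workspace passes every pattern but is refused once resolved with `pwd -P`, and the symlink itself is left in place.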