
feat(release): publish THIRD_PARTY_NOTICES.md as a release asset#722

Merged: mchmarny merged 1 commit into main from feat/release-third-party-notices on Apr 30, 2026

Conversation

@ayuskauskas (Contributor)

Summary

Generate an aggregated THIRD_PARTY_NOTICES.md from every Go module linked into the released aicr/aicrd/validator binaries and upload it as a top-level GitHub release artifact, so downstream redistributors have a single self-contained file with each dependency's verbatim license text.

Motivation / Context

Downstream redistributors of the released binaries need a single, self-contained file enumerating every transitively-linked Go module and its license text to satisfy attribution requirements. Today there is no such artifact published with the release.

Fixes: N/A
Related: N/A

Type of Change

  • New feature (non-breaking change that adds functionality)
  • Build/CI/tooling

Component(s) Affected

  • Other: Release pipeline (Makefile, .goreleaser.yaml, .github/actions/go-build-release, .github/workflows/on-tag.yaml, tools/generate-notices, RELEASING.md)

Implementation Notes

  • tools/generate-notices: new shell script that drives go-licenses save + go-licenses csv on ./..., excludes the Go stdlib and the local module, and composes THIRD_PARTY_NOTICES.md (index table + per-dependency sections with license text inline).
  • Makefile: adds make notices; make release depends on it so the file is produced before goreleaser runs. Output lives at the repo root because goreleaser release --clean wipes dist/ at the start of a release run, and goreleaser's pipeline order makes before.hooks an unworkable place for dist/-resident artifacts. make clean and LICENSE_IGNORES updated; help-full lists the new target.
  • .goreleaser.yaml: release.extra_files uploads the file to the GitHub release alongside binaries/SBOM/checksums.
  • .github/actions/go-build-release: installs go-licenses (version pinned in .settings.yaml linting.go_licenses) before invoking make release; new go_licenses_version input.
  • .github/workflows/on-tag.yaml: passes go_licenses_version through from the load-versions composite.
  • .gitignore: ignores generated THIRD_PARTY_NOTICES.md and the .licenses-cache/ working directory.
  • RELEASING.md: documents the new artifact under Supply Chain.

Testing

make qualify

Local make notices produces a well-formed THIRD_PARTY_NOTICES.md; release artifact upload verified by inspecting .goreleaser.yaml release.extra_files.

Risk Assessment

  • Low — Isolated change to the release pipeline; no runtime/binary behavior change. The artifact is purely additive.

Rollout notes: Effective on the next tag-driven release. No migration steps required.

Checklist

  • Tests pass locally (`make test` with `-race`)
  • Linter passes (`make lint`)
  • I did not skip/disable tests to make CI green
  • I added/updated tests for new functionality (release-pipeline shell script; covered via release dry-run)
  • I updated docs if user-facing behavior changed (`RELEASING.md`)
  • Changes follow existing patterns in the codebase
  • Commits are cryptographically signed (`git commit -S`)

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@RELEASING.md`:
- Around line 142-144: Update the "Third-party notices" bullet so it doesn't
promise full license texts for every dependency: change the description
referencing `THIRD_PARTY_NOTICES.md` (generated by `make notices` via
`go-licenses`) to say it "includes dependency notices and available license
text" (or equivalent) to reflect that some entries may only contain notices or
fallbacks when full texts are unavailable.

In `@tools/generate-notices`:
- Around line 39-40: Add a safety guard before the rm -rf "${LICENSES_DIR}"
call: validate LICENSES_DIR is non-empty, not "/" or empty string, does not
equal "." or "..", and (optionally) ensure it is inside an expected parent
(e.g., under a known workspace or the repository root) or matches a safe
relative-path pattern; if the check fails, exit with an error instead of
deleting. Locate the rm -rf usage in tools/generate-notices and implement the
checks around the LICENSES_DIR variable to abort on unsafe values before
performing removal.
- Around line 121-134: The script currently captures only the first discovered
license file using license_file and find ... -print -quit; replace this by
collecting all matching files into an array (e.g., license_files) via find
without -quit (or globbing), then change the output logic in the block that
references license_file to iterate over license_files and for each lf print the
'```text' fence, cat "${lf}", a blank line and the closing '```' (with an extra
blank line between entries); if license_files is empty fall back to the existing
"License text unavailable..." printf. Ensure you update references to
license_file (and its test -f) to instead check the license_files array length
and loop accordingly.

📥 Commits

Reviewing files that changed from the base of the PR and between 8843981 and 5895046.

📒 Files selected for processing (7)
  • .github/actions/go-build-release/action.yml
  • .github/workflows/on-tag.yaml
  • .gitignore
  • .goreleaser.yaml
  • Makefile
  • RELEASING.md
  • tools/generate-notices

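The guard the review asks for around `rm -rf "${LICENSES_DIR}"`, written as an added example rather than the project's own tools/generate-notices: it accepts only a non-empty, dot-free path that resolves strictly inside the repository root and is not a symlink, and fails closed otherwise. The `.licenses-cache` name comes from the PR; the function names, the `ROOT` argument and the error message are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not the project's tools/generate-notices: refuse to `rm -rf` a
# cache directory unless the path is unambiguously safe. The default name
# .licenses-cache is taken from the PR; everything else here is an assumption.

# validate_cache_dir ROOT DIR
# Returns 0 if DIR (relative to ROOT, or absolute) is safe to remove, 1 otherwise.
# Side effect: sets abs_dir to the absolute path that clean_cache_dir will remove.
validate_cache_dir() {
  root="$1"
  dir="$2"
  # Reject the obviously catastrophic values outright.
  case "${dir}" in
    ""|"/"|"."|"..") return 1 ;;
  esac
  # Reject any '..' path component so the path cannot climb out of ROOT.
  case "/${dir}/" in
    */../*) return 1 ;;
  esac
  # Canonicalise ROOT; fail closed if it does not exist.
  abs_root=$(cd "${root}" 2>/dev/null && pwd -P) || return 1
  # Build the absolute form of DIR (it may not exist yet on a fresh checkout).
  case "${dir}" in
    /*) abs_dir="${dir}" ;;
    *)  abs_dir="${abs_root}/${dir}" ;;
  esac
  # Never follow a symlink: a cache dir that points elsewhere is suspicious.
  if [ -L "${abs_dir}" ]; then
    return 1
  fi
  # Accept only paths strictly below ROOT (ROOT itself is never a cache dir).
  case "${abs_dir}" in
    "${abs_root}"/?*) return 0 ;;
    *) return 1 ;;
  esac
}

# clean_cache_dir ROOT DIR
# Removes DIR only when validate_cache_dir accepts it; aborts otherwise.
clean_cache_dir() {
  if ! validate_cache_dir "$1" "$2"; then
    echo "generate-notices: refusing to remove unsafe LICENSES_DIR '$2'" >&2
    return 1
  fi
  rm -rf "${abs_dir}"
}
```

In the script this would replace the bare `rm -rf` with `clean_cache_dir "${REPO_ROOT}" "${LICENSES_DIR}" || exit 1`, so a mis-set variable stops the run instead of deleting from the wrong place.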
@github-actions Bot (Contributor) commented Apr 30, 2026

Coverage Report ✅

Metric     Value
Coverage   75.2%
Threshold  70%
Status     Pass
Coverage Badge
![Coverage](https://img.shields.io/badge/coverage-75.2%25-green)

No Go source files changed in this PR.

Generate an aggregated third-party notices file from every Go module
linked into the released aicr/aicrd/validator binaries and upload it
as a top-level GitHub release artifact, so downstream redistributors
have a single self-contained file with each dependency's verbatim
license text.

- tools/generate-notices: new shell script that drives 'go-licenses
  save' + 'go-licenses csv' on ./..., excludes stdlib and the local
  module, and composes THIRD_PARTY_NOTICES.md (index table + per-dep
  sections with license text inline).
- Makefile: 'make notices' target; 'make release' depends on it so
  the file is produced before goreleaser runs. Output lives at the
  repo root because 'goreleaser release --clean' wipes dist/ at the
  start of a release run, and goreleaser's pipeline order makes
  before.hooks an unworkable place for dist/-resident artifacts.
  'make clean' and LICENSE_IGNORES updated; help-full lists the
  new target.
- .goreleaser.yaml: release.extra_files uploads the file to the
  GitHub release alongside binaries/SBOM/checksums.
- .github/actions/go-build-release: installs go-licenses (version
  pinned in .settings.yaml linting.go_licenses) before invoking
  'make release'; new go_licenses_version input.
- .github/workflows/on-tag.yaml: passes go_licenses_version through
  from the load-versions composite.
- .gitignore: ignores generated THIRD_PARTY_NOTICES.md and the
  .licenses-cache/ working directory.
- RELEASING.md: documents the new artifact under Supply Chain.
@ayuskauskas force-pushed the feat/release-third-party-notices branch from 5895046 to 5be070c, April 30, 2026 19:57
@github-actions Bot added size/L and removed size/M labels, Apr 30, 2026
@mchmarny enabled auto-merge (squash), April 30, 2026 19:59
@mchmarny merged commit c1703eb into main, Apr 30, 2026
30 checks passed
@mchmarny deleted the feat/release-third-party-notices branch, April 30, 2026 20:07