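#!/usr/bin/env bash
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# Generate THIRD_PARTY_NOTICES.md from the go.mod dependency
# graph. Uses `go-licenses` for the SPDX classification and
# license-text retrieval; we postprocess into a stable markdown
# layout so the file diffs cleanly across releases.
#
# Run: ./scripts/gen-third-party-notices.sh > THIRD_PARTY_NOTICES.md
#
# CI verifies the committed file is byte-identical to a fresh
# generation. If you bump a dependency, re-run this and commit
# the result in the same PR.
#
# Exit status: 2 when go-licenses is missing, the go-licenses exit
# status when enumeration fails, 0 otherwise.

set -euo pipefail

# Require go-licenses; install via `go install
# github.com/google/go-licenses@latest`. We don't auto-install in
# CI to keep the script deterministic.
# NOTE(review): `@latest` resolves to whatever is newest at install
# time, so two machines can run different go-licenses releases and
# classify the same module differently. For a byte-identical CI check
# (and to avoid running an unreviewed tool release), install a pinned
# version in CI.
if ! command -v go-licenses >/dev/null 2>&1; then
  echo "fatal: go-licenses not on PATH; install with 'go install github.com/google/go-licenses@latest'" >&2
  exit 2
fi

ROOT="$(cd "$(dirname "$0")/.." && pwd)"
cd "$ROOT"

# Enumerate dependencies BEFORE writing anything to stdout. The script
# is normally run with stdout redirected onto THIRD_PARTY_NOTICES.md,
# so emitting the header first and failing afterwards would leave a
# truncated notices file behind.
work_dir="$(mktemp -d)"
trap 'rm -rf -- "$work_dir"' EXIT

# go-licenses is chatty on stderr even when it succeeds, so stderr is
# kept out of the normal output. It is captured rather than discarded:
# on failure it is the only explanation of which module could not be
# classified.
rc=0
go-licenses csv ./... >"$work_dir/licenses.csv" 2>"$work_dir/stderr.log" || rc=$?
if ((rc != 0)); then
  echo "fatal: go-licenses csv failed (exit $rc); diagnostics follow" >&2
  cat -- "$work_dir/stderr.log" >&2
  exit "$rc"
fi

cat <<'HEADER'
# Third-party notices

shithub depends on the open-source software listed below. Each
entry includes the module path, the license SPDX identifier as
detected by go-licenses, and a link upstream. The full license
texts are bundled with each Go module under your `$GOPATH/pkg/mod/`
checkout when you build from source; this file is the index, not
the corpus.

This file is generated by `scripts/gen-third-party-notices.sh`
from the active `go.mod`. Do not edit by hand; re-run the script
when bumping dependencies and commit the result in the same PR.

CI verifies that the committed file is byte-identical to a fresh
generation.

## Modules

HEADER

# go-licenses csv emits "<module>,<license_url>,<license_type>".
# We sort and reformat into a markdown table.
#
# LC_ALL=C forces byte-wise collation. Without it the row order depends
# on the locale of whoever runs the script, which defeats the
# byte-identical comparison CI performs.
#
# The three fields are written into the table verbatim; a field that
# contained `|` or a comma would corrupt its row.
LC_ALL=C sort -u -- "$work_dir/licenses.csv" \
  | awk -F, '
      BEGIN {
        printf "| Module | License | Source |\n"
        printf "|---|---|---|\n"
      }
      {
        mod=$1; url=$2; lic=$3
        # Skip our own module path
        # NOTE(review): unanchored substring match; any module path
        # containing this text is dropped from the table as well.
        if (mod ~ /tenseleyFlow\/shithub/) next
        printf "| `%s` | %s | [link](%s) |\n", mod, lic, url
      }
    '

cat <<'FOOTER'

## Notes

- Modules under `golang.org/x/...` are subject to the
[Go BSD-style license](https://go.dev/LICENSE) unless noted
otherwise.
- The Go standard library and toolchain are licensed under the
[Go BSD-style license](https://go.dev/LICENSE) and are not
enumerated here.
- A small number of dependencies expose multiple licenses in
their repository (e.g., a base license plus an alternate for
bundled vendor code). go-licenses reports the one applying to
the imported package; full license materials are in each
module's distribution.
FOOTER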