tenseleyflow/shithub / 0104569


S38: THIRD_PARTY_NOTICES + go-licenses generator

Authored by espadonne
SHA
010456944a05dc1a1bccdaca74c2f65945bfe47e
Parents
9931683
Tree
a36c0bc

2 changed files

Status  File  +  -
A  THIRD_PARTY_NOTICES.md  61  0
A  scripts/gen-third-party-notices.sh  81  0
THIRD_PARTY_NOTICES.md added
@@ -0,0 +1,61 @@
1
+# Third-party notices
2
+
3
+shithub depends on the open-source software listed below. Each
4
+entry includes the module path, the license SPDX identifier as
5
+detected by go-licenses, and a link upstream. The full license
6
+texts are bundled with each Go module under your `$GOPATH/pkg/mod/`
7
+checkout when you build from source; this file is the index, not
8
+the corpus.
9
+
10
+This file is generated by `scripts/gen-third-party-notices.sh`
11
+from the active `go.mod`. Do not edit by hand; re-run the script
12
+when bumping dependencies and commit the result in the same PR.
13
+
14
+CI verifies that the committed file is byte-identical to a fresh
15
+generation.
16
+
17
+## Modules
18
+
19
+| Module | License | Source |
20
+|---|---|---|
21
+| `github.com/alecthomas/chroma/v2` | MIT | [link](https://github.com/alecthomas/chroma) |
22
+| `github.com/bluekeyes/go-gitdiff` | MIT | [link](https://github.com/bluekeyes/go-gitdiff) |
23
+| `github.com/boombuler/barcode` | MIT | [link](https://github.com/boombuler/barcode) |
24
+| `github.com/BurntSushi/toml` | MIT | [link](https://github.com/BurntSushi/toml) |
25
+| `github.com/getsentry/sentry-go` | MIT | [link](https://github.com/getsentry/sentry-go) |
26
+| `github.com/go-chi/chi/v5` | MIT | [link](https://github.com/go-chi/chi) |
27
+| `github.com/jackc/pgx/v5` | MIT | [link](https://github.com/jackc/pgx) |
28
+| `github.com/justinas/nosurf` | MIT | [link](https://github.com/justinas/nosurf) |
29
+| `github.com/microcosm-cc/bluemonday` | BSD-3-Clause | [link](https://github.com/microcosm-cc/bluemonday) |
30
+| `github.com/minio/minio-go/v7` | Apache-2.0 | [link](https://github.com/minio/minio-go) |
31
+| `github.com/pquerna/otp` | Apache-2.0 | [link](https://github.com/pquerna/otp) |
32
+| `github.com/pressly/goose/v3` | MIT | [link](https://github.com/pressly/goose) |
33
+| `github.com/prometheus/client_golang` | Apache-2.0 | [link](https://github.com/prometheus/client_golang) |
34
+| `github.com/spf13/cobra` | Apache-2.0 | [link](https://github.com/spf13/cobra) |
35
+| `github.com/yuin/goldmark` | MIT | [link](https://github.com/yuin/goldmark) |
36
+| `go.opentelemetry.io/otel` | Apache-2.0 | [link](https://github.com/open-telemetry/opentelemetry-go) |
37
+| `go.opentelemetry.io/otel/exporters/otlp/otlptrace` | Apache-2.0 | [link](https://github.com/open-telemetry/opentelemetry-go) |
38
+| `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp` | Apache-2.0 | [link](https://github.com/open-telemetry/opentelemetry-go) |
39
+| `go.opentelemetry.io/otel/sdk` | Apache-2.0 | [link](https://github.com/open-telemetry/opentelemetry-go) |
40
+| `go.opentelemetry.io/otel/trace` | Apache-2.0 | [link](https://github.com/open-telemetry/opentelemetry-go) |
41
+| `golang.org/x/crypto` | BSD-3-Clause | [link](https://cs.opensource.google/go/x/crypto) |
42
+| `golang.org/x/image` | BSD-3-Clause | [link](https://cs.opensource.google/go/x/image) |
43
+| `golang.org/x/sync` | BSD-3-Clause | [link](https://cs.opensource.google/go/x/sync) |
44
+
45
+## Notes
46
+
47
+- Modules under `golang.org/x/...` are subject to the
48
+  [Go BSD-style license](https://go.dev/LICENSE) unless noted
49
+  otherwise.
50
+- The Go standard library and toolchain are licensed under the
51
+  [Go BSD-style license](https://go.dev/LICENSE) and are not
52
+  enumerated here.
53
+- A small number of dependencies expose multiple licenses in
54
+  their repository (e.g., a base license plus an alternate for
55
+  bundled vendor code). go-licenses reports the one applying to
56
+  the imported package; full license materials are in each
57
+  module's distribution.
58
+- Indirect (transitive) dependencies are subject to their own
59
+  licenses. Run `go mod graph` for the full dependency tree;
60
+  `go-licenses csv ./...` enumerates licenses for everything
61
+  imported by build, not just the direct `require` block.
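Review bot: The last Notes bullet (lines 58-61, "Indirect (transitive) dependencies ...") is not in the FOOTER heredoc of scripts/gen-third-party-notices.sh, so a fresh generation cannot be byte-identical to this committed file and the CI check promised on lines 14-15 would fail. Either add the bullet to the script's FOOTER or drop it here. The table also reads as curated rather than generated: the script prints the license URL reported by go-licenses in the Source column, while these rows carry repository links, and `github.com/BurntSushi/toml` is placed case-insensitively after `boombuler`, an order `sort -u` yields only under some locales. Regenerate the file with the script as committed so the index matches what CI compares against.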
scripts/gen-third-party-notices.sh added
@@ -0,0 +1,81 @@
1
+#!/usr/bin/env bash
2
+# SPDX-License-Identifier: AGPL-3.0-or-later
3
+#
4
+# Generate THIRD_PARTY_NOTICES.md from the go.mod dependency
5
+# graph. Uses `go-licenses` for the SPDX classification and
6
+# license-text retrieval; we postprocess into a stable markdown
7
+# layout so the file diffs cleanly across releases.
8
+#
9
+# Run: ./scripts/gen-third-party-notices.sh > THIRD_PARTY_NOTICES.md
10
+#
11
+# CI verifies the committed file is byte-identical to a fresh
12
+# generation. If you bump a dependency, re-run this and commit
13
+# the result in the same PR.
14
+
15
+set -euo pipefail
16
+
17
+# Require go-licenses; install via `go install
18
+# github.com/google/go-licenses@latest`. We don't auto-install in
19
+# CI to keep the script deterministic.
20
+if ! command -v go-licenses >/dev/null 2>&1; then
21
+  echo "fatal: go-licenses not on PATH; install with 'go install github.com/google/go-licenses@latest'" >&2
22
+  exit 2
23
+fi
24
+
25
+ROOT="$(cd "$(dirname "$0")/.." && pwd)"
26
+cd "$ROOT"
27
+
28
+cat <<'HEADER'
29
+# Third-party notices
30
+
31
+shithub depends on the open-source software listed below. Each
32
+entry includes the module path, the license SPDX identifier as
33
+detected by go-licenses, and a link upstream. The full license
34
+texts are bundled with each Go module under your `$GOPATH/pkg/mod/`
35
+checkout when you build from source; this file is the index, not
36
+the corpus.
37
+
38
+This file is generated by `scripts/gen-third-party-notices.sh`
39
+from the active `go.mod`. Do not edit by hand; re-run the script
40
+when bumping dependencies and commit the result in the same PR.
41
+
42
+CI verifies that the committed file is byte-identical to a fresh
43
+generation.
44
+
45
+## Modules
46
+
47
+HEADER
48
+
49
+# go-licenses csv emits "<module>,<license_url>,<license_type>".
50
+# We sort and reformat into a markdown table.
51
+go-licenses csv ./... 2>/dev/null \
52
+  | sort -u \
53
+  | awk -F, '
54
+      BEGIN {
55
+          printf "| Module | License | Source |\n"
56
+          printf "|---|---|---|\n"
57
+      }
58
+      {
59
+          mod=$1; url=$2; lic=$3
60
+          # Skip our own module path
61
+          if (mod ~ /tenseleyFlow\/shithub/) next
62
+          printf "| `%s` | %s | [link](%s) |\n", mod, lic, url
63
+      }
64
+  '
65
+
66
+cat <<'FOOTER'
67
+
68
+## Notes
69
+
70
+- Modules under `golang.org/x/...` are subject to the
71
+  [Go BSD-style license](https://go.dev/LICENSE) unless noted
72
+  otherwise.
73
+- The Go standard library and toolchain are licensed under the
74
+  [Go BSD-style license](https://go.dev/LICENSE) and are not
75
+  enumerated here.
76
+- A small number of dependencies expose multiple licenses in
77
+  their repository (e.g., a base license plus an alternate for
78
+  bundled vendor code). go-licenses reports the one applying to
79
+  the imported package; full license materials are in each
80
+  module's distribution.
81
+FOOTER
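Review bot: `go-licenses csv ./... 2>/dev/null` on line 51 discards the tool's diagnostics, so under `set -euo pipefail` a failure aborts the script with no explanation and any warnings it prints never reach the CI log; let stderr through, or redirect it to a file that CI keeps. Two details undercut the byte-identical guarantee in the header comment: `sort -u` collates by the caller's locale, so use `LC_ALL=C sort -u`, and the install hint on lines 17-21 points at `go-licenses@latest`, so two machines can classify with different tool versions; pin a version there and in CI. The self-module filter `/tenseleyFlow\/shithub/` is case-sensitive, so confirm it matches the module path declared in go.mod, otherwise the project lists itself. The `mod`, `lic` and `url` fields are also written into the table unescaped, so a `|` or backtick in any of them would break the row.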