#!/usr/bin/env bash
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# Generate THIRD_PARTY_NOTICES.md from the go.mod dependency
# graph. Uses `go-licenses` for the SPDX classification and
# license-text retrieval; we postprocess into a stable markdown
# layout so the file diffs cleanly across releases.
#
# Run: ./scripts/gen-third-party-notices.sh > THIRD_PARTY_NOTICES.md
#
# CI verifies the committed file is byte-identical to a fresh
# generation. If you bump a dependency, re-run this and commit
# the result in the same PR.

set -euo pipefail

# Require go-licenses; install via `go install
# github.com/google/go-licenses@latest`. We don't auto-install in
# CI to keep the script deterministic.
if ! command -v go-licenses >/dev/null 2>&1; then
  echo "fatal: go-licenses not on PATH; install with 'go install github.com/google/go-licenses@latest'" >&2
  exit 2
fi

ROOT="$(cd "$(dirname "$0")/.." && pwd)"
cd "$ROOT"

cat <<'HEADER'
# Third-party notices

shithub depends on the open-source software listed below. Each
entry includes the module path, the license SPDX identifier as
detected by go-licenses, and a link upstream. The full license
texts are bundled with each Go module under your `$GOPATH/pkg/mod/`
checkout when you build from source; this file is the index, not
the corpus.

This file is generated by `scripts/gen-third-party-notices.sh`
from the active `go.mod`. Do not edit by hand; re-run the script
when bumping dependencies and commit the result in the same PR.

CI verifies that the committed file is byte-identical to a fresh
generation.

## Modules

HEADER

# go-licenses csv emits "<module>,<license_url>,<license_type>".
# We sort and reformat into a markdown table.
go-licenses csv ./... 2>/dev/null \
  | sort -u \
  | awk -F, '
      BEGIN {
          printf "| Module | License | Source |\n"
          printf "|---|---|---|\n"
      }
      {
          mod=$1; url=$2; lic=$3
          # Skip our own module path
          if (mod ~ /tenseleyFlow\/shithub/) next
          printf "| `%s` | %s | [link](%s) |\n", mod, lic, url
      }
  '

cat <<'FOOTER'

## Notes

- Modules under `golang.org/x/...` are subject to the
  [Go BSD-style license](https://go.dev/LICENSE) unless noted
  otherwise.
- The Go standard library and toolchain are licensed under the
  [Go BSD-style license](https://go.dev/LICENSE) and are not
  enumerated here.
- A small number of dependencies expose multiple licenses in
  their repository (e.g., a base license plus an alternate for
  bundled vendor code). go-licenses reports the one applying to
  the imported package; full license materials are in each
  module's distribution.
FOOTER