
Add compliance#52

Merged
AlphaOne1 merged 5 commits into master from add_compliance on Oct 2, 2025

Conversation

@AlphaOne1
Owner

@AlphaOne1 AlphaOne1 commented Oct 2, 2025

Summary by CodeRabbit

  • New Features
    • Automated release workflow: source archives, checksums, and SLSA provenance.
  • Security
    • Enhanced CI security checks, linting and vulnerability reporting; refined CodeQL and Scorecard settings.
  • Compliance
    • Added DCO checks, REUSE metadata, DCO.txt and multiple license files.
  • Documentation
    • Added/updated AUTHORS, CONTRIBUTING, CODE_OF_CONDUCT, GOVERNANCE, SECURITY, README, and issue/PR templates; standardized DMorph branding.
  • Build/Test
    • Bumped Go to 1.25; expanded CI matrices; enabled more parallel tests.
  • Chores
    • Applied SPDX headers repo-wide; ignored .DS_Store; improved error handling and related tests.

- Introduced `.markdownlint.json.license`, `go.sum.license`, and other SPDX-related license files for consistent licensing.
- Added compliance-related GitHub Actions workflows (`compliance.yml`) for REUSE and DCO checks.
- Added `GOVERNANCE.md` to outline the project's governance model.
- Integrated Developer Certificate of Origin (DCO.txt) and license files for project contributions and compliance.
- Updated LICENSES directory with detailed license texts (e.g., `MPL-2.0.txt`, `CC-BY-4.0.txt`).

Signed-off-by: Alexander Adam <alphaone23@gmail.com>
Signed-off-by: Alexander Adam <alphaone23@gmail.com>
Signed-off-by: Alexander Adam <alphaone23@gmail.com>
@AlphaOne1 AlphaOne1 self-assigned this Oct 2, 2025
@coderabbitai

coderabbitai Bot commented Oct 2, 2025

Warning

Rate limit exceeded

@AlphaOne1 has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 13 minutes and 52 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 29581e8 and c406042.

📒 Files selected for processing (3)
  • .github/workflows/compliance.yml (1 hunks)
  • .github/workflows/release.yml (1 hunks)
  • go.mod (1 hunks)

Walkthrough

The patch adds SPDX headers across many files, introduces governance/legal documents and DCO support, centralizes error wrapping with a new util, updates tests to use parallel subtests, upgrades Go/tooling deps, and adds/changes multiple GitHub Actions workflows for compliance, release, security, and testing.

Changes

Cohort / File(s) Summary
SPDX & metadata updates
.github/CODEOWNERS, .github/FUNDING.yml, .github/dependabot.yml, .github/workflows/dependency-review.yml, .markdownlint.json.license, README.md, SECURITY.md, go.sum.license, *.sql (testData/*), dialect_*.go (CSVQ/DB2/MSSQL/MySQL/Oracle/Postgres/SQLite), .gitignore, .golangci.yaml
Inserted SPDX-FileCopyrightText / SPDX-License-Identifier headers and small comment tweaks; mostly metadata-only edits.
GitHub templates
.github/ISSUE_TEMPLATE/bug_report.md, .github/ISSUE_TEMPLATE/feature_request.md, .github/PULL_REQUEST_TEMPLATE.md
Added SPDX header metadata; minor placeholder and checklist wording fixes in bug and PR templates.
New/updated workflows
.github/workflows/compliance.yml, .github/workflows/release.yml, .github/workflows/security.yml, .github/workflows/test.yml, .github/workflows/codeql.yml, .github/workflows/dependency-review.yml, .github/workflows/scorecard.yml
Added a Compliance workflow (REUSE + DCO checks), added a Release workflow (source archive, checksums, SLSA provenance), added/modified security and test workflows (golangci-lint job, vulnerability handling, matrix/stable Go, gotestsum usage), and minor comment/permission fixes.
Legal & governance files (new)
AUTHORS.md, DCO.txt, GOVERNANCE.md, LICENSES/CC-BY-4.0.txt, LICENSES/LicenseRef-DCO.txt, LICENSES/MPL-2.0.txt
Added authors, DCO, governance document, and license texts.
Centralized error helper & usage
utils.go, dialects.go, file_migration.go
New wrapIfError(text, err) helper; replaced several raw error returns with wrapped errors and added filepath.Clean on migration file opens.
Tests & test scaffolding
dialects_test.go, file_migration_test.go, migration_test.go, utils_internal_test.go, exports_internal_test.go
Converted tests to use t.Parallel and subtests, switched some asserts to require, added TwrapIfError exported alias for testing, and added unit tests for wrapIfError.
Minor refactor
migration.go
Local variable rename (m → morpher) in NewMorpher and updated references.
Module/tooling updates
go.mod
Bumped Go toolchain to 1.25.0, added/updated indirect dependencies and a gotestsum tool directive.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev
  participant GH as GitHub Actions
  participant REUSE as REUSE Check
  participant DCO_Push as CheckSignedOffCommit
  participant DCO_PR as CheckSignedOffPullRequest

  Dev->>GH: push / pull_request
  GH->>REUSE: run REUSE compliance
  alt push (normal)
    GH->>DCO_Push: compute commit range, validate Signed-off-by
    DCO_Push-->>GH: fail on missing DCO / succeed
  else pull_request (no bypass-dco)
    GH->>DCO_PR: fetch PR commits (gh api/gh cli), validate Signed-off-by
    DCO_PR-->>GH: fail on missing DCO / succeed
  end
  note right of GH: Hardened runner enforced (egress/audit)
sequenceDiagram
  autonumber
  participant GH as GitHub Releases
  participant Build as Build Job
  participant Checksum as ChecksumReleaseAssets
  participant Prov as AssetProvenance

  GH-->>Build: on release.published
  Build->>Build: Harden + Checkout, create tar.gz source archive
  Build->>GH: upload archive (gh release upload)
  Build-->>Checksum: artifact produced
  Checksum->>Checksum: Harden + Checkout, download release assets
  Checksum->>Checksum: compute SHA-256 sums, base64 encode subjects
  Checksum-->>Prov: provide base64 subjects file
  Prov->>Prov: generate SLSA provenance (generic SLSA3)
  Prov->>GH: attach provenance / upload artifacts
  note right of Prov: job sets provenance permissions

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

Poem

I thump my paws and sign each line,
SPDX stars above the code now shine.
I wrap errors neat and tidy, too,
Tests run in parallel—hippity-hoo!
Releases hum provenance anew. 🐇✨

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)
Check name Status Explanation Resolution
Title Check ❓ Inconclusive The provided title “Add compliance” is related to the broad set of license and DCO compliance updates but is too generic to convey the primary scope of changes, which include adding SPDX headers across files, introducing DCO requirements, and new compliance workflows. It does not clearly summarize the main changes in a way that a reviewer or future reader can quickly understand. Because the title lacks specificity about the core modifications, it is not sufficiently descriptive. Consider renaming the pull request to explicitly reflect the key updates, for example “Add SPDX license headers, DCO compliance checks, and GitHub compliance workflows,” so that the title clearly summarizes the major changes in one concise sentence.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changes. Docstring coverage check skipped.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands and usage tips.

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@codecov-commenter

codecov-commenter commented Oct 2, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

Files with missing lines Coverage Δ
dialect_csvq.go 100.00% <ø> (ø)
dialect_db2.go 100.00% <ø> (ø)
dialect_mssql.go 100.00% <ø> (ø)
dialect_mysql.go 100.00% <ø> (ø)
dialect_oracle.go 100.00% <ø> (ø)
dialect_postgres.go 100.00% <ø> (ø)
dialect_sqlite.go 100.00% <ø> (ø)
dialects.go 93.47% <100.00%> (ø)
file_migration.go 100.00% <100.00%> (ø)
migration.go 96.34% <100.00%> (ø)
... and 1 more


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 6

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/security.yml (1)

98-107: Restore correct govulncheck SARIF gating.

grep results always succeeds because the SARIF schema always contains a results key, so hasResults is now always true. Revert to checking for an empty array to avoid uploading empty reports.

Try this change:

-                if grep results govulncheck-results.sarif
-                then
-                    echo "hasResults=true" >> $GITHUB_OUTPUT
-                else
-                    echo "hasResults=false" >> $GITHUB_OUTPUT
-                fi
+                if grep -q '"results": \[\]' govulncheck-results.sarif
+                then
+                    echo "hasResults=false" >> $GITHUB_OUTPUT
+                else
+                    echo "hasResults=true" >> $GITHUB_OUTPUT
+                fi
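Review bot: the replacement pattern `grep -q '"results": \[\]'` in the `+` lines only matches when the SARIF is serialized with exactly one space and no line break between `"results":` and `[]`; a pretty-printed empty array (`"results": [` followed by `]` on the next line) or a file with several `runs` entries would miss the match and `hasResults` would again be true, re-uploading an empty report. Testing the parsed document instead of its text removes that formatting dependency, for example `if [ "$(jq '[.runs[].results[]] | length' govulncheck-results.sarif)" -gt 0 ]`, and while touching these lines the redirection target should be quoted as `"$GITHUB_OUTPUT"`.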
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between aac8971 and 731e49f.

⛔ Files ignored due to path filters (2)
  • dmorph_logo.svg is excluded by !**/*.svg
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (46)
  • .github/CODEOWNERS (1 hunks)
  • .github/FUNDING.yml (1 hunks)
  • .github/ISSUE_TEMPLATE/bug_report.md (2 hunks)
  • .github/ISSUE_TEMPLATE/feature_request.md (1 hunks)
  • .github/PULL_REQUEST_TEMPLATE.md (2 hunks)
  • .github/dependabot.yml (1 hunks)
  • .github/workflows/codeql.yml (3 hunks)
  • .github/workflows/compliance.yml (1 hunks)
  • .github/workflows/dependency-review.yml (1 hunks)
  • .github/workflows/release.yml (1 hunks)
  • .github/workflows/scorecard.yml (1 hunks)
  • .github/workflows/security.yml (4 hunks)
  • .github/workflows/test.yml (3 hunks)
  • .gitignore (1 hunks)
  • .golangci.yaml (1 hunks)
  • .markdownlint.json.license (1 hunks)
  • AUTHORS.md (1 hunks)
  • CODE_OF_CONDUCT.md (3 hunks)
  • CONTRIBUTING.md (6 hunks)
  • DCO.txt (1 hunks)
  • GOVERNANCE.md (1 hunks)
  • LICENSES/CC-BY-4.0.txt (1 hunks)
  • LICENSES/LicenseRef-DCO.txt (1 hunks)
  • LICENSES/MPL-2.0.txt (1 hunks)
  • README.md (1 hunks)
  • SECURITY.md (1 hunks)
  • dialect_csvq.go (1 hunks)
  • dialect_db2.go (1 hunks)
  • dialect_mssql.go (1 hunks)
  • dialect_mysql.go (1 hunks)
  • dialect_oracle.go (1 hunks)
  • dialect_postgres.go (1 hunks)
  • dialect_sqlite.go (1 hunks)
  • dialects.go (4 hunks)
  • dialects_test.go (4 hunks)
  • exports_internal_test.go (2 hunks)
  • file_migration.go (6 hunks)
  • file_migration_test.go (6 hunks)
  • go.mod (1 hunks)
  • go.sum.license (1 hunks)
  • migration.go (2 hunks)
  • migration_test.go (22 hunks)
  • testData/01_base_table.sql (1 hunks)
  • testData/02_addon_table.sql (1 hunks)
  • utils.go (1 hunks)
  • utils_internal_test.go (1 hunks)
🧰 Additional context used
🧬 Code graph analysis (3)
dialects_test.go (1)
dialect_sqlite.go (1)
  • DialectSQLite (7-22)
utils_internal_test.go (1)
exports_internal_test.go (1)
  • TwrapIfError (18-18)
migration_test.go (4)
exports_internal_test.go (2)
  • TwrapIfError (18-18)
  • TmigrationOrder (17-17)
migration.go (5)
  • Run (312-320)
  • NewMorpher (134-151)
  • WithDialect (86-92)
  • WithLog (105-111)
  • WithTableName (115-129)
dialect_sqlite.go (1)
  • DialectSQLite (7-22)
file_migration.go (1)
  • WithMigrationFromFile (38-57)
🪛 YAMLlint (1.37.1)
.github/workflows/security.yml

[warning] 99-99: too many spaces after colon

(colons)

.github/workflows/release.yml

[warning] 104-104: too many spaces after colon

(colons)

🔇 Additional comments (42)
.github/ISSUE_TEMPLATE/feature_request.md (1)

1-3: SPDX header addition looks good.

Consistent with the repo-wide licensing updates.

dialect_db2.go (1)

1-2: Header modernization acknowledged.

SPDX metadata replaces the old comment without affecting behavior.

.github/dependabot.yml (1)

1-3: SPDX header update confirmed.

YAML config remains untouched beyond licensing metadata.

dialect_postgres.go (1)

1-2: SPDX header change verified.

The dialect implementation stays the same.

testData/01_base_table.sql (1)

1-2: License header alignment looks good.

SQL content unaffected aside from SPDX metadata.

go.mod (2)

1-3: LGTM!

The SPDX header addition is a standard metadata enhancement and aligns with the repository-wide compliance updates.


14-39: LGTM!

The indirect dependencies and tool directive additions are appropriate for the testing infrastructure improvements mentioned in the PR summary.

CODE_OF_CONDUCT.md (1)

1-61: LGTM!

The SPDX header addition and capitalization updates align with the repository-wide compliance and branding standardization.

CONTRIBUTING.md (1)

1-136: LGTM!

The SPDX header, updated test commands, and new DCO section enhance contribution guidelines and align with the repository's compliance objectives.

.github/workflows/test.yml (1)

1-179: LGTM!

The matrix-based testing strategy, explicit Go installation steps, and improved test commands (race detection, atomic coverage, gotestsum) enhance the CI/CD pipeline's robustness and coverage.

migration_test.go (1)

1-543: LGTM!

The addition of parallel execution, subtests with formatted labels, centralized error wrapping via TwrapIfError, and updated logger usage align with Go testing best practices and the broader test infrastructure improvements.

.github/workflows/release.yml (3)

18-53: LGTM!

The Build job logic for creating and uploading the source archive is well-structured, assuming the project name is corrected.


54-101: LGTM!

The ChecksumReleaseAssets job correctly downloads assets, generates checksums, and prepares them for provenance generation.


102-113: LGTM!

The AssetProvenance job integrates SLSA provenance generation with appropriate permissions and configuration.

.github/workflows/compliance.yml (3)

22-36: LGTM!

The REUSE job correctly enforces REUSE compliance using the official action.


38-99: LGTM!

The CheckSignedOffCommit job properly handles push events with appropriate bot exclusions and DCO validation logic for both new branches and normal pushes.


101-153: LGTM!

The CheckSignedOffPullRequest job correctly fetches PR commits via GitHub API and validates DCO sign-offs with proper error handling and bypass label support.

migration.go (2)

1-5: LGTM!

The SPDX header and package comment additions are standard metadata enhancements that align with the repository-wide compliance updates.


134-151: LGTM!

The variable rename from m to morpher in the NewMorpher function improves code readability without changing behavior.

exports_internal_test.go (2)

1-3: LGTM! SPDX headers added.

Standard compliance headers correctly applied.


13-19: LGTM! Test export for wrapIfError.

The TwrapIfError alias correctly exposes the internal wrapIfError function for testing, and the nolint directive is appropriate for test-only globals.

file_migration_test.go (3)

1-2: LGTM! SPDX headers added.

Standard compliance headers correctly applied.


19-20: LGTM! Parallel test execution enabled.

Adding t.Parallel() enables concurrent test execution, improving test suite performance.

Also applies to: 32-33, 48-49, 61-62


87-87: LGTM! Switched to require.Error.

Using require.Error ensures the test stops immediately if the error is not returned, which is appropriate for critical assertions.

utils.go (2)

1-3: LGTM! SPDX headers added.

Standard compliance headers correctly applied.


10-23: LGTM! Error wrapping utility.

The wrapIfError function correctly wraps errors with context text using fmt.Errorf with %w for proper error chain preservation. The nil and empty-text checks are appropriate.

utils_internal_test.go (2)

1-3: LGTM! SPDX headers added.

Standard compliance headers correctly applied.


14-68: LGTM! Comprehensive test coverage for wrapIfError.

The test suite covers all relevant cases: wrapping with/without text, nil errors, empty text, and ensures that format verbs in the text are not interpreted as format directives. Parallel execution is correctly implemented.

dialects.go (4)

1-2: LGTM! SPDX headers updated.

Standard compliance headers correctly applied.


27-27: LGTM! Error wrapping for transaction start.

Adding context to transaction start errors improves debugging.


61-61: LGTM! Error wrapping for applied migrations query.

Adding context to query errors improves debugging.


84-84: LGTM! Error wrapping for migration registration.

Adding context to registration errors improves debugging.

file_migration.go (6)

1-2: LGTM! SPDX headers updated.

Standard compliance headers correctly applied.


16-16: LGTM! Path normalization added.

Using filepath.Clean normalizes paths and helps prevent path traversal issues.

Also applies to: 43-43


46-46: LGTM! Error wrapping with file path context.

Including the migration path in the error message aids debugging.


86-86: LGTM! Error wrapping for directory read.

Adding context to directory read errors improves debugging.


99-99: LGTM! Error wrapping for file migration open.

Adding context to file open errors improves debugging.


169-169: LGTM! Error wrapping for scanner errors.

Adding context to scanner errors improves debugging.

dialects_test.go (4)

1-2: LGTM! SPDX headers updated.

Standard compliance headers correctly applied.


7-7: LGTM! Test refactoring for parallelism and subtests.

The addition of fmt import, t.Parallel(), and per-case subtests with t.Run improves test organization, isolation, and performance. Renaming the loop variable to test improves clarity.

Also applies to: 19-20, 36-60


65-66: LGTM! Parallel execution and require.Error assertions.

Adding t.Parallel() and switching to require.Error for critical assertions ensures tests stop immediately on error, which is appropriate for error validation tests.

Also applies to: 70-75


81-82: LGTM! Parallel execution enabled.

Adding t.Parallel() to additional test functions enables concurrent execution.

Also applies to: 99-100
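The error-wrapping helper and the filepath.Clean change discussed in the review comments above, as an added example written for this page rather than code from the DMorph project: wrapIfError, safeMigrationPath and openMigration are hypothetical reconstructions (their names, signatures and the containment check are assumptions), and errNoPrivilege and the sample paths are constructed. It shows the three behaviours the review credits the helper with (nil passthrough, empty text, format verbs left alone) and that errors.Is still finds the wrapped cause; the containment check goes beyond the review, because filepath.Clean normalizes a path but does not keep it inside a directory.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// wrapIfError adds context to err while preserving the error chain.
// Hypothetical reconstruction of the helper the review describes (not the
// project's code): a nil error stays nil, empty text returns err unchanged,
// and text is supplied as a %s argument so verbs such as %d inside it are
// never interpreted as format directives.
func wrapIfError(text string, err error) error {
	if err == nil {
		return nil
	}
	if text == "" {
		return err
	}
	return fmt.Errorf("%s: %w", text, err)
}

// errNoPrivilege is a constructed sentinel standing in for a driver error.
var errNoPrivilege = errors.New("no privilege")

// safeMigrationPath cleans a migration file name and rejects anything that
// would resolve outside baseDir. filepath.Clean turns "sub/../x.sql" into
// "x.sql" but does not confine a path; the containment check is an addition
// for this example, not something the review reports the project doing.
func safeMigrationPath(baseDir, name string) (string, error) {
	base := filepath.Clean(baseDir)
	full := filepath.Join(base, filepath.Clean(name))
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("migration %q resolves outside %q", name, base)
	}
	return full, nil
}

// openMigration resolves name under baseDir and opens it, wrapping any open
// error with the cleaned path so the failing file is visible to the caller.
func openMigration(baseDir, name string) (*os.File, error) {
	full, err := safeMigrationPath(baseDir, name)
	if err != nil {
		return nil, err
	}
	f, err := os.Open(full)
	return f, wrapIfError("open migration file "+full, err)
}

func main() {
	// Context text containing a format verb is passed through untouched.
	err := wrapIfError("start transaction for 100%d rows", errNoPrivilege)
	fmt.Println(err)                            // start transaction for 100%d rows: no privilege
	fmt.Println(errors.Is(err, errNoPrivilege)) // true: the chain survives the wrap

	fmt.Println(wrapIfError("anything", nil) == nil)               // true
	fmt.Println(wrapIfError("", errNoPrivilege) == errNoPrivilege) // true

	if _, err := safeMigrationPath("/srv/migrations", "../../etc/passwd"); err != nil {
		fmt.Println(err) // rejected: Clean alone would have produced /etc/passwd
	}
	if _, err := openMigration(os.TempDir(), "does-not-exist.sql"); err != nil {
		fmt.Println(err) // open migration file <path>: open <path>: no such file or directory
	}
}
```

Callers that need to branch on the cause keep using errors.Is or errors.As on the wrapped value; only the message gains the prefix, which is why passing text through %s rather than as the format string matters when the text carries user-controlled file names.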

Signed-off-by: Alexander Adam <alphaone23@gmail.com>
Signed-off-by: Alexander Adam <alphaone23@gmail.com>
@AlphaOne1 AlphaOne1 merged commit e1365ef into master Oct 2, 2025
19 checks passed
@AlphaOne1 AlphaOne1 deleted the add_compliance branch October 2, 2025 05:34
3 participants