Add SPDX license headers, update workflows, and improve compliance. #50

Merged: AlphaOne1 merged 5 commits into master from add_compliance on Sep 27, 2025.

@AlphaOne1 AlphaOne1 commented Sep 27, 2025

  • Replaced license comments with SPDX identifiers across files.
  • Added release.yml and compliance.yml GitHub workflows for automated release and compliance checks.
  • Updated tests to use -race and --covermode=atomic for increased reliability.
  • Introduced reusable LICENSES/ directory with CC-BY-4.0 and MPL-2.0 license texts for clarity and attribution.

Summary by CodeRabbit

  • Documentation

    • Added governance, DCO, AUTHORS and full license documents; expanded contributing guidance with sign-off and changelog rules; added REUSE badge and standardized license headers.
  • Chores

    • Added automated compliance and release workflows (including checksums/provenance) and updated dependency/lint automation; applied SPDX headers consistently repository-wide.
  • Tests

    • Enhanced CI test execution with race detection and updated reporting; marked selected tests as non-parallel for reliability.

- Replaced license comments with SPDX identifiers across files.
- Added `release.yml` and `compliance.yml` GitHub workflows for automated release and compliance checks.
- Updated tests to use `-race` and `--covermode=atomic` for increased reliability.
- Introduced reusable `LICENSES/` directory with CC-BY-4.0 and MPL-2.0 license texts for clarity and attribution.

Signed-off-by: Alexander Adam <alphaone23@gmail.com>
@AlphaOne1 AlphaOne1 self-assigned this Sep 27, 2025

coderabbitai Bot commented Sep 27, 2025

📥 Commits

Reviewing files that changed from the base of the PR and between db9ad7b and 2394dd4.

📒 Files selected for processing (3)
  • AUTHORS.md (1 hunks)
  • CONTRIBUTING.md (6 hunks)
  • geany_internal_test.go (2 hunks)

Walkthrough

Repository-wide SPDX headers were added or standardized across many files. New governance and compliance documents (DCO, GOVERNANCE, AUTHORS) and license files were introduced. GitHub Actions gained new Compliance and Release workflows; Test workflow, Dependabot, linter config, README badges, and Go module dependencies were updated.

Changes

| Cohort | File(s) | Summary of Changes |
|---|---|---|
| SPDX header standardization | `geany.go`, `geany_*_test.go`, `examples/*/main*.go`, `.gitignore`, `README.md`, `CHANGELOG.md`, `CODE_OF_CONDUCT.md`, `SECURITY.md`, `.github/CODEOWNERS`, `.github/FUNDING.yml`, `.github/ISSUE_TEMPLATE/*`, `.github/PULL_REQUEST_TEMPLATE.md`, `.github/workflows/codeql.yml`, `.github/workflows/dependency-review.yml`, `.github/workflows/scorecard.yml`, `.github/workflows/security.yml`, `go.sum.license`, `.markdownlint.json.license` | Replaced or added SPDX-FileCopyrightText and SPDX-License-Identifier header lines; preserved MPL-2.0 identifier where present. No runtime or control-flow changes. |
| New compliance & governance docs | `DCO.txt`, `GOVERNANCE.md`, `AUTHORS.md` | Added DCO text, governance model, and authors list (with SPDX headers). |
| Licenses and license templates | `LICENSES/MPL-2.0.txt`, `LICENSES/CC-BY-4.0.txt`, `LICENSES/LicenseRef-DCO.txt`, `examples/*/logo*.license`, `examples/*/logo*.tmpl.license` | Added full license texts and per-file license stubs containing SPDX metadata. |
| Workflows — new/modified | `.github/workflows/compliance.yml`, `.github/workflows/release.yml`, `.github/workflows/test.yml`, `.github/workflows/dependency-review.yml` | Added Compliance workflow (REUSE, DCO checks for pushes/PRs). Added Release workflow (build source tarball, checksum assets, SLSA provenance). Modified Test workflow to run gotestsum via tool with race and covermode=atomic. Minor header SPDX updates in other workflow files. |
| Dependabot configuration | `.github/dependabot.yml` | Replaced header with SPDX lines and added ecosystems (gomod, github-actions) with weekly schedules under version: 2. |
| Lint configuration | `.golangci.yaml` | Added SPDX header and removed the paralleltest linter configuration block. |
| Contributing guide | `CONTRIBUTING.md` | Added SPDX header; reworded and clarified contribution, changelog, merging, and CI guidance; introduced a DCO section. |
| README badge | `README.md` | Inserted a REUSE badge into the badges block and added SPDX header. |
| Tests adjustment | `geany_test.go` | Added nolint:paralleltest annotations for stdout-dependent tests; header updated to SPDX. |
| Go module / dependencies | `go.mod` | Header updated to SPDX; expanded require block with additional indirect dependencies and added gotestsum tooling entry. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
  autonumber
  actor Dev as Developer/Bot
  participant GH as GitHub
  participant CW as Workflow: Compliance Checks
  participant REUSE as Job: REUSE
  participant PUSH as Job: CheckSignedOffCommit
  participant PR as Job: CheckSignedOffPullRequest

  Dev->>GH: push / pull_request
  GH->>CW: trigger (on push / pull_request)
  CW->>REUSE: run REUSE (checkout, verify licensing)
  Note over REUSE: Fails on REUSE non-compliance

  alt push (non-bot)
    CW->>PUSH: checkout (fetch-depth:0)
    PUSH->>PUSH: compute commit SHAs (handle new branch / force-push)
    PUSH->>PUSH: verify Signed-off-by per commit (fail if missing)
  end

  alt pull_request (no bypass-dco label)
    CW->>PR: checkout (fetch-depth:0)
    PR->>GH: fetch PR commits (gh + jq)
    PR->>PR: verify Signed-off-by per commit (fail if missing)
  end
```

```mermaid
sequenceDiagram
  autonumber
  actor Maint as Maintainer
  participant GH as GitHub Releases
  participant R as Workflow: Release
  participant Build as Job: Build
  participant Sum as Job: ChecksumReleaseAssets
  participant Prov as Job: AssetProvenance

  Maint->>GH: publish release (tag)
  GH->>R: trigger on release: published
  R->>Build: checkout, archive tag -> geany-src-${TAG}.tar.gz
  Build->>GH: upload source archive
  Build-->>R: outputs: tag

  R->>Sum: download release assets
  Sum->>Sum: compute sha256 of regular files -> check.sha256
  Sum->>Sum: base64-encode subjects -> outputs.hashBase64File
  Sum-->>R: outputs.hashBase64File

  R->>Prov: run provenance workflow with subjects/tag
  Prov->>GH: upload provenance attestation
```

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

I stamped each file with SPDX flair,
A warren of docs now neat and fair.
New workflows hop—release, comply—
With checks and sums beneath the sky.
I twitch my nose and thump the ground;
“Signed-off!” echo all around. 🐇✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title Check | ✅ Passed | The title succinctly captures the core changes of adding SPDX license headers, updating workflows, and enhancing compliance without extraneous detail, giving a clear overview of the PR’s intent and scope. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 5

🧹 Nitpick comments (9)
.github/workflows/release.yml (1)

23-27: Optional: Harden egress to block instead of audit

For release/compliance workflows, consider egress-policy: block with explicit allowed endpoints for stronger supply-chain posture. Can be done later.

Also applies to: 61-65

CONTRIBUTING.md (5)

55-59: Nit: suggest clearer wording for formatting step

Tiny clarity tweak.

-Be sure to have run the go fmt tool to have a unified code style:
+Run go fmt to ensure a unified code style:

64-69: Align docs with CI: mention race detector and atomic covermode

CI runs tests with -race and --covermode=atomic; reflect that here.

-After implementing your feature, add tests that cover all major code paths. A
+After implementing your feature, add tests that cover all major code paths. Run:
+
+```bash
+go test -race -covermode=atomic ./...
+```
+
+A

77-80: Minor grammar fixes for bullet list

Improve readability.

-- a coarse description of your new feature
-- generate new or update (in case) the existing examples
-- update the CHANGELOG.md
+- a concise description of your new feature
+- generate new examples or update existing ones, if applicable
+- update CHANGELOG.md

81-83: Fix awkward sentence in CHANGELOG guidance

Current sentence is confusing.

-The CHANGELOG document contains the changes of the next major contains all the
-changes of the current major version since x.0.0. On a major release, the CHANGELOG
+The CHANGELOG contains all changes of the current major version since x.0.0 and a
+section outlining the next release. On a major release, the CHANGELOG

93-97: Minor grammar polish

“serious” -> “seriously”.

-These tests may produce warnings. Take those warnings serious even if they seem harmless.
+These tests may produce warnings. Take those warnings seriously even if they seem harmless.
.github/workflows/compliance.yml (3)

59-75: Comment and implementation mismatch: merges excluded but comment says included

You use --no-merges yet the comment says merges are included. Either update the comment or include merges. Including merges is preferable as merge commits can carry DCO sign-offs.

-                  if [ "$BEFORE" = "0000000000000000000000000000000000000000" ]
+                  if [ "$BEFORE" = "0000000000000000000000000000000000000000" ]
                   then
-                      # New branch or force push without previous SHA
-                      git rev-list --no-merges "$AFTER" > shas.txt
+                      # New branch or force push without previous SHA
+                      git rev-list "$AFTER" > shas.txt
                   else
-                      git rev-list --no-merges "$BEFORE".."$AFTER" > shas.txt
+                      git rev-list "$BEFORE".."$AFTER" > shas.txt
                   fi
@@
-                  # Include merge commits as well (their message may carry DCO)
+                  # Include merge commits as well (their message may carry DCO)
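
Review bot: As rendered here, three of the `-`/`+` pairs in this hunk (the `if [ "$BEFORE" = ...` test and both comment lines) are textually identical, so the only effective change is dropping `--no-merges` from the two `git rev-list` calls; trim the suggestion to those two lines so it applies cleanly. Once merges are included, `git rev-list "$AFTER"` on a new branch still walks the whole reachable history, so every historical merge commit would need a sign-off unless the range is bounded.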

Also applies to: 76-101


39-45: Optional: Limit checked commits on new branches to only those in the push

For new branches (before is all zeros), git rev-list "$AFTER" walks all reachable history, which can be large. Prefer using the push payload commit SHAs (github.event.commits[*].id) to bound the check.

I can provide a patch that reads github.event.commits into a file and iterates over those SHAs only.

Also applies to: 59-75


109-113: Optional: Block egress in hardened runner

As with release workflow, consider egress-policy: block with explicit allowlist for stricter CI egress controls.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2bbf313 and cc5cf2d.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (43)
  • .github/CODEOWNERS (1 hunks)
  • .github/FUNDING.yml (1 hunks)
  • .github/ISSUE_TEMPLATE/bug_report.md (1 hunks)
  • .github/ISSUE_TEMPLATE/feature_request.md (1 hunks)
  • .github/PULL_REQUEST_TEMPLATE.md (1 hunks)
  • .github/dependabot.yml (1 hunks)
  • .github/workflows/codeql.yml (1 hunks)
  • .github/workflows/compliance.yml (1 hunks)
  • .github/workflows/dependency-review.yml (1 hunks)
  • .github/workflows/release.yml (1 hunks)
  • .github/workflows/scorecard.yml (1 hunks)
  • .github/workflows/security.yml (1 hunks)
  • .github/workflows/test.yml (2 hunks)
  • .gitignore (1 hunks)
  • .golangci.yaml (1 hunks)
  • .markdownlint.json.license (1 hunks)
  • AUTHORS.md (1 hunks)
  • CHANGELOG.md (1 hunks)
  • CODE_OF_CONDUCT.md (1 hunks)
  • CONTRIBUTING.md (7 hunks)
  • DCO.txt (1 hunks)
  • GOVERNANCE.md (1 hunks)
  • LICENSES/CC-BY-4.0.txt (1 hunks)
  • LICENSES/LicenseRef-DCO.txt (1 hunks)
  • LICENSES/MPL-2.0.txt (1 hunks)
  • README.md (2 hunks)
  • SECURITY.md (1 hunks)
  • examples/logo_embed/logo.tmpl.license (1 hunks)
  • examples/logo_embed/main.go (1 hunks)
  • examples/logo_embed/main_test.go (1 hunks)
  • examples/logo_file/logo.tmpl.license (1 hunks)
  • examples/logo_file/main.go (1 hunks)
  • examples/logo_file/main_test.go (1 hunks)
  • examples/logo_owndata/logo.tmpl.license (1 hunks)
  • examples/logo_owndata/main.go (1 hunks)
  • examples/logo_owndata/main_test.go (1 hunks)
  • examples/logo_simple/main.go (1 hunks)
  • examples/logo_simple/main_test.go (1 hunks)
  • geany.go (1 hunks)
  • geany_internal_test.go (1 hunks)
  • geany_test.go (3 hunks)
  • go.mod (2 hunks)
  • go.sum.license (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/release.yml

[warning] 104-104: too many spaces after colon

(colons)

🪛 markdownlint-cli2 (0.18.1)
AUTHORS.md

5-5: First line in a file should be a top-level heading

(MD041, first-line-heading, first-line-h1)


5-5: Files should end with a single newline character

(MD047, single-trailing-newline)

🔇 Additional comments (9)
examples/logo_embed/main.go (1)

1-2: SPDX header looks good.

The Go file now uses the canonical single-line // SPDX annotations; nothing else changed. All good.

.github/workflows/scorecard.yml (1)

1-2: Workflow metadata updated correctly.

The SPDX header is using the proper YAML comment style and leaves the workflow logic untouched. No further action needed.

.gitignore (1)

1-2: SPDX header is correctly formatted.

The .gitignore keeps its behavior intact while documenting licensing with the expected comment prefix. Looks good.

SECURITY.md (1)

1-3: Markdown header conversion LGTM.

Switching to an HTML comment block preserves rendering while carrying the SPDX fields. No other content affected.

CHANGELOG.md (1)

1-3: Changelog SPDX block approved.

Using an HTML comment ensures the header stays hidden in rendered output and keeps the changelog entries untouched.

LICENSES/CC-BY-4.0.txt (1)

1-396: SPDX license text addition looks correct

Standard CC-BY-4.0 text added; no issues.

CONTRIBUTING.md (1)

1-3: SPDX header added correctly

Header is present and properly scoped in an HTML comment block.

examples/logo_file/main_test.go (1)

1-1: SPDX header update looks good

No functional changes; header aligned with repo policy.

.github/workflows/release.yml (1)

84-101: Ignore previous suggestion: base64 is required
The create-base64-subjects-from-file action expects a base64-encoded sha256sum output, so the existing encoding step is correct.

Likely an incorrect or invalid review comment.

Comment on lines +39 to +45
TAG=`echo "${{ github.event.release.tag_name }}" | sed 's/\//-/g'`
git archive \
--format=tar.gz \
--prefix="geany-src-${TAG}/" \
--output="geany-src-${TAG}.tar.gz" \
"${TAG}"

⚠️ Potential issue | 🔴 Critical

Bug: Using sanitized tag for git archive will fail for tags containing '/'

You sanitize the tag for filenames, then use the sanitized value as the git ref. If the actual tag contains '/', git archive "${TAG}" will fail because the sanitized ref doesn’t exist. Keep two vars: original (for git) and sanitized (for filenames).

Apply this diff:

-                  TAG=`echo "${{ github.event.release.tag_name }}" | sed 's/\//-/g'`
+                  TAG_ORIG="${{ github.event.release.tag_name }}"
+                  TAG_SAFE=`printf '%s' "$TAG_ORIG" | sed 's/\//-/g'`
                   git archive \
                     --format=tar.gz \
-                    --prefix="geany-src-${TAG}/" \
-                    --output="geany-src-${TAG}.tar.gz" \
-                    "${TAG}"
+                    --prefix="geany-src-${TAG_SAFE}/" \
+                    --output="geany-src-${TAG_SAFE}.tar.gz" \
+                    "$TAG_ORIG"
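
Review bot: The `+` line `TAG_ORIG="${{ github.event.release.tag_name }}"` still expands the tag name into the script text before the shell runs, so a tag name containing a double quote, a backtick or `$(...)` changes the script rather than the value of the variable. Pass the tag through the step's `env:` block (for example `TAG_ORIG: ${{ github.event.release.tag_name }}`) and reference `"$TAG_ORIG"` in the script. Using `$(...)` instead of backticks on the `TAG_SAFE` line would also read better.
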
🤖 Prompt for AI Agents
In .github/workflows/release.yml around lines 39 to 45, the code overwrites the
original tag with a sanitized version and then uses that sanitized value as the
git ref, which fails if the real tag contains '/'. Keep two variables: one
original TAG_ORIG (set from github.event.release.tag_name) to use with git
archive and any git operations, and a separate sanitized TAG (or TAG_SAFE)
derived from TAG_ORIG (replace '/' with '-') for filenames and prefixes; update
the git archive call to use TAG_ORIG and use the sanitized variable for --prefix
and --output filename generation.

Comment thread .github/workflows/release.yml

- name: Test
run: go run gotest.tools/gotestsum@latest --junitfile junit.xml -- -v `go list ./...` --covermode=count --coverpkg=./... --coverprofile=coverage.txt
run: go tool gotestsum --junitfile junit.xml -- -race -v `go list ./...` --covermode=atomic --coverpkg=./... --coverprofile=coverage.txt

⚠️ Potential issue | 🔴 Critical

Fix go test flag ordering in gotestsum invocation

With the backticked go list ./..., the package list expands before --covermode, --coverpkg, and --coverprofile. That makes those flags land after the package arguments, so go test treats them as test binary flags and aborts with flag provided but not defined: -covermode. Move the package expansion to the end (or just use ./...) so the coverage flags stay in the build-flag section.

-            run: go tool gotestsum --junitfile junit.xml -- -race -v `go list ./...` --covermode=atomic --coverpkg=./... --coverprofile=coverage.txt
+            run: go tool gotestsum --junitfile junit.xml -- -race -v --covermode=atomic --coverpkg=./... --coverprofile=coverage.txt ./...
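
Review bot: Before this goes in as a fix, confirm the failure described for the `-` line: the pre-PR command shown above in this thread has the same order (package list from `go list ./...` followed by `--covermode`, `--coverpkg` and `--coverprofile`), and `go help test` gives the usage as `go test [build/test flags] [packages] [build/test flags & test binary flags]`, so recognized flags after the package list are accepted. Replacing the backticked `go list ./...` with `./...` on the `+` line is still a reasonable simplification; take it on that basis.
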
🤖 Prompt for AI Agents
In .github/workflows/test.yml at line 87, the invocation uses backticked `go
list ./...` which expands packages before the coverage flags so those flags
become positional arguments and cause go test to fail; change the command to put
the package list at the end (for example replace the backticked expansion with
./... at the end of the gotestsum invocation) so --covermode, --coverpkg, and
--coverprofile remain before the package arguments.

Comment thread GOVERNANCE.md
Comment on lines +21 to +22
etc. All contributors are listed in the project's metadata
(e.g. [AUTHORS.md](AUTHORS.md)).

⚠️ Potential issue | 🟠 Major

Fix broken AUTHORS link.

The repository exposes the contributor roster in the AUTHORS file (no .md suffix). Linking to AUTHORS.md renders a 404 on GitHub, so this reference needs to point at the actual file name.

Apply this diff to correct the link:

- (e.g. [AUTHORS.md](AUTHORS.md)).
+ (e.g. [AUTHORS](AUTHORS)).
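
Review bot: The `+` line retargets the link to `AUTHORS`, but the file lists in this PR name the file `AUTHORS.md` (1 hunk), so the existing link on the `-` line already resolves; drop this suggestion.
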
🤖 Prompt for AI Agents
In GOVERNANCE.md around lines 21 to 22, the markdown link points to AUTHORS.md
which does not exist; update the link target to the actual file name AUTHORS
(remove the .md suffix) so the reference becomes [AUTHORS](AUTHORS) and resolves
correctly on GitHub.

Owner Author

But it is AUTHORS.md, including the md suffix.

Signed-off-by: Alexander Adam <alphaone23@gmail.com>

codecov-commenter commented Sep 27, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

Files with missing lines Coverage Δ
examples/logo_embed/main.go 100.00% <ø> (ø)
examples/logo_file/main.go 100.00% <ø> (ø)
examples/logo_owndata/main.go 100.00% <ø> (ø)
examples/logo_simple/main.go 100.00% <ø> (ø)
geany.go 100.00% <ø> (ø)

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 4

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cc5cf2d and db9ad7b.

📒 Files selected for processing (4)
  • .github/workflows/compliance.yml (1 hunks)
  • .github/workflows/release.yml (1 hunks)
  • AUTHORS.md (1 hunks)
  • CONTRIBUTING.md (6 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/release.yml

[warning] 104-104: too many spaces after colon

(colons)

🪛 markdownlint-cli2 (0.18.1)
AUTHORS.md

7-7: Files should end with a single newline character

(MD047, single-trailing-newline)

Comment on lines +40 to +44
github.event_name == 'push' &&
!startsWith(github.actor, 'dependabot') &&
github.event.pusher.name != 'web-flow' &&
github.event.pusher.name != 'github-actions[bot]' &&
github.event.pusher.name != 'github-merge-queue[bot]'

⚠️ Potential issue | 🟠 Major

Don't bypass DCO on web-flow pushes

Line 42 short-circuits the entire job whenever github.event.pusher.name is web-flow, which is the pusher GitHub uses for browser-based commits and merge commits performed through the UI. That means contributors can land unsigned commits simply by using the web editor or the standard merge button, undermining the compliance check this workflow is supposed to enforce. Please keep the exclusions for automation bots, but allow web-flow pushes to be evaluated.

-          github.event.pusher.name != 'web-flow' &&
-          github.event.pusher.name != 'github-actions[bot]' &&
-          github.event.pusher.name != 'github-merge-queue[bot]'
+          github.event.pusher.name != 'github-actions[bot]' &&
+          github.event.pusher.name != 'github-merge-queue[bot]'
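
Review bot: In the condition this hunk edits, the exclusions that remain are string matches on names, and `!startsWith(github.actor, 'dependabot')` (line 41 of the commented range) is a prefix test, so any login that merely begins with `dependabot` skips the DCO job. Compare against the exact login, `github.actor != 'dependabot[bot]'`, in the same change that removes the `web-flow` line.
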
🤖 Prompt for AI Agents
In .github/workflows/compliance.yml around lines 40 to 44, the workflow
short-circuits DCO checks by excluding github.event.pusher.name == 'web-flow';
remove the "github.event.pusher.name != 'web-flow'" condition so browser/UI
commits are still evaluated, and instead keep only exclusions for automation
actors (e.g., dependabot and known bots) — update the conditional to exclude
automation actors only (e.g., startsWith(github.actor, 'dependabot') or explicit
bot names) so web-flow pushes are not bypassed and the compliance job runs for
them.
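
The push-side DCO check this thread is about (commit range from the push's before/after SHAs, then a Signed-off-by test per commit), as an added example in shell; it is not the project's compliance.yml. The function names, the argument passing and the rule that the sign-off address must match the commit author are assumptions of this example.

```shell
#!/bin/sh
# Added example: push-side DCO check. Not the project's compliance.yml.
# BEFORE and AFTER stand for the push event's before/after SHAs and are
# expected as arguments (assumption), never pasted into the script text.

# Print the rev-list argument selecting the commits a push introduced.
dco_range() {
    before=$1
    after=$2
    # Accept lowercase hex only, so a value such as "--all" cannot reach git.
    case $before in ''|*[!0-9a-f]*) return 2 ;; esac
    case $after  in ''|*[!0-9a-f]*) return 2 ;; esac
    case $before in
        *[!0]*) printf '%s..%s\n' "$before" "$after" ;;  # ordinary push
        *)      printf '%s\n' "$after" ;;                # all zeros: new branch
    esac
}

# Read one commit message on stdin; succeed if it has a well-formed
# Signed-off-by line whose address equals the e-mail given as $1.
# Requiring the author's address is a stricter choice made for this example.
signed_off_by() {
    grep -E '^Signed-off-by: .+ <[^<>]+>$' | grep -Fqi "<$1>"
}

# Check every commit of the push; list the offenders on stderr.
# Merge commits are included; add --no-merges to rev-list to skip them.
dco_check_push() {
    range=$(dco_range "$1" "$2") || return 2
    missing=0
    for sha in $(git rev-list "$range"); do
        email=$(git show -s --format=%ae "$sha")
        if ! git show -s --format=%B "$sha" | signed_off_by "$email"; then
            printf 'missing Signed-off-by: %s\n' "$sha" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Run as a script: dco-check.sh BEFORE AFTER
if [ "$#" -eq 2 ]; then
    dco_check_push "$1" "$2"
    exit $?
fi
```

On a new branch the range is the whole history reachable from AFTER, which is the cost the review above points out for that case.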

Comment thread .github/workflows/compliance.yml
Comment thread .github/workflows/release.yml
Comment thread AUTHORS.md Outdated
Signed-off-by: Alexander Adam <alphaone23@gmail.com>
Signed-off-by: Alexander Adam <alphaone23@gmail.com>
Signed-off-by: Alexander Adam <alphaone23@gmail.com>
@AlphaOne1 AlphaOne1 merged commit 5cb2e73 into master Sep 27, 2025
16 checks passed
@AlphaOne1 AlphaOne1 deleted the add_compliance branch September 27, 2025 14:58