2 changes: 1 addition & 1 deletion .github/CODEOWNERS
@@ -1,4 +1,4 @@
# Copyright the geany contributors.
# SPDX-FileCopyrightText: 2025 The geany contributors.
# SPDX-License-Identifier: MPL-2.0

/.github/ @AlphaOne1
3 changes: 3 additions & 0 deletions .github/FUNDING.yml
@@ -1,3 +1,6 @@
# SPDX-FileCopyrightText: 2025 The geany contributors.
# SPDX-License-Identifier: MPL-2.0

# These are supported funding model platforms

github: [AlphaOne1] # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
4 changes: 4 additions & 0 deletions .github/ISSUE_TEMPLATE/bug_report.md
@@ -1,3 +1,7 @@
<!-- SPDX-FileCopyrightText: 2025 The geany contributors.
SPDX-License-Identifier: MPL-2.0
-->

---
name: Bug report
about: Create a report to help us improve
4 changes: 4 additions & 0 deletions .github/ISSUE_TEMPLATE/feature_request.md
@@ -1,3 +1,7 @@
<!-- SPDX-FileCopyrightText: 2025 The geany contributors.
SPDX-License-Identifier: MPL-2.0
-->

---
name: Feature request
about: Suggest an idea for this project
4 changes: 4 additions & 0 deletions .github/PULL_REQUEST_TEMPLATE.md
@@ -1,3 +1,7 @@
<!-- SPDX-FileCopyrightText: 2025 The geany contributors.
SPDX-License-Identifier: MPL-2.0
-->

### All Submissions:

* [ ] Have you followed the guidelines in our Contributing document?
7 changes: 1 addition & 6 deletions .github/dependabot.yml
@@ -1,10 +1,5 @@
# Copyright the geany contributors.
# SPDX-FileCopyrightText: 2025 The geany contributors.
# SPDX-License-Identifier: MPL-2.0
#
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates

version: 2
updates:
2 changes: 1 addition & 1 deletion .github/workflows/codeql.yml
@@ -1,4 +1,4 @@
# Copyright the geany contributors.
# SPDX-FileCopyrightText: 2025 The geany contributors.
# SPDX-License-Identifier: MPL-2.0
#
# For most projects, this workflow file will not need changing; you simply need
153 changes: 153 additions & 0 deletions .github/workflows/compliance.yml
@@ -0,0 +1,153 @@
# SPDX-FileCopyrightText: 2025 The geany contributors.
# SPDX-License-Identifier: MPL-2.0

name: Compliance Checks

on:
push:
branches:
- master
pull_request:
branches:
- master

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read

jobs:
REUSE:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with:
egress-policy: audit

- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 1

- name: REUSE Compliance Check
uses: fsfe/reuse-action@bb774aa972c2a89ff34781233d275075cbddf542 #v5.0.0

CheckSignedOffCommit:
if: >
github.event_name == 'push' &&
!startsWith(github.actor, 'dependabot') &&
github.event.pusher.name != 'web-flow' &&
github.event.pusher.name != 'github-actions[bot]' &&
github.event.pusher.name != 'github-merge-queue[bot]'
Comment on lines +40 to +44

⚠️ Potential issue | 🟠 Major

Don't bypass DCO on web-flow pushes

Line 42 short-circuits the entire job whenever github.event.pusher.name is web-flow, which is the pusher GitHub uses for browser-based commits and merge commits performed through the UI. That means contributors can land unsigned commits simply by using the web editor or the standard merge button, undermining the compliance check this workflow is supposed to enforce. Please keep the exclusions for automation bots, but allow web-flow pushes to be evaluated.

-          github.event.pusher.name != 'web-flow' &&
-          github.event.pusher.name != 'github-actions[bot]' &&
-          github.event.pusher.name != 'github-merge-queue[bot]'
+          github.event.pusher.name != 'github-actions[bot]' &&
+          github.event.pusher.name != 'github-merge-queue[bot]'
🤖 Prompt for AI Agents
In .github/workflows/compliance.yml around lines 40 to 44, the workflow
short-circuits DCO checks by excluding github.event.pusher.name == 'web-flow';
remove the "github.event.pusher.name != 'web-flow'" condition so browser/UI
commits are still evaluated, and instead keep only exclusions for automation
actors (e.g., dependabot and known bots) — update the conditional to exclude
automation actors only (e.g., startsWith(github.actor, 'dependabot') or explicit
bot names) so web-flow pushes are not bypassed and the compliance job runs for
them.

runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with:
egress-policy: audit

- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0

- name: Determine pushed commits
id: range
run: |
set -euo pipefail

# Use GitHub-provided SHAs to build the range for this push
BEFORE="${{ github.event.before }}"
AFTER="${{ github.sha }}"

if [ "$BEFORE" = "0000000000000000000000000000000000000000" ]
then
# New branch or force push without previous SHA
git rev-list --no-merges "$AFTER" > shas.txt
else
git rev-list --no-merges "$BEFORE".."$AFTER" > shas.txt
fi

- name: Check for Signed-off-by
run: |
set -euo pipefail
missing=""

while read -r sha
do
[ -n "$sha" ] || continue
msg=`git log --format=%B -n 1 "$sha"`

if ! printf '%s' "$msg" | grep -Eqi '^[[:space:]]*Signed[- ]off[- ]by:'
then
echo "Commit $sha missing Signed-off-by"
missing="true"
fi
done < shas.txt

if [ "$missing" = "true" ]
then
echo "DCO check failed on push"
exit 1
fi

echo "All pushed commits are signed"

CheckSignedOffPullRequest:
if: github.event_name == 'pull_request' && !contains(github.event.pull_request.labels.*.name, 'bypass-dco')
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with:
egress-policy: audit

- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0

- name: Get PR commits
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -euo pipefail
gh --version
jq --version

# Fetch all commits of the PR with pagination and extract SHAs
gh api -H "Accept: application/vnd.github+json" --paginate \
repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits \
| jq -r '.[].sha' > shas.txt

- name: Check for Signed-off-by
run: |
set -euo pipefail
missing=""

while read -r sha
do
[ -n "$sha" ] || continue
msg=`git log --format=%B -n 1 "$sha"`

if ! printf '%s' "$msg" | grep -Eqi '^[[:space:]]*Signed[- ]off[- ]by:'
then
echo "Commit $sha missing Signed-off-by"
missing="true"
fi
done < shas.txt

if [ "$missing" = "true" ]
then
echo "DCO check failed"; exit 1
fi

echo "All commits are signed"
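Review bot: In the `Determine pushed commits` step, the all-zero `github.event.before` branch runs `git rev-list --no-merges "$AFTER"` with no lower bound, so a push that creates a new branch walks the repository's entire history and the DCO check fails on every pre-existing commit that lacks a sign-off; bound the range against the default branch, e.g. `git rev-list --no-merges "$AFTER" ^origin/master > shas.txt` (the `fetch-depth: 0` checkout makes `origin/master` available). Two smaller points in the same hunk: the pattern `'^[[:space:]]*Signed[- ]off[- ]by:'` combined with `-i` accepts trailers such as `signed off by:` that the DCO trailer format does not, so `'^Signed-off-by: '` is the stricter match; and the `bypass-dco` label in `CheckSignedOffPullRequest` lets anyone with triage permission on the repository skip the check for a PR, which is worth documenting as a deliberate exception. Prefer `$(...)` over backticks for the `msg=` assignments, since quoting inside backticks is fragile.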
2 changes: 1 addition & 1 deletion .github/workflows/dependency-review.yml
@@ -1,4 +1,4 @@
# Copyright the geany contributors.
# SPDX-FileCopyrightText: 2025 The geany contributors.
# SPDX-License-Identifier: MPL-2.0
#
# Dependency Review Action
113 changes: 113 additions & 0 deletions .github/workflows/release.yml
@@ -0,0 +1,113 @@
# SPDX-FileCopyrightText: 2025 The geany contributors.
# SPDX-License-Identifier: MPL-2.0

name: Release

on:
release:
types:
- published

permissions: read-all

concurrency:
group: release-${{ github.event.release.tag_name }}
cancel-in-progress: true

jobs:
Build:
permissions:
contents: write
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with:
egress-policy: audit

- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0
ref: ${{ github.event.release.tag_name }}

- name: Generate source archive
shell: bash
run: |
set -euo pipefail

TAG=`echo "${{ github.event.release.tag_name }}" | sed 's/\//-/g'`
git archive \
--format=tar.gz \
--prefix="geany-src-${TAG}/" \
--output="geany-src-${TAG}.tar.gz" \
"${{ github.event.release.tag_name }}"

Comment on lines +39 to +45

⚠️ Potential issue | 🔴 Critical

Bug: Using sanitized tag for git archive will fail for tags containing '/'

You sanitize the tag for filenames, then use the sanitized value as the git ref. If the actual tag contains '/', git archive "${TAG}" will fail because the sanitized ref doesn’t exist. Keep two vars: original (for git) and sanitized (for filenames).

Apply this diff:

-                  TAG=`echo "${{ github.event.release.tag_name }}" | sed 's/\//-/g'`
+                  TAG_ORIG="${{ github.event.release.tag_name }}"
+                  TAG_SAFE=`printf '%s' "$TAG_ORIG" | sed 's/\//-/g'`
                   git archive \
                     --format=tar.gz \
-                    --prefix="geany-src-${TAG}/" \
-                    --output="geany-src-${TAG}.tar.gz" \
-                    "${TAG}"
+                    --prefix="geany-src-${TAG_SAFE}/" \
+                    --output="geany-src-${TAG_SAFE}.tar.gz" \
+                    "$TAG_ORIG"
🤖 Prompt for AI Agents
In .github/workflows/release.yml around lines 39 to 45, the code overwrites the
original tag with a sanitized version and then uses that sanitized value as the
git ref, which fails if the real tag contains '/'. Keep two variables: one
original TAG_ORIG (set from github.event.release.tag_name) to use with git
archive and any git operations, and a separate sanitized TAG (or TAG_SAFE)
derived from TAG_ORIG (replace '/' with '-') for filenames and prefixes; update
the git archive call to use TAG_ORIG and use the sanitized variable for --prefix
and --output filename generation.

- name: Upload Release (via GitHub CLI)
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
shell: bash
run: |
set -euo pipefail
gh release upload "${{ github.event.release.tag_name }}" geany-src-*.tar.gz --clobber

ChecksumReleaseAssets:
needs: Build
runs-on: ubuntu-latest
name: Checksum Release Assets
outputs:
hashBase64File: ${{ steps.hashes.outputs.handle }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with:
egress-policy: audit

- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 1

- name: Download all release assets via GitHub CLI
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -euo pipefail

mkdir -p release-assets
cd release-assets
# gets all assets of the release
gh release download "${{ github.event.release.tag_name }}" --clobber
echo "Downloaded assets:"
ls -lah

- name: Generate Checksums
working-directory: release-assets
run: |
set -euo pipefail

# Robustly hash all regular files in this directory, then base64 and write via tee.
LC_ALL=C find . -maxdepth 1 -type f -printf '%P\0' \
| sort -z \
| xargs -0 sha256sum -- \
| base64 -w0 \
> check.sha256

- name: Upload Checksums
id: hashes
uses: slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # 2.1.0
with:
path: release-assets/check.sha256

AssetProvenance:
permissions:
actions: read # Needed for detection of GitHub Actions environment.
id-token: write # Needed for provenance signing and ID
contents: write # Needed for release uploads
needs: ChecksumReleaseAssets
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 #must have semver!
with:
base64-subjects-as-file: |
${{ needs.ChecksumReleaseAssets.outputs.hashBase64File }}
upload-assets: true
upload-tag-name: "${{ github.event.release.tag_name }}"
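Review bot: `${{ github.event.release.tag_name }}` is interpolated directly into the `run:` scripts of the `Generate source archive`, `Upload Release` and `Download all release assets` steps; a tag name is free-form text and the expression is expanded before bash parses the script, so the quotes inside the script do not protect it. Pass it through an `env:` block (`TAG_NAME: ${{ github.event.release.tag_name }}`) and reference `"$TAG_NAME"` in the script, which is the pattern GitHub's hardening guidance recommends for event data. Also, the comment in `Generate Checksums` says the file is written via `tee`, but the pipeline ends in `> check.sha256`; align the comment with the code. Finally, `cancel-in-progress: true` on the release concurrency group can stop a run after `gh release upload --clobber` has replaced an asset but before `ChecksumReleaseAssets` and `AssetProvenance` have run, leaving assets on the release that no provenance covers; consider leaving it off for this workflow.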
2 changes: 1 addition & 1 deletion .github/workflows/scorecard.yml
@@ -1,4 +1,4 @@
# Copyright the geany contributors.
# SPDX-FileCopyrightText: 2025 The geany contributors.
# SPDX-License-Identifier: MPL-2.0
#
# This workflow uses actions that are not certified by GitHub. They are provided
2 changes: 1 addition & 1 deletion .github/workflows/security.yml
@@ -1,4 +1,4 @@
# Copyright the geany contributors.
# SPDX-FileCopyrightText: 2025 The geany contributors.
# SPDX-License-Identifier: MPL-2.0

name: Security
4 changes: 2 additions & 2 deletions .github/workflows/test.yml
@@ -1,4 +1,4 @@
# Copyright the geany contributors.
# SPDX-FileCopyrightText: 2025 The geany contributors.
# SPDX-License-Identifier: MPL-2.0

name: Tests
@@ -84,7 +84,7 @@ jobs:
check-latest: true

- name: Test
run: go run gotest.tools/gotestsum@latest --junitfile junit.xml -- -v `go list ./...` --covermode=count --coverpkg=./... --coverprofile=coverage.txt
run: go tool gotestsum --junitfile junit.xml -- -race -v `go list ./...` --covermode=atomic --coverpkg=./... --coverprofile=coverage.txt

⚠️ Potential issue | 🔴 Critical

Fix go test flag ordering in gotestsum invocation

With the backticked go list ./..., the package list expands before --covermode, --coverpkg, and --coverprofile. That makes those flags land after the package arguments, so go test treats them as test binary flags and aborts with flag provided but not defined: -covermode. Move the package expansion to the end (or just use ./...) so the coverage flags stay in the build-flag section.

-            run: go tool gotestsum --junitfile junit.xml -- -race -v `go list ./...` --covermode=atomic --coverpkg=./... --coverprofile=coverage.txt
+            run: go tool gotestsum --junitfile junit.xml -- -race -v --covermode=atomic --coverpkg=./... --coverprofile=coverage.txt ./...
🤖 Prompt for AI Agents
In .github/workflows/test.yml at line 87, the invocation uses backticked `go
list ./...` which expands packages before the coverage flags so those flags
become positional arguments and cause go test to fail; change the command to put
the package list at the end (for example replace the backticked expansion with
./... at the end of the gotestsum invocation) so --covermode, --coverpkg, and
--coverprofile remain before the package arguments.


- name: Upload test results to Codecov
if: ${{ !cancelled() }}
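Review bot: `go tool gotestsum`, which replaces `go run gotest.tools/gotestsum@latest` here, only resolves if `gotest.tools/gotestsum` is declared with a `tool` directive in `go.mod`; that directive needs Go 1.24 or later and the `go.mod` change is not part of this diff, so confirm the entry exists and that the Go version selected with `check-latest: true` supports it, otherwise the step fails before any test runs. On the positive side, the move from `go run ...@latest` to a `go.mod`-declared tool pins gotestsum to a version recorded in the module graph instead of whatever `@latest` resolves to at run time, and `-race` together with `--covermode=atomic` is the correct pairing, since the race detector requires the atomic coverage mode. The flag-ordering problem with the backticked `go list ./...` raised in the thread above still needs to be fixed before this line works.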
2 changes: 1 addition & 1 deletion .gitignore
@@ -1,4 +1,4 @@
# Copyright the geany contributors.
# SPDX-FileCopyrightText: 2025 The geany contributors.
# SPDX-License-Identifier: MPL-2.0

.idea
5 changes: 1 addition & 4 deletions .golangci.yaml
@@ -1,4 +1,4 @@
# Copyright the geany contributors.
# SPDX-FileCopyrightText: 2025 The geany contributors.
# SPDX-License-Identifier: MPL-2.0

# Configuration file for golangci-lint
@@ -81,9 +81,6 @@ linters:
ignored-numbers:
- "2"

paralleltest:
ignore-missing: true

perfsprint:
errorf: false

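Review bot: Dropping `paralleltest: ignore-missing: true` switches paralleltest to its default behaviour of reporting every `Test*` function that does not call `t.Parallel()`, which is a much broader check than the previous configuration, which only flagged incorrect uses of `t.Parallel()`; make sure the existing test files already call it, or add the calls in this PR, otherwise the lint job fails on tests this change does not touch. If the intent is only to enforce it for new tests, keep the setting and rely on `//nolint:paralleltest` case by case instead.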
2 changes: 2 additions & 0 deletions .markdownlint.json.license
@@ -0,0 +1,2 @@
SPDX-FileCopyrightText: 2025 The geany contributors.
SPDX-License-Identifier: MPL-2.0
8 changes: 8 additions & 0 deletions AUTHORS.md
@@ -0,0 +1,8 @@
<!-- SPDX-FileCopyrightText: 2025 The geany contributors.
SPDX-License-Identifier: MPL-2.0
-->

Authors
=======

- @AlphaOne1