feat(licenses): Updated the software dependencies license workflow

Author: amilcarlucas

.github/instructions/update_software_dependencies.md

@@ -0,0 +1,192 @@
+<!--
+SPDX-FileCopyrightText: 2024-2026 Amilcar do Carmo Lucas <amilcar.lucas@iav.de>
+
+SPDX-License-Identifier: GPL-3.0-or-later
+-->
+
+# Adding or Updating Software Dependencies
+
+This document describes the full workflow for adding a new dependency or updating an existing one in the
+ArduPilot Methodic Configurator project.
+It is intended for both human contributors and AI agents.
+
+All steps must be completed in order for the project to remain REUSE-compliant and its dependency
+credits to stay accurate and up to date.
+
+## Overview
+
+```text
+pyproject.toml  →  credits/CREDITS.md  →  credits/update_credits_licenses.py
+    →  run script to download license files  →  REUSE.toml
+```
+
+---
+
+## Step 1 — Add the dependency to `pyproject.toml`
+
+Add the package to the appropriate section of `pyproject.toml`:
+
+- Runtime dependency → `[project] dependencies`
+- Development tooling → `[project.optional-dependencies] dev`
+- CI-only → `[project.optional-dependencies] ci_headless_tests`
+
+Pin the exact version (use `==`).
+For packages sensitive to the Python runtime version, use environment markers (e.g., `python_version < '3.10'`).
+
+---
+
+## Step 2 — Update `credits/CREDITS.md`
+
+Add a row to the appropriate table in `credits/CREDITS.md`:
+
+- **Direct** runtime or GUI dependencies → "It directly uses:" table
+- **Indirect** (transitive) dependencies → "It indirectly uses:" table
+
+Each row must have:
+
+| Column   | Content                                                      |
+|----------|--------------------------------------------------------------|
+| Software | Markdown link to project homepage                            |
+| License  | Markdown link to the license URL on the project's repository |
+
+The author name (e.g., "by Mark Pointing") must be included in the Software column whenever
+it is known and the dependency is from an individual contributor rather than an organisation.
+
+Example row for a direct dependency:
+
+```markdown
+| [simpleeval](https://github.com/danthedeckie/simpleeval) | [MIT License](https://github.com/danthedeckie/simpleeval/blob/main/LICENCE) |
+```
+
+---
+
+## Step 3 — Update `credits/update_credits_licenses.py`
+
+Add the new package to the correct list in `credits/update_credits_licenses.py`:
+
+- `direct_dependencies` — for packages listed in the direct-use table
+- `indirect_dependencies` — for packages listed in the indirect-use table
+
+Each entry is a dict with two keys:
+
+```python
+{"name": "<PackageName>", "license_url": "<raw-URL-to-license-file>"}
+```
+
+Rules for the URL:
+
+- Use a **raw** URL that serves the plain-text license (e.g., `https://raw.githubusercontent.com/...`)
+- The filename at the end of the URL determines the downloaded file's suffix
+  (e.g., `…/main/LICENCE` → `<PackageName>-LICENCE`)
+- For packages hosted on Mozilla's site (MPL-2.0) provide `https://mozilla.org/MPL/2.0/` and the
+  download function will use a fixed HTML filename automatically (see `Scrollable_TK_frame`,
+  `Python_Tkinter_ComboBox`)
+
+---
+
+## Step 4 — Run the download script
+
+Execute the script from the `credits/` directory.
+It reads both lists and downloads each license file:
+
+```bash
+cd credits
+python update_credits_licenses.py
+```
+
+The script saves each file as `<PackageName>-<license-filename>` in the current directory.
+Check the output log to confirm all downloads succeeded.
+Re-run if any fail due to network errors.
+
+---
+
+## Step 5 — Add entries to `REUSE.toml`
+
+For each newly downloaded license file, append an `[[annotations]]` block to `REUSE.toml`
+with the correct path, copyright notice, and SPDX license identifier.
+
+### Finding the copyright holder
+
+1. Open the downloaded license file (e.g., `credits/simpleeval-LICENCE`).
+2. Look for a line starting with `Copyright` or `©` at the top.
+3. If the license file contains no copyright notice, use the project author name from the
+   corresponding entry in `credits/CREDITS.md` or the package's repository.
+
+### Choosing the SPDX identifier
+
+Use the canonical [SPDX license list](https://spdx.org/licenses/).
+Common mappings:
+
+| License text says                  | SPDX-License-Identifier |
+|------------------------------------|-------------------------|
+| MIT License                        | `MIT`                   |
+| Apache License, Version 2.0        | `Apache-2.0`            |
+| BSD 2-Clause                       | `BSD-2-Clause`          |
+| BSD 3-Clause                       | `BSD-3-Clause`          |
+| Mozilla Public License 2.0         | `MPL-2.0`               |
+| GNU General Public License v3      | `GPL-3.0-or-later`      |
+| GNU Lesser GPL v3                  | `LGPL-3.0-or-later`     |
+| Python Software Foundation License | `PSF-2.0`               |
+| MIT-CMU License (Pillow)           | `MIT-CMU`               |
+
+If no standard SPDX identifier exists (e.g., Inno Setup proprietary license), use a
+`LicenseRef-` identifier (e.g., `LicenseRef-Inno-Setup`) and place the license text in
+`LICENSES/LicenseRef-Inno-Setup.txt`.
+
+### Example `REUSE.toml` block
+
+```toml
+[[annotations]]
+path = "credits/simpleeval-LICENCE"
+SPDX-FileCopyrightText = "Copyright (c) 2013 Daniel Fairhead"
+SPDX-License-Identifier = "MIT"
+```
+
+For files that have no copyright notice at all (e.g., the Apache 2.0 generic license text at
+`argparse_check_range-LICENSE-2.0`), credit the known package author:
+
+```toml
+[[annotations]]
+path = "credits/argparse_check_range-LICENSE-2.0"
+SPDX-FileCopyrightText = "Dmitriy Kovalev"
+SPDX-License-Identifier = "Apache-2.0"
+```
+
+---
+
+## Step 6 — Verify REUSE compliance
+
+```bash
+reuse lint
+```
+
+All reported errors must be resolved before committing.
+Common errors and fixes:
+
+| Error                                    | Fix                                                              |
+|------------------------------------------|------------------------------------------------------------------|
+| `credits/<file>: no license identifier`  | Add the `SPDX-License-Identifier` to the REUSE.toml annotation   |
+| `credits/<file>: no copyright notice`    | Add `SPDX-FileCopyrightText` to the REUSE.toml annotation        |
+| `Missing license file LICENSES/<ID>.txt` | Add the license text to `LICENSES/` when using `LicenseRef-` IDs |
+
+---
+
+## Step 7 — Run pre-commit checks
+
+```bash
+pre-commit run --all
+```
+
+All hooks must pass (ruff, pylint, mypy, reuse, etc.) before pushing.
+
+---
+
+## Summary checklist
+
+- [ ] `pyproject.toml` — dependency added with pinned version
+- [ ] `credits/CREDITS.md` — row added to the correct table
+- [ ] `credits/update_credits_licenses.py` — entry added to the correct list
+- [ ] License file downloaded (`cd credits && python update_credits_licenses.py`)
+- [ ] `REUSE.toml` — `[[annotations]]` block added for each new license file
+- [ ] `reuse lint` passes
+- [ ] `pre-commit run --all` passes

CONTRIBUTING.md

@@ -139,6 +139,25 @@ python3 -m ardupilot_methodic_configurator
 
 More detailed usage instructions can be found in our [user manual](https://ardupilot.github.io/MethodicConfigurator/USERMANUAL)
 
+## Managing Dependencies
+
+When adding a new runtime or development dependency, **all** of the following steps must be completed
+in order to keep the project REUSE-compliant and credits accurate:
+
+1. **`pyproject.toml`** — add the package with a pinned version.
+2. **`credits/CREDITS.md`** — add a row to the "directly uses" or "indirectly uses" table with a
+   link to the project and its license.
+3. **`credits/update_credits_licenses.py`** — add an entry (name + raw license URL) to
+   `direct_dependencies` or `indirect_dependencies`.
+4. **Download the license file** — run `python update_credits_licenses.py` from the `credits/`
+   directory to fetch the license file(s).
+5. **`REUSE.toml`** — add an `[[annotations]]` block for each downloaded license file with the
+   correct `SPDX-FileCopyrightText` and `SPDX-License-Identifier`.
+6. **Verify** — run `reuse lint` and `pre-commit run --all` until all checks pass.
+
+Full details and examples are in
+[`.github/instructions/update_software_dependencies.md`](.github/instructions/update_software_dependencies.md).
+
 ## Submitting patches
 
 Follow the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) style for your git commit messages.

LICENSES/BSD-2-Clause.txt

@@ -0,0 +1,24 @@
+BSD 2-Clause License
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

LICENSES/LicenseRef-Inno-Setup.txt

@@ -0,0 +1,37 @@
+Inno Setup License
+==================
+
+Except where otherwise noted, all of the documentation and software
+included in the Inno Setup package is copyrighted by Jordan Russell.
+
+Copyright (C) 1997-2026 Jordan Russell. All rights reserved.
+Portions Copyright (C) 2000-2026 Martijn Laan. All rights reserved.
+
+This software is provided "as-is," without any express or implied
+warranty. In no event shall the author be held liable for any damages
+arising from the use of this software.
+
+Permission is granted to anyone to use this software for any purpose,
+including commercial applications, and to alter and redistribute it,
+provided that the following conditions are met:
+
+1. All redistributions of source code files must retain all copyright
+   notices that are currently in place, and this list of conditions
+   without modification.
+
+2. All redistributions in binary form must retain all occurrences of
+   the above copyright notice and web site addresses that are currently
+   in place (for example, in the About boxes).
+
+3. The origin of this software must not be misrepresented; you must not
+   claim that you wrote the original software. If you use this software
+   to distribute a product, an acknowledgment in the product
+   documentation would be appreciated but is not required.
+
+4. Modified versions in source or binary form must be plainly marked as
+   such, and must not be misrepresented as being the original software.
+
+
+Jordan Russell
+jr-2020 AT jrsoftware.org
+https://jrsoftware.org/

REUSE.toml

@@ -185,3 +185,28 @@ SPDX-License-Identifier = "GPL-3.0-or-later"
 path = [".dockerignore", "docker-compose.yml", "Dockerfile"]
 SPDX-FileCopyrightText = "2026 ArduPilot methodic configurator developers"
 SPDX-License-Identifier = "GPL-3.0-or-later"
+
+[[annotations]]
+path = "credits/simpleeval-LICENCE"
+SPDX-FileCopyrightText = "Copyright (c) 2013 Daniel Fairhead"
+SPDX-License-Identifier = "MIT"
+
+[[annotations]]
+path = "credits/pip-system-certs-LICENSE"
+SPDX-FileCopyrightText = "Copyright (c) alelec"
+SPDX-License-Identifier = "BSD-2-Clause"
+
+[[annotations]]
+path = "credits/argparse_check_range-LICENSE-2.0"
+SPDX-FileCopyrightText = "Dmitriy Kovalev"
+SPDX-License-Identifier = "Apache-2.0"
+
+[[annotations]]
+path = "credits/screeninfo-LICENSE.md"
+SPDX-FileCopyrightText = "Copyright (c) 2018 Marcin Kurczewski"
+SPDX-License-Identifier = "MIT"
+
+[[annotations]]
+path = "credits/Inno_Setup-license.txt"
+SPDX-FileCopyrightText = "Copyright (C) 1997-2026 Jordan Russell. Portions Copyright (C) 2000-2026 Martijn Laan."
+SPDX-License-Identifier = "LicenseRef-Inno-Setup"

credits/CREDITS.md

@@ -100,4 +100,4 @@ These books helped shape this software:
 - [The Mythical Man-Month: 2nd Edition by Frederick P. Brooks](https://www.oreilly.com/library/view/mythical-man-month-the/0201835959/)
 - [Clean Agile: Back to Basics by Robert C. Martin](https://www.oreilly.com/library/view/clean-agile-back/9780135782002/)
 - [Tidy First? by Kent Beck](https://www.oreilly.com/library/view/tidy-first/9781098151232/)
-- [Laws of UX by Jon Yablonski](https://www.oreilly.com/library/view/laws-of-ux/9781492055303/)
+- [Laws of UX by Jon Yablonski](https://www.oreilly.com/library/view/laws-of-ux/9781492055303/)

credits/Inno_Setup-license.txt

@@ -0,0 +1,32 @@
+Inno Setup License
+==================
+
+Except where otherwise noted, all of the documentation and software included in the Inno
+Setup package is copyrighted by Jordan Russell.
+
+Copyright (C) 1997-2026 Jordan Russell. All rights reserved.
+Portions Copyright (C) 2000-2026 Martijn Laan. All rights reserved.
+
+This software is provided "as-is," without any express or implied warranty. In no event shall
+the author be held liable for any damages arising from the use of this software.
+
+Permission is granted to anyone to use this software for any purpose, including commercial
+applications, and to alter and redistribute it, provided that the following conditions are met:
+
+1. All redistributions of source code files must retain all copyright notices that are currently
+   in place, and this list of conditions without modification.
+
+2. All redistributions in binary form must retain all occurrences of the above copyright notice
+   and web site addresses that are currently in place (for example, in the About boxes).
+
+3. The origin of this software must not be misrepresented; you must not claim that you wrote
+   the original software. If you use this software to distribute a product, an acknowledgment
+   in the product documentation would be appreciated but is not required.
+
+4. Modified versions in source or binary form must be plainly marked as such, and must not
+   be misrepresented as being the original software.
+
+
+Jordan Russell
+jr-2020 AT jrsoftware.org
+https://jrsoftware.org/