Skip to content

Publish licensedcode data/index as seperate pypi wheels and improve arm installation support#4847

Merged
AyanSinhaMahapatra merged 25 commits into
developfrom
smaller-wheels
May 15, 2026
Merged

Publish licensedcode data/index as seperate pypi wheels and improve arm installation support#4847
AyanSinhaMahapatra merged 25 commits into
developfrom
smaller-wheels

Conversation

@AyanSinhaMahapatra

@AyanSinhaMahapatra AyanSinhaMahapatra commented Mar 17, 2026

Copy link
Copy Markdown
Member

This is basically an extension of the work done in:

Tasks

  • Reviewed contribution guidelines
  • PR is descriptively titled 📑 and links the original issue above 🔗
  • Tests pass -- look for a green checkbox ✔️ a few minutes after opening your PR
    Run tests locally to check for errors.
  • Commits are in uniquely-named feature branch and has no merge conflicts 📁
  • Updated documentation pages (if applicable)
  • Updated CHANGELOG.rst (if applicable)

Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
Reference: https://pypi.org/project/flot/0.7.3/
Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
Fix release archive smoke tests.

Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
@AyanSinhaMahapatra AyanSinhaMahapatra changed the title Publish licensedcode data/index as seperate pypi wheels Publish licensedcode data/index as seperate pypi wheels and improve installation support Mar 24, 2026
Also add a default of `persist-credentials` as False.

These are fixes from running zizmorcore/zizmor

Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Comment thread .github/workflows/licensedcode-data-index-release.yml Dismissed
Comment thread .github/workflows/scancode-release.yml Dismissed
Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
Reference: aboutcode-org/scancode.io#1646
Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
Comment thread .github/workflows/scancode-release.yml Fixed
Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
@AyanSinhaMahapatra AyanSinhaMahapatra changed the title Publish licensedcode data/index as seperate pypi wheels and improve installation support Publish licensedcode data/index as seperate pypi wheels and improve arm installation support Apr 24, 2026
Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
@AyanSinhaMahapatra

AyanSinhaMahapatra commented May 1, 2026

Copy link
Copy Markdown
Member Author

Release tests all green at https://github.com/AyanSinhaMahapatra/scancode-toolkit/actions/runs/25222214153 and scancode tests also passing now.

Note that the failure to load index and rebuilding of index at https://github.com/AyanSinhaMahapatra/scancode-toolkit/actions/runs/25222214153/job/73957559207#step:6:351 is caused because the latest licensedcode index wheels are not released yet so older test wheels are being installed.

@JonoYang JonoYang left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@AyanSinhaMahapatra lgtm, thanks for handling this!

@pombredanne pombredanne left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are a few minor point that you should fix before merging, like double checking URLS to GH repos and missing references to AboutCode in copyrights, otherwise this is all good to go. 🙇

Reference: #4959
Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
Reference: actions/runner-images#14017
Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
@AyanSinhaMahapatra AyanSinhaMahapatra merged commit bd47fa8 into develop May 15, 2026
40 checks passed

@gotmax23 gotmax23 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I left some comments on the new packaging from the perspective of a distribution packager of scancode. Happy to discuss further!

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Having multiple pyproject-*.toml files in a single directory with different suffixes is not really in the spirit of Python standards. The usual structure for monorepos is to have each package in a separate subdirectory with its own pyproject.toml file. uv has a workspaces feature that supports this usecase pretty well, for example.

Also, introducing an entirely new PEP 517/518 build backend is nonideal, since we already have so many, including hatchling and setuptools that are more configurable and pluggable than flit is and keep up-to-date with Python packaging standards. flot also does not support the PEP 639 standard for improved license metadata that upstream flit and other build backends do, for example. This will become more of an issue as Python packaging continues to evolve.

Would you consider a different approach here? At least, I'd suggest properly documenting how the project can be built from source with a standard build frontend like python -m build.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At least, I'd suggest properly documenting how the project can be built from source with a standard build frontend like python -m build.

From reading the buildapi code, I see that flot supports --config-settings=--pyproject=FILE, but that didn't seem to be documented anywhere else and also seems like a worse interface than just having one pyproject.toml per directory.

name = "licensedcode-data"
version = "32.5.0"
description = "A packaging of the ScanCode licensedb license and license rules database."
long_description_content_type = "text/x-rst"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[project] does not support long_description_content_type, and this results in a warning.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The other pyproject-* files have this same issue.

description = "A packaging of the ScanCode licensedb license and license rules database."
long_description_content_type = "text/x-rst"
readme = "src/licensedcode/data/README.rst"
license = { text = "Apache-2.0 AND CC-BY-4.0 AND LicenseRef-scancode-other-permissive AND LicenseRef-scancode-other-copyleft" }

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This format is outdated. See my previous comment about PEP 639.

build-backend = "flot.buildapi"

[project]
name = "scancode-toolkit-mini"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why does there need to be an entirely separate -mini package? Why not add extras/optional dependencies to the main scancode-toolkit package?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is there a vendored wheel here?

]

dependencies = [
"licensedcode-index",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this have a version constraint? Otherwise, the dependencies could get out-of-sync when users run pip install -U scancode-toolkit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Improve ScanCode packaging and reduce wheel size

5 participants