feat(ort-config): Extract a generic GitPackageCurationProvider

[mnonnenmacher]

Extract a generic GitPackageCurationProvider from the OrtConfigPackageCurationProvider and make the latter inherit from the new one. The new provider allows to use any Git repository as a source for package curation files.

For now, the provider requires the same file layout as the OrtConfigPackageCurationProvider, this could be made configurable if required later on.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 58.43%. Comparing base (b1b82c2) to head (4d54d8c).

Additional details and impacted files

@@            Coverage Diff            @@
##               main   #11941   +/-   ##
=========================================
  Coverage     58.43%   58.43%           
  Complexity     1809     1809           
=========================================
  Files           361      361           
  Lines         13499    13499           
  Branches       1383     1383           
=========================================
  Hits           7888     7888           
  Misses         5115     5115           
  Partials        496      496           

Flag	Coverage Δ
funTest-external-tools	14.64% <ø> (ø)
funTest-no-external-tools	30.37% <ø> (-0.03%)	⬇️
test-ubuntu-24.04	41.78% <ø> (ø)
test-windows-2025	41.76% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sschuberth]

Not sure about "cache" here. Should we put Git working directories into a more specifically named directory? Which BTW makes me wonder why DefaultWorkingTreeCache uses val dir = createOrtTempDir() instead.

[mnonnenmacher]

I just want some stable directory because it's a nice optimization when running ORT locally. "cache" made sense to me to signal that this can be deleted without causing problems (even though there is no automatic cleanup). Do you have any specific proposals for alternatives? It can also easily be changed later, if needed.

Which BTW makes me wonder why DefaultWorkingTreeCache uses val dir = createOrtTempDir() instead.

IIRC this is because the cache was made specifically for the requirements of the scanner and you would not want to permanently archive the source code of all scanned packages when running ORT locally.

[sschuberth]

Do you have any specific proposals for alternatives?

Well, maybe any of "git", "worktree", "clone", "plugin"... but you can also keep it at "cache".

[mnonnenmacher]

I kind of like "plugin" because it clarifies the scope, should I change it? Or maybe we can revisit this when doing the same change for the package configuration provider.

[sschuberth]

Or maybe we can revisit this when doing the same change for the package configuration provider.

Yes, let's do that.

[sschuberth]

Not sure if this should really be the default, or just something that OrtConfigPackageCurationProvider sets.

[mnonnenmacher]

I chose it because it seems people generally use the ort-config repo as template, so why not make their lives a bit easier.