Merge pull request #36788 from vespa-engine/laura/VESPANG-3162

lperry25 · web-flow · commit bbb1d5aa2d80 · 2026-05-07T13:33:12.000+02:00
add nightly attribution workflow and ATTRIBUTIONS.md
diff --git a/.github/scripts/build-attribution.sh b/.github/scripts/build-attribution.sh
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+# Build a deduplicated ATTRIBUTIONS.md from one or more inventory JSON files.
+#
+# Usage: build-attribution.sh <inventory.json> [<inventory.json> ...]
+# Output: markdown attribution document on stdout.
+#
+# Each input is expected in the wrapped shape produced by the
+# vespa-engine/gh-actions/mend-inventory action:
+#   { response: [ { component, license, copyrights, extraData, ... }, ... ],
+#     additionalData: { totalItems: N } }
+set -euo pipefail
+
+today=$(date -u +"%Y-%m-%d")
+
+cat <<EOF
+# Third-Party Software Attributions
+
+This file is auto-generated nightly and lists the open-source software
+dependencies of Vespa detected by scanning package manifests.
+
+For the hand-maintained list of vendored C/C++ libraries (Boost, OpenSSL,
+ICU, etc.), see [\`NOTICES\`](NOTICES).
+
+Last updated: $today
+EOF
+
+# Skip entries that don't have an identified license (the scanner couldn't
+# determine one, or the entry has no package identity to attribute).
+skipped=$(jq -s '
+  [.[] | (.response // [])[]
+    | select(.license.name == "Requires Review" or (.component.groupId // "") == "")]
+  | length
+' "$@")
+jq -s -r '
+  [ .[] | (.response // [])[]
+    | select(.license.name != "Requires Review" and (.component.groupId // "") != "")
+  ]
+  | group_by([.component.groupId, .component.version, .license.name])
+  | map(.[0])
+  | sort_by([((.component.groupId // "") | ascii_downcase), (.component.version // "")])
+  | map(
+      [
+        "",
+        "---",
+        "",
+        ("## " + .component.groupId + " " + .component.version + " — " + .license.name),
+        ""
+      ]
+      + (if ((.extraData.homepage // "") | length) > 0
+          then ["- Homepage: <" + .extraData.homepage + ">"]
+          else [] end)
+      + ((.copyrights // []) | map("- " + .))
+      | join("\n")
+    )
+  | join("\n")
+' "$@"
+
+# Trailing newline so the file ends cleanly.
+echo
diff --git a/.github/workflows/attribution.yml b/.github/workflows/attribution.yml
@@ -0,0 +1,85 @@
+name: Update Third-Party Attributions
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 3 * * *" # nightly 03:00 UTC
+  pull_request:
+    branches: [master]
+    paths:
+      - .github/workflows/attribution.yml
+      - .github/scripts/build-attribution.sh
+      - ATTRIBUTIONS.md
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  attribution:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Fetch dependency inventory
+        uses: vespa-engine/gh-actions/mend-inventory@217825ab3497a98c67134a9e8bb30f04329e82fe # v1
+        with:
+          mend-project-name: GH_vespa_master
+          mend-project-uuid: dbdbea81-7f52-426c-974f-975c2848770d
+          mend-user: ${{ vars.MEND_ATTRIBUTION_USER_EMAIL }}
+          mend-api-key: ${{ secrets.MEND_ATTRIBUTION_USER_KEY }}
+          output-path: build/inventory.json
+
+      - name: Build ATTRIBUTIONS.md
+        run: |
+          ./.github/scripts/build-attribution.sh build/inventory.json > ATTRIBUTIONS.md
+          echo "Wrote $(wc -l < ATTRIBUTIONS.md) lines to ATTRIBUTIONS.md"
+
+      # Only uploaded on failure so the raw response is available for debugging
+      # without bloating the artifact list on every successful run.
+      - name: Upload raw inventory JSON (debug, on failure)
+        if: ${{ failure() }}
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        with:
+          name: inventory-debug
+          path: build/inventory.json
+          retention-days: 7
+          if-no-files-found: warn
+
+      - name: Upload ATTRIBUTIONS.md
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        with:
+          name: attributions
+          path: ATTRIBUTIONS.md
+          retention-days: 14
+
+      - name: Open PR if changed
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git config user.name  "github-actions[bot]"
+
+          git add ATTRIBUTIONS.md
+          if git diff --cached --quiet; then
+            echo "ATTRIBUTIONS.md is up to date — nothing to do."
+            exit 0
+          fi
+
+          BRANCH="chore/update-attributions"
+          git checkout -B "$BRANCH"
+          git commit -m "chore: update third-party attributions"
+          git push --force --set-upstream origin "$BRANCH"
+
+          if gh pr view "$BRANCH" --json state --jq .state 2>/dev/null | grep -q OPEN; then
+            echo "PR for $BRANCH already open — pushed update to existing PR."
+          else
+            gh pr create \
+              --base master \
+              --head "$BRANCH" \
+              --title "chore: update third-party attributions" \
+              --body "Auto-generated update of ATTRIBUTIONS.md."
+          fi
diff --git a/ATTRIBUTIONS.md b/ATTRIBUTIONS.md
