fix(compliance): wrap instructional SPDX echoes in python-reuse.yml

[williaby]

Summary

Wrap instructional echo '# SPDX-License-Identifier: MIT' lines in
.github/workflows/python-reuse.yml with # REUSE-IgnoreStart /
# REUSE-IgnoreEnd markers (REUSE 3.3 spec) so the REUSE compliance
gate stops parsing them as real SPDX expressions.

Why

The previous failure log on PR #67 (TruffleHog rollout) and on this PR's
initial commit reported two REUSE errors against the same file:

1. INVALID SPDX LICENSE EXPRESSIONS: the shell echoes were parsed as
   actual SPDX tags, producing MIT' >> $GITHUB_STEP_SUMMARY (invalid).
2. MISSING COPYRIGHT AND LICENSING INFORMATION: the file had no header.

The original approach (adding a [[annotations]] block to REUSE.toml
with CC0-1.0) only addressed #2; the invalid-SPDX detection runs on
file content directly and would have remained failing after merge.

This rev wraps the offending lines so REUSE skips them. The existing
global path = ["**"] MIT annotation then satisfies the licensing-info
check without needing an override block. The earlier CC0-1.0 annotation
is reverted (CC0 in this org is reserved for the image-detection
training-data project; reusable workflows referenced via uses: are
not redistributed, so MIT applies fine).

Verification

• reuse lint passes locally: 125/125 files compliant, 0 invalid SPDX
  expressions.
• CodeQL Default setup was disabled in repo settings (separate fix), so
  the CodeQL Analyze advanced workflow can upload SARIF without
  conflict.

Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Updated compliance checking workflow configuration to improve handling of license documentation examples.

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request adds a REUSE ignore block wrapper around example SPDX header lines in the "How to Fix" section of the REUSE compliance summary step. The change prevents the example headers themselves from triggering compliance checks within the workflow output.

Changes

REUSE Ignore Block Addition

Layer / File(s)	Summary
Workflow Configuration .github/workflows/python-reuse.yml	REUSE ignore block markers (# REUSE-IgnoreStart / # REUSE-IgnoreEnd) are added around example SPDX header lines in the compliance summary.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

A rabbit hops through workflows with care,
Adding markers that say "Don't fix there!"
SPDX examples wrapped up tight,
In ignore blocks, safe from reuse's sight. 🐰

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: wrapping instructional SPDX echoes in the python-reuse.yml workflow with REUSE ignore markers.
Description check	✅ Passed	The description provides clear context on the problem, solution, and verification, though it deviates from the template structure which requires sections like 'Type of Change', 'Changes Made', 'Testing', and 'Checklist'.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/reuse-coverage

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[williaby]

@github-copilot review

[Copilot]

Pull request overview

Updates REUSE.toml to add an explicit REUSE annotation intended to cover a pre-existing workflow file that is currently flagged as missing licensing metadata, in order to unblock the REUSE compliance check referenced in the PR description.

Changes:

• Adds a CC0-1.0 [[annotations]] entry for .github/workflows/python-reuse.yml.
• Adds explanatory comments describing why the annotation was added.

[williaby]

PR Review

BUILD FAILING — do not merge. Two CI checks block this PR. Findings below; agent-based deep review on this 11-line diff was condensed since Copilot already reviewed and the failures are deterministic CI signals.

---

Critical (must fix before merge)

1. PR does NOT actually fix the REUSE failure. REUSE.toml:18-22

The REUSE failure log shows TWO error categories:

• INVALID SPDX LICENSE EXPRESSIONS in .github/workflows/python-reuse.yml:106 — lines like echo ' # SPDX-License-Identifier: MIT' >> \$GITHUB_STEP_SUMMARY parse as the literal SPDX expression MIT' >> \$GITHUB_STEP_SUMMARY.
• MISSING COPYRIGHT AND LICENSING INFORMATION for the same file.

This PR only addresses the second. After merge, Invalid SPDX License Expressions: 1 will remain and reuse lint will still exit non-zero.

Fix (the failure log itself recommends option 1): wrap the offending echo lines in # REUSE-IgnoreStart / # REUSE-IgnoreEnd comments inside python-reuse.yml, OR break the SPDX tag in the echo strings, OR remove the instructional echoes.

2. CodeQL failure is a repo-settings conflict. .github/workflows/codeql.yml:1-9

CI annotation: "CodeQL analyses from advanced configurations cannot be processed when the default setup is enabled." Both default setup and the custom codeql.yml workflow are active. The workflow file's own header comment already warns about this trap. Fix: disable CodeQL Default setup at Settings > Code security > Code scanning > Default setup. No code change needed.

---

Important (should fix)

3. License downgrade MIT → CC0-1.0 is unjustified. PR description says the change is "consistent with the other configuration-files annotation," but the existing REUSE.toml has only one annotation block (** → MIT). There is no precedent for CC0 in this repo. Either document why CC0 is appropriate for org-default workflows, or revert the license change.

4. Annotation overlap with global ** pattern (Copilot). python-reuse.yml matches both annotations. Suggest making intent explicit with precedence = \"override\" on the new block, or narrowing the ** pattern.

---

Suggested

5. Comment plural/file-singular mismatch (Copilot). Comment says "Pre-existing files" / "These files," but the annotation lists one file. Adjust to singular or expand the list.

6. PR description grammar. "1 pre-existing files" should be singular.

---

Recommended Action

1. Disable CodeQL default setup in repo settings (one-time, fixes Critical feat: add reusable workflow templates for Python projects #2).
2. Expand this PR with a fix to python-reuse.yml (REUSE-IgnoreStart/End wrapping), OR rescope the PR to fix only python-reuse.yml and drop the annotation.
3. Justify or revert the MIT → CC0 downgrade.
4. Tidy the singular/plural wording.

Copilot review summary: 2 comments received (overlap concern + plural wording), both reflected above. CodeRabbit was rate-limited on this run.

🤖 Generated with Claude Code

[williaby]

PR Fix Summary

Pivoted from the original approach after diagnosing the REUSE failure log line-by-line: the failing file (python-reuse.yml) had two REUSE errors, and adding annotations to REUSE.toml only addressed one. The actual root cause was invalid SPDX expressions detected by REUSE inside the file's content.

Fixes applied in commit 8972276:

• Wrapped the instructional echo '# SPDX-License-Identifier: MIT' lines in python-reuse.yml with # REUSE-IgnoreStart / # REUSE-IgnoreEnd markers (REUSE 3.3 spec).
• Reverted the CC0-1.0 [[annotations]] block in REUSE.toml; the global ** MIT annotation now applies to python-reuse.yml without an override. (CC0 in this org is reserved for the image-detection ML training-data project.)

Resolved review threads:

• Copilot: annotation overlap concern → resolved (annotation removed).
• Copilot: plural/singular wording → resolved (annotation removed).

Verification:

• reuse lint passes locally with 125/125 files compliant and 0 invalid SPDX expressions.
• CodeQL Default setup was disabled in repo Security settings (separate fix), unblocking the advanced CodeQL Analyze workflow's SARIF upload.

CI re-run triggered by push.

🤖 Generated with Claude Code

[coderabbitai]

🧹 Nitpick comments (1)

.github/workflows/python-reuse.yml (1)

115-115: 💤 Low value

Consider matching the indentation of surrounding code.

The REUSE markers are currently at column 0, while the surrounding code is indented with 12 spaces. For visual consistency and readability, consider indenting the markers to match:

✨ Suggested indentation fix

           echo '   ```' >> $GITHUB_STEP_SUMMARY
-# REUSE-IgnoreStart
+          # REUSE-IgnoreStart
           echo '   # SPDX-FileCopyrightText: 2024 Your Name' >> $GITHUB_STEP_SUMMARY
           echo '   # SPDX-License-Identifier: MIT' >> $GITHUB_STEP_SUMMARY
-# REUSE-IgnoreEnd
+          # REUSE-IgnoreEnd
           echo '   ```' >> $GITHUB_STEP_SUMMARY

Also applies to: 118-118

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/python-reuse.yml at line 115, The REUSE markers "#
REUSE-IgnoreStart" and "# REUSE-IgnoreEnd" in the workflow snippet are
left-aligned while surrounding commands are indented; update those marker lines
to match the existing 12-space indentation used by the surrounding block so the
markers align visually with the echo lines (adjust the two occurrences of "#
REUSE-IgnoreStart" and "# REUSE-IgnoreEnd" shown in the diff).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/python-reuse.yml:
- Line 115: The REUSE markers "# REUSE-IgnoreStart" and "# REUSE-IgnoreEnd" in
the workflow snippet are left-aligned while surrounding commands are indented;
update those marker lines to match the existing 12-space indentation used by the
surrounding block so the markers align visually with the echo lines (adjust the
two occurrences of "# REUSE-IgnoreStart" and "# REUSE-IgnoreEnd" shown in the
diff).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a56a72bc-7367-4d9b-8d8e-e5ca58a8ae66

📥 Commits

Reviewing files that changed from the base of the PR and between cd0f5c2 and 8972276.

📒 Files selected for processing (1)

• .github/workflows/python-reuse.yml