Skip to content

chore(repo): drop DEPENDENCIES.md per ASF policy#3222

Merged
hubcio merged 4 commits into
masterfrom
chore/drop-dependencies-md
May 9, 2026
Merged

chore(repo): drop DEPENDENCIES.md per ASF policy#3222
hubcio merged 4 commits into
masterfrom
chore/drop-dependencies-md

Conversation

@hubcio
Copy link
Copy Markdown
Contributor

@hubcio hubcio commented May 7, 2026

DEPENDENCIES.md (cargo license + CI drift check) broke every
dependabot PR; dependabot can't run repo scripts so the file
went stale on every lockfile bump.

Per ASF release policy, source tarballs ship Cargo.lock but no
bundled crates, so LICENSE/NOTICE MUST NOT enumerate them. The
real compliance gap was on convenience binaries (Docker images,
PyPI wheels) which statically link crates without bundling the
license text.

Confirmed on general@incubator (2026-05-06):
https://lists.apache.org/thread/1okljz8jxt2g0bt3hlgpxyor7zv0nobl

Replace with cargo-about + license-checker-rseidelsohn driven by
scripts/ci/third-party-licenses.sh, scoped per-artifact via a
single composite action shared by pre-merge and publish.yml.
iggy-server bundles the embedded web UI, so apache/iggy
enumerates web npm deps too.

@codecov
Copy link
Copy Markdown

codecov Bot commented May 7, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 57.69%. Comparing base (86bf419) to head (eb26a42).

Additional details and impacted files 
@@              Coverage Diff              @@
##             master    #3222       +/-   ##
=============================================
- Coverage     74.45%   57.69%   -16.76%     
  Complexity      943      943               
=============================================
  Files          1188     1187        -1     
  Lines        106543    93222    -13321     
  Branches      83560    70256    -13304     
=============================================
- Hits          79329    53787    -25542     
- Misses        24463    36725    +12262     
+ Partials       2751     2710       -41
Components Coverage Δ
Rust Core 53.44% <ø> (-22.27%) ⬇️
Java SDK 60.14% <ø> (ø)
C# SDK 69.13% <ø> (-0.31%) ⬇️
Python SDK 81.43% <ø> (ø)
Node SDK 91.41% <ø> (-0.13%) ⬇️
Go SDK 39.80% <ø> (ø)
see 262 files with indirect coverage changes
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@hubcio hubcio force-pushed the chore/drop-dependencies-md branch 2 times, most recently from 33a96f0 to a895c7a Compare May 7, 2026 07:01
numinnex
numinnex previously approved these changes May 8, 2026
View reviewed changes
hubcio added 2 commits May 9, 2026 12:19
@hubcio
chore(repo): drop DEPENDENCIES.md per ASF policy
c913723 
DEPENDENCIES.md (cargo license + CI drift check) broke every
dependabot PR; dependabot can't run repo scripts so the file
went stale on every lockfile bump.

Per ASF release policy, source tarballs ship Cargo.lock but no
bundled crates, so LICENSE/NOTICE MUST NOT enumerate them. The
real compliance gap was on convenience binaries (Docker images,
PyPI wheels) which statically link crates without bundling the
license text.

Confirmed on general@incubator (2026-05-06):
https://lists.apache.org/thread/1okljz8jxt2g0bt3hlgpxyor7zv0nobl

Replace with cargo-about + license-checker-rseidelsohn driven by
scripts/ci/third-party-licenses.sh, scoped per-artifact via a
single composite action shared by pre-merge and publish.yml.
iggy-server bundles the embedded web UI, so apache/iggy
enumerates web npm deps too.
@hubcio
fix(ci): force cleanup trap to return 0 in license script
776d091 
scripts/ci/third-party-licenses.sh chained `[[ -n VAR && -f VAR ]] && rm`
in its EXIT trap. When invoked with only Rust manifests (e.g.
`--manifest core/ai/mcp/Cargo.toml`), NODE_FMT_FILE and NODE_JSON_FILE
stay empty, the last `[[ ... ]] && rm` short-circuits to exit code 1,
and bash propagates the trap's status as the script's. Validation
printed "All manifests pass third-party license validation." then
exited 1, failing the Validate third-party licenses job.

Append `return 0` to cleanup so trap status no longer leaks.
@hubcio hubcio force-pushed the chore/drop-dependencies-md branch from 33c8822 to 776d091 Compare May 9, 2026 10:19
@hubcio hubcio merged commit 0928f13 into master May 9, 2026
84 checks passed
@hubcio hubcio deleted the chore/drop-dependencies-md branch May 9, 2026 12:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@spetz spetz spetz approved these changes

@mmodzelewski mmodzelewski mmodzelewski approved these changes

@numinnex numinnex numinnex left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@hubcio @spetz @mmodzelewski @numinnex