chore: add NOTICE file for third-party components #1043
Adds a top-level NOTICE.md listing third-party open source components distributed with apm, along with their license texts and any required attribution from upstream NOTICE / AUTHORS files. Covers all 14 direct runtime dependencies declared in pyproject.toml. Format follows the standard NOTICES template: component name, license/copyright notice, additional attribution where applicable. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Adds a repository-root NOTICE.md to document third-party runtime dependencies shipped with the apm Python package, including license texts and upstream attributions where applicable.
Changes:
- Introduces `NOTICE.md` containing per-dependency license/attribution sections for 14 direct runtime dependencies.
- Includes verbatim upstream license texts plus extra NOTICE/AUTHORS attributions for select packages (e.g., requests, watchdog, GitPython).
| File | Description |
|---|---|
| NOTICE.md | New NOTICE document enumerating direct runtime dependencies and their license/attribution text. |
Copilot's findings
Comments suppressed due to low confidence (1)
NOTICE.md:599
- This inline note also says "see Open Issues" but doesn't point anywhere concrete. For a licensing/NOTICE document, please replace with a specific link (or a tracked internal issue number) so readers can resolve the license ambiguity.
_Copyright (c) 2025 Anthony Shaw (LICENSE header) -- note: file contents are MIT-style header followed by Apache-2.0 reference; see Open Issues_
- Files reviewed: 1/1 changed files
- Comments generated: 3
| with this project (the runtime dependencies of the `apm` Python package). Build- | ||
| time and contributor-only tooling (test runners, linters, type-checkers, the | ||
| PyInstaller build backend, and the `setuptools` / `wheel` build system) are not | ||
| distributed and are intentionally omitted, as is install-time user state created | ||
| by the CLI under `apm_modules/`. No third-party source is vendored into this | ||
| repository. |
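Review bot: The scope paragraph leaves out the one exclusion the PR description itself states, namely that transitive dependencies are not enumerated. Since this paragraph is what an auditor reads to learn what the file does and does not cover, add a sentence next to the build-time tooling and `apm_modules/` exclusions saying that only the direct runtime dependencies declared in `pyproject.toml` are listed and that transitive packages are out of scope.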
The introductory paragraph manually hyphenates "Build-" across a newline, which will render as "Build- time" in Markdown. Please remove the hard line break (or the hyphen) so the phrase reads correctly as "Build-time".
| with this project (the runtime dependencies of the `apm` Python package). Build- | |
| time and contributor-only tooling (test runners, linters, type-checkers, the | |
| PyInstaller build backend, and the `setuptools` / `wheel` build system) are not | |
| distributed and are intentionally omitted, as is install-time user state created | |
| by the CLI under `apm_modules/`. No third-party source is vendored into this | |
| repository. | |
| with this project (the runtime dependencies of the `apm` Python package). | |
| Build-time and contributor-only tooling (test runners, linters, type-checkers, | |
| the PyInstaller build backend, and the `setuptools` / `wheel` build system) are | |
| not distributed and are intentionally omitted, as is install-time user state | |
| created by the CLI under `apm_modules/`. No third-party source is vendored into | |
| this repository. |
|
|
||
| ## Component. PyYAML | ||
|
|
||
| - Version requirement: `>=6.0.0 (declared as `pyyaml`)` |
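Review bot: The version requirement line records only the declared lower bound (`>=6.0.0`), not the version actually resolved and shipped, so the license text that follows cannot be tied to a specific PyYAML release. Since the release PR on this page states that the NOTICE drift check runs against `uv.lock`, consider also recording the locked version (for example a `- Resolved version:` line taken from `uv.lock`) so the attribution can be re-verified whenever the lockfile changes.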
This line uses nested backticks (... `pyyaml` ...), which breaks Markdown inline-code rendering. Consider rewriting without nested backticks (e.g., use a plain word, escape the inner backticks, or switch to a fenced code block).
| - Version requirement: `>=6.0.0 (declared as `pyyaml`)` | |
| - Version requirement: >=6.0.0 (declared as pyyaml) |
| - Notes: Upstream LICENSE file declares MIT license text but PyPI metadata + classifiers say Apache-2.0. See Open Issues. | ||
|
|
||
| ### Open Source License/Copyright Notice. | ||
|
|
||
| _Copyright (c) 2025 Anthony Shaw (LICENSE header) -- note: file contents are MIT-style header followed by Apache-2.0 reference; see Open Issues_ |
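Review bot: The Notes line records that the upstream LICENSE text (MIT) and the PyPI metadata and classifiers (Apache-2.0) disagree, yet the "Open Source License/Copyright Notice" section below it still presents only the MIT-style header as the governing notice. Rather than leaving the reader to choose, the section should state which license text the project is relying on for redistribution, or carry both texts verbatim until the upstream ambiguity is resolved, so the NOTICE is complete under either reading.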
"See Open Issues" is referenced here, but this NOTICE doesn't include an "Open Issues" section or a link/identifier to the specific issue(s). Please either link to the relevant upstream/repo issue(s) or remove the reference to avoid ambiguity for auditors.
This issue also appears on line 599 of the same file.
| - Notes: Upstream LICENSE file declares MIT license text but PyPI metadata + classifiers say Apache-2.0. See Open Issues. | |
| ### Open Source License/Copyright Notice. | |
| _Copyright (c) 2025 Anthony Shaw (LICENSE header) -- note: file contents are MIT-style header followed by Apache-2.0 reference; see Open Issues_ | |
| - Notes: Upstream LICENSE file declares MIT license text, but PyPI metadata and classifiers say Apache-2.0. | |
| ### Open Source License/Copyright Notice. | |
| _Copyright (c) 2025 Anthony Shaw (LICENSE header) -- note: file contents are MIT-style header followed by an Apache-2.0 reference_ |
Promotes [Unreleased] -> [0.11.0] - 2026-04-29 and bumps pyproject.toml + uv.lock to 0.11.0.

Version-bump rationale: 0.11.0 (minor bump) chosen over 0.10.1 because this release ships one BREAKING removal (`apm marketplace build` -> exits 2, use `apm pack`) plus several net-new features (Dev Container Feature, Codex project-scoped MCP, `marketplace:` block in apm.yml, `apm pack` unification, multi-org `apps[]`). Strict semver in 0.x: minor for features-with-break, patch only for bugfixes.

Milestone admin (done out-of-band):
- Renamed milestone #8 `0.10.1` -> `0.11.0`
- Created milestone #9 `0.12.0` as next-up bucket
- Moved 43 open items (42 issues + 1 open PR #999) from `0.11.0` -> `0.12.0`
- 6 closed items stay in `0.11.0`

PRs shipping in 0.11.0 (22 commits since v0.10.0):

User-facing features:
- #1042/#722 `apm pack` unifies bundle + marketplace.json (BREAKING: `apm marketplace build` removed)
- #1038 `marketplace:` block in apm.yml + `apm marketplace migrate`
- #803/#502 Codex project-scoped MCP (`.codex/config.toml`) + user-scope primitives
- #861 Dev Container Feature `ghcr.io/microsoft/apm/apm-cli`
- #982/#984 shared/apm.md `apps:` array for cross-org private packages
- #820 `target:` in apm.yml validates at parse time
- #1032 `apm marketplace add` honors manifest.name (Claude Code parity)
- #1000/#998/#994 unified `--policy` / `--policy-source` accepted forms

User-facing fixes:
- #1015 ADO Entra ID auth + `apm install --update` pre-flight abort
- #1019/#1020 GEMINI.md only created when target requested
- #1008 marketplace producer respects GITHUB_HOST + multi-host URL forms
- #1018 POSIX paths in auto-discovery output (Windows compat)
- #996 drop stray 'specify' from generated file footer

Maintainer tooling:
- #1043 NOTICE.md per CELA template
- #1045/#1044 NOTICE drift gate + license-policy gate in CI
- #1033 shared/apm.md `[a b]` import-input repair (gh-aw#29076 paper-cut)
- #1030 panel workflows skip-don't-fail on unmatched labels; gh-aw v0.71.1
- #1026 shared/apm.md recompiled to apm-action v1.5.0 + bundles-file
- #1022 review-panel: true fan-out + binary verdict + label automation
- #918 complexity audit + benchmarks suite
- #1002 CodeQL clear-text-storage false-positive resolved (token -> placeholder)

Files changed:
- pyproject.toml: 0.10.0 -> 0.11.0
- uv.lock: regenerated (version field only)
- CHANGELOG.md: [Unreleased] promoted to [0.11.0] - 2026-04-29

NOTICE drift check passes against the bumped lockfile.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Summary
Adds a top-level `NOTICE.md` enumerating the third-party open source components distributed with the `apm` package, along with their license texts and any additional upstream attribution (`NOTICE`, `AUTHORS` files where applicable).
Scope
All 14 direct runtime dependencies declared in `pyproject.toml` are listed:
For each component the file includes:
- `NOTICE` or `AUTHORS` files where the upstream provides them (applies to: `requests`, `watchdog`, `GitPython`)
Format
The file follows the standard NOTICES template — header line, then one section per component containing `Open Source License/Copyright Notice` and (where applicable) `Additional Attribution`. Saved as `NOTICE.md` at the repository root per convention.
Testing
Documentation-only change. No code or test changes.
Notes
This covers direct dependencies (industry-standard scope for a NOTICE file). Transitive dependencies are not enumerated; if a broader scope is desired in the future it can be added incrementally.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
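The PR claims that every direct runtime dependency declared in `pyproject.toml` has a section in `NOTICE.md`, and the release PR above mentions a NOTICE drift gate in CI. The following is an added example of such a check, written for this page; it is neither code from this PR nor the project's own drift gate (#1045/#1044). It reads `[project].dependencies`, normalizes distribution names per PEP 503 so `GitPython` and `gitpython` or `typing_extensions` and `typing-extensions` compare equal, collects the `## Component. <name>` headings (the convention visible in the diff above), and reports drift in both directions: declared packages with no NOTICE section, and NOTICE sections for packages no longer declared. The two sample files are constructed for the demonstration and the script name `drift_check.py` is assumed.

```python
"""Drift check: every direct runtime dependency in pyproject.toml must have a
'## Component. <name>' section in NOTICE.md, and NOTICE.md must not carry
sections for packages that are no longer declared."""
import re
import sys
from pathlib import Path

try:
    import tomllib  # Python 3.11+
except ImportError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# Constructed sample input (not the apm project's real pyproject.toml).
SAMPLE_PYPROJECT = """\
[project]
name = "example-cli"
dependencies = [
    "pyyaml>=6.0.0",
    "requests>=2.31",
    "GitPython >= 3.1",
    "Watchdog>=4.0 ; python_version >= '3.9'",
    "typing_extensions>=4.0; python_version < '3.11'",
]
"""

# Constructed sample NOTICE.md using the '## Component. <name>' heading
# convention from the diff; two declared packages have no section and one
# listed package (colorama) is not declared at all.
SAMPLE_NOTICE = """\
# NOTICES

## Component. PyYAML

- Version requirement: >=6.0.0 (declared as pyyaml)

## Component. requests

## Component. GitPython

## Component. colorama
"""

# Leading distribution name of a PEP 508 requirement string; extras, version
# specifiers and environment markers follow it and are deliberately ignored.
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")
_COMPONENT = re.compile(r"^##\s+Component\.\s+(.+?)\s*$", re.MULTILINE)


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold, collapse runs of '-', '_', '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def declared_dependencies(pyproject_text: str) -> set[str]:
    """Normalized names from [project].dependencies only (direct runtime deps);
    optional-dependencies and build-system requires are out of scope here."""
    data = tomllib.loads(pyproject_text)
    names = set()
    for req in data.get("project", {}).get("dependencies", []):
        match = _REQ_NAME.match(req)
        if match is None:
            raise ValueError(f"unparseable requirement: {req!r}")
        names.add(normalize(match.group(1)))
    return names


def notice_components(notice_text: str) -> set[str]:
    """Normalized names taken from every '## Component. <name>' heading."""
    return {normalize(name) for name in _COMPONENT.findall(notice_text)}


def notice_drift(pyproject_text: str, notice_text: str) -> dict[str, list[str]]:
    """Both drift directions; two empty lists means the NOTICE is in sync."""
    declared = declared_dependencies(pyproject_text)
    listed = notice_components(notice_text)
    return {
        "missing_from_notice": sorted(declared - listed),
        "not_declared": sorted(listed - declared),
    }


def main(argv: list[str]) -> int:
    """Usage: drift_check.py [pyproject.toml NOTICE.md]; samples used if omitted.
    Exit status 1 on any drift, so the script can gate a CI job."""
    if len(argv) == 3:
        pyproject_text = Path(argv[1]).read_text(encoding="utf-8")
        notice_text = Path(argv[2]).read_text(encoding="utf-8")
    else:
        pyproject_text, notice_text = SAMPLE_PYPROJECT, SAMPLE_NOTICE
    drift = notice_drift(pyproject_text, notice_text)
    for key, names in drift.items():
        for name in names:
            print(f"{key}: {name}")
    return 1 if any(drift.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments to see the two sample files compared (it reports `watchdog` and `typing-extensions` as missing and `colorama` as not declared, and exits 1); pass the real `pyproject.toml` and `NOTICE.md` paths to check a repository. Name normalization matters because a NOTICE heading written as `GitPython` would otherwise be reported as missing for a requirement declared as `gitpython`, and the non-zero exit status is what lets the check fail a pull request instead of only printing.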