chore: OSS compliance — NOTICE, CodeQL, .gitignore#75
Merged
Conversation
- Add NOTICE file crediting upstream forks (yahoo/kubectl-flame Copyright Verizon Media, josepdcs/kubectl-prof) and listing bundled third-party tools and their licenses, per Apache 2.0 §4(d) - Add .github/workflows/codeql.yml: weekly + PR-triggered CodeQL scan for Go and GitHub Actions - .gitignore: add .DS_Store, .vscode/, editor swap files
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates the .gitignore file to include common editor and OS temporary files and adds a NOTICE file documenting the project's licensing and heritage. Feedback suggests refining the .vscode ignore rules to allow sharing project-wide configurations and notes that the CodeQL workflow file mentioned in the PR description is missing from the changes.
CodeQL's Perform-Analysis step uploads results via the Code Scanning API, which requires the 'code_security' feature. On a private repo that needs GitHub Advanced Security; on a public repo it's free. Until this repo flips public, leave the workflow out — adding it now just produces a permanent red check. Rest of the OSS-compliance commit (NOTICE, .gitignore hardening) stays as-is.
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
RamanKharchee
approved these changes
May 12, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Three small OSS-readiness items in one PR.
NOTICE file
Apache 2.0 §4(d) asks downstream forks to preserve attribution. Neither upstream (
yahoo/kubectl-flame,josepdcs/kubectl-prof) shipped a NOTICE file, and the josepdcs fork stripped the//: Copyright Verizon Mediaper-file headers that the original Yahoo repo had. This adds a top-level NOTICE that:We don't retroactively restore per-file headers — the fork tree is mixed (many files were added by josepdcs and have no Verizon ancestry), so per-file work would be incomplete and noisy. NOTICE-level attribution is the standard approach for fork chains.
.gitignore
Adds
.DS_Store,.vscode/, and editor swap files.CodeQL
New
.github/workflows/codeql.yml— autobuild Go + GitHub Actions analysis on PR, push, and weekly cron. Results land in repo Security tab once enabled.Settings already toggled (no diff)
The following were enabled live on the repo via
gh api(not visible in this PR):Out of scope
@mayankpande88 @blue4209211in CODEOWNERS with a team — user deferred this