bobbai00 opened a new issue, #4450: URL: https://github.com/apache/texera/issues/4450
### What happened?

`LICENSE-binary` and `NOTICE-binary` must stay accurate against Texera's actually-bundled third-party dependencies, otherwise the files drift and the ASF binary release stops being compliant. Today there is no automated check: a contributor can add or remove a dependency in `build.sbt`, `frontend/package.json`, or `amber/requirements.txt` without anyone noticing that `LICENSE-binary` was not updated to match.

### How to reproduce?

1. Add a new JVM dependency in any `build.sbt` file.
2. Run `sbt dist` and unzip the output.
3. The bundled `lib/` directory now contains a jar that is not mentioned anywhere in `LICENSE-binary`, and nothing in CI catches it.

### Version

1.1.0-incubating (Pre-release/Master)

### Commit Hash (Optional)

ef663648d

### Proposed fix

Add a CI workflow that runs on PRs touching build manifests or licensing files, plus a small Python checker. For each of the three ecosystems (JVM jars, npm packages, Python packages):

1. Enumerate the actually-bundled dependencies at build time.
2. Compare them against the bullets declared under the matching ecosystem heading in `LICENSE-binary`.
3. Fail the build on drift, distinguishing ADDED (bundled but not claimed) from STALE (claimed but no longer bundled).

A companion maintainer script enumerates the three ecosystems' bundled inventory so `LICENSE-binary` can be refreshed deterministically.

### Was this authored or co-authored using generative AI tooling?

Generated-by: Claude Code (Claude Opus 4.7)
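As an added example, not code from the issue or from the Texera project, here is a minimal form of the drift checker the proposal describes: it parses the bullets under each ecosystem heading and reports ADDED versus STALE entries per ecosystem. The `LICENSE-binary` layout (one heading line per ecosystem followed by `- name version` bullets), the sample file and the bundled inventory are all constructed here as assumptions.

```python
"""Drift check between a bundled-dependency inventory and LICENSE-binary."""
from typing import Dict, List, Set

# The three ecosystem headings the proposal compares against (assumed layout).
ECOSYSTEMS = ("JVM jars", "npm packages", "Python packages")

# Constructed sample LICENSE-binary: headings, bullets, then license text.
LICENSE_BINARY = """Texera binary distribution bundles these third-party components.

JVM jars
- commons-lang3 3.12.0
- guava 31.1-jre
- old-lib 1.0.0

npm packages
- rxjs 7.8.1

Python packages
- pyarrow 14.0.1

Apache License, Version 2.0
(license text follows; bullets here must not be counted)
"""

# Constructed inventory, as a build-time enumerator would produce it.
BUNDLED: Dict[str, Set[str]] = {
    "JVM jars": {"commons-lang3 3.12.0", "guava 31.1-jre", "new-lib 2.0.0"},
    "npm packages": {"rxjs 7.8.1"},
    "Python packages": {"pyarrow 14.0.1", "numpy 1.26.4"},
}

def parse_license_binary(text: str) -> Dict[str, Set[str]]:
    """Collect '- ' bullets under each ecosystem heading; any other
    non-blank, non-bullet line (e.g. license text) closes the section."""
    declared: Dict[str, Set[str]] = {e: set() for e in ECOSYSTEMS}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ECOSYSTEMS:
            current = line
        elif line.startswith("- ") and current:
            declared[current].add(line[2:].strip())
        else:
            current = None
    return declared

def diff_inventory(bundled: Dict[str, Set[str]],
                   declared: Dict[str, Set[str]]) -> Dict[str, Dict[str, List[str]]]:
    """ADDED = bundled but not claimed; STALE = claimed but no longer bundled."""
    return {e: {"ADDED": sorted(bundled.get(e, set()) - declared.get(e, set())),
                "STALE": sorted(declared.get(e, set()) - bundled.get(e, set()))}
            for e in ECOSYSTEMS}

def has_drift(report: Dict[str, Dict[str, List[str]]]) -> bool:
    """True when any ecosystem has ADDED or STALE entries (CI should fail)."""
    return any(r["ADDED"] or r["STALE"] for r in report.values())

if __name__ == "__main__":
    rep = diff_inventory(BUNDLED, parse_license_binary(LICENSE_BINARY))
    for eco, r in rep.items():
        for kind in ("ADDED", "STALE"):
            for dep in r[kind]:
                print(f"{eco}: {kind} {dep}")
    raise SystemExit(1 if has_drift(rep) else 0)
```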
