Skip to content

0.2.0 license update#124

Open
dallasfoster wants to merge 1 commit into
NVIDIA:mainfrom
dallasfoster:dallasf/license-update-0.2.0
Open

0.2.0 license update#124
dallasfoster wants to merge 1 commit into
NVIDIA:mainfrom
dallasfoster:dallasf/license-update-0.2.0

Conversation

@dallasfoster

Copy link
Copy Markdown
Collaborator

ALCHEMI Toolkit Pull Request

Description

Regenerate the third-party license inventory covering all optional dependencies (cu12, cu13, mace, uma, aimnet, ase, pymatgen) and dependency groups, via a repeatable .licenses/generate_licenses.sh. Adds a license-overrides.json mechanism to fill licenses for packages whose PyPI metadata lacks a usable SPDX identifier.

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Performance improvement
  • Documentation update
  • Refactoring (no functional changes)
  • CI/CD or infrastructure change

Testing

  • Unit tests pass locally (make pytest)
  • [x ] Linting passes (make lint)
  • New tests added for new functionality meets coverage expectations?

Checklist

  • I have read and understand the Contributing Guidelines
  • [] I have updated the CHANGELOG.md
  • [x ] I have performed a self-review of my code
  • I have added docstrings to new functions/classes
  • I have updated the documentation (if applicable)

Additional Notes

Tip

This repository uses Greptile, an AI code review service, to help conduct
pull request reviews. We encourage contributors to read and consider suggestions
made by Greptile, but note that human maintainers will provide the necessary
reviews for merging: Greptile's comments are not a qualitative judgement
of your code, nor is it an indication that the PR will be accepted/rejected.
We encourage the use of emoji reactions to Greptile comments, depending on
their usefulness and accuracy.

Regenerate the third-party license inventory covering all optional
dependencies (cu12, cu13, mace, uma, aimnet, ase, pymatgen) and dependency
groups, via a repeatable .licenses/generate_licenses.sh. Adds a
license-overrides.json mechanism to fill licenses for packages whose PyPI
metadata lacks a usable SPDX identifier.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Dallas Foster <dallasf@nvidia.com>
@copy-pr-bot

copy-pr-bot Bot commented Jun 29, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@greptile-apps

greptile-apps Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR establishes a reproducible third-party license inventory for the 0.2.0 release, covering all optional extras (cu12, cu13, mace, uma, aimnet, ase, pymatgen) and dependency groups via a new .licenses/generate_licenses.sh script.

  • Adds generate_licenses.sh which builds a throwaway venv, installs all conflict-grouped extras in separate passes, and emits summary.md, details.json, and Third_party_attr.txt from a single pip-licenses inventory run with a license-overrides.json mechanism for packages lacking usable SPDX metadata.
  • Commits the current generated artifacts and adds .venv-licenses to .gitignore to keep the throwaway venv out of source control.

Important Files Changed

Filename Overview
.licenses/generate_licenses.sh New script that builds a throwaway venv, installs all extras/groups, then runs pip-licenses to produce three inventory artifacts; uses uvx pip-licenses@latest (non-pinned) and has a minor robustness gap in the embedded Python sort.
.licenses/license-overrides.json New file providing manual SPDX overrides for packages with missing/unusable license metadata; entries are well-documented with evidence fields.
.licenses/README.md New documentation file explaining the license inventory process, regeneration steps, and override mechanism; minor heading inconsistency ("## Overrides" describes env-var customisation, not the overrides JSON).
.licenses/version-pins.txt Placeholder file for optional pip constraint pins; currently contains only comments with no active pins.
.gitignore Adds .venv-licenses to the ignore list, correctly preventing the throwaway venv created by the script from being tracked.
.licenses/summary.md Generated human-readable license summary table; one row per package with name, version, license identifier, and URL.
.licenses/Third_party_attr.txt Generated full attribution dump including license text for all inventoried packages.
.licenses/details.json Generated machine-readable inventory with License field and full LicenseText for every package.

Reviews (1): Last reviewed commit: "0.2.0 license update" | Re-trigger Greptile


# pip-licenses runs from an isolated tool env and inspects $PY via --python,
# so pip-licenses' own deps never pollute the inventory.
PL=(uvx pip-licenses@latest --python "$PY")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Using pip-licenses@latest fetches whichever version is current at run time, so two engineers regenerating the inventory on different days can get different field names, column ordering, or flag behaviour. The --python flag (used on this same line) was added in pip-licenses 4.1; if @latest ever resolves to a build that drops or renames it, the script will either error or silently scan the wrong environment. Pin to the lowest version that guarantees --python support to make the script fully reproducible.

Suggested change
PL=(uvx pip-licenses@latest --python "$PY")
PL=(uvx pip-licenses@4.1 --python "$PY")

r["LicenseText"] = o.get("evidence", o["license"]) # paper trail, no file shipped
applied.append(r["Name"])

data.sort(key=lambda r: (r["License"].lower(), r["Name"].lower())) # mirror --order=license

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 If pip-licenses ever returns a record whose License field is None (possible for unusual packages), calling .lower() directly will raise AttributeError and abort the script mid-write, potentially leaving the output files in a partially-overwritten state. The rest of the script already uses the (r["License"] or "UNKNOWN") guard; applying the same pattern to the sort key keeps it consistent.

Suggested change
data.sort(key=lambda r: (r["License"].lower(), r["Name"].lower())) # mirror --order=license
data.sort(key=lambda r: ((r["License"] or "UNKNOWN").lower(), (r["Name"] or "").lower())) # mirror --order=license

Comment thread .licenses/README.md
Comment on lines +75 to +80
## Overrides

```bash
PYTHON=3.12 .licenses/generate_licenses.sh # change interpreter version
REUSE_ENV=1 .licenses/generate_licenses.sh # skip the venv rebuild
```

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 The heading "## Overrides" is ambiguous — the previous section already explains license-overrides.json as the override mechanism. This section is actually about script env-var customisation (PYTHON=, REUSE_ENV=), so a more accurate heading reduces confusion for contributors skimming the file.

Suggested change
## Overrides
```bash
PYTHON=3.12 .licenses/generate_licenses.sh # change interpreter version
REUSE_ENV=1 .licenses/generate_licenses.sh # skip the venv rebuild
```
## Script env-var customisation
```bash
PYTHON=3.12 .licenses/generate_licenses.sh # change interpreter version
REUSE_ENV=1 .licenses/generate_licenses.sh # skip the venv rebuild

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant