justinmclean opened a new pull request, #191:
URL: https://github.com/apache/airflow-steward/pull/191
## Problem
The `pr-management-code-review` skill had no check for third-party-licensed
code being added to the project. A PR including a file with a GPL, MIT, or
CDDL header — or a third-party copyright line — passed through review
undetected. Under the ASF `resolved_licenses` policy, Category X and B
licences are forbidden in source form; Category A licences are allowed but
require the project's `LICENSE` file to be updated in the same PR.
A secondary gap: the existing "License headers" category (added previously)
would raise a "missing Apache header" finding against legitimately included
third-party code — the wrong fix for the wrong problem. The routing between
the two categories needed clarifying.
## Changes
**`.claude/skills/pr-management-code-review/criteria.md`**
- Added `Third-party license compliance` to the canonical category list
  (after "Code quality").
- Added a new "Third-party license compliance" section documenting:
  - What signals to detect (non-Apache SPDX identifiers, recognised licence
    blocks, third-party copyright lines).
  - Category X/B → `blocking`; Category A without LICENSE update → `major`;
    Category A with LICENSE update → no finding.
  - Routing note clarifying when to use "License headers" vs this category.
**`.claude/skills/pr-management-code-review/review-flow.md`**
- Step 4 enumeration updated: "Third-party license compliance" added as
  category 4; subsequent categories renumbered 5–10.
**`projects/_template/pr-management-code-review-criteria.md`**
- Two new rows added to the Section anchors table:
  - `Third-party license compliance` →
    `https://www.apache.org/legal/resolved.html`
  - `Applying the Apache licence` →
    `https://www.apache.org/legal/apply-license.html`
- These ship as ready-to-use defaults (global ASF policy, not
  project-specific).
## Testing
**Structural validation**
`tools/skill-validator` run against all SKILL.md files post-change.
Result: 0 violations in pr-management skills.
**Functional dry-run (4 cases)**
1. *Category X file added* — new file with `GNU General Public License v3.0`
   header: classified as Category X (GPL), `blocking` finding raised,
   disposition `REQUEST_CHANGES`. ✓
2. *Category A file added, LICENSE updated* — new MIT-licensed file, `LICENSE`
   also modified in same PR: Category A with attribution present, no finding
   raised. ✓
3. *Category A file added, LICENSE not updated* — same MIT file, `LICENSE`
   not touched: `major` finding raised citing
   `https://www.apache.org/legal/resolved.html`. ✓
4. *Clean PR* — all new files have Apache headers, no third-party copyright
   lines: 0 matches, no finding. ✓
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
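Added example, not code from the airflow-steward skill or this PR: a small Python classifier that applies the routing rules the PR describes (Category X/B → `blocking`, Category A without a `LICENSE` update → `major`, Category A with the update → no finding, no third-party signal → route to the "License headers" category) over constructed file contents mirroring the four dry-run cases. The licence-to-category mapping, the signal regexes, and the `review` severity used for a bare third-party copyright line with no recognised licence are assumptions made for the example.

```python
"""Toy implementation of the third-party licence check described in the PR.
Constructed example; not the airflow-steward skill's own code."""
import re

# Recognised licence signals (SPDX identifier or a phrase from the licence block)
# mapped to an ASF resolved-licences category. Assumed mapping for the example:
# GPL/LGPL/AGPL -> X, CDDL -> B, MIT/BSD -> A.
LICENSE_SIGNALS = [
    (r"GNU (Lesser |Affero )?General Public License|SPDX-License-Identifier:\s*[AL]?GPL", "GPL", "X"),
    (r"COMMON DEVELOPMENT AND DISTRIBUTION LICENSE|SPDX-License-Identifier:\s*CDDL", "CDDL", "B"),
    (r"Permission is hereby granted, free of charge|SPDX-License-Identifier:\s*MIT", "MIT", "A"),
    (r"Redistribution and use in source and binary forms|SPDX-License-Identifier:\s*BSD", "BSD", "A"),
]
APACHE_HEADER = re.compile(r"Licensed to the Apache Software Foundation|SPDX-License-Identifier:\s*Apache-2\.0")
COPYRIGHT_LINE = re.compile(r"Copyright\s*(\(c\)|©)?\s*\d{4}[^\n]*", re.IGNORECASE)


def classify(file_text: str, license_file_modified: bool) -> dict:
    """Review one added file; return its category, finding severity and reason."""
    name = category = None
    for pattern, lic_name, cat in LICENSE_SIGNALS:
        if re.search(pattern, file_text, re.IGNORECASE):
            name, category = lic_name, cat
            break
    # Third-party copyright lines: any copyright line not attributed to the ASF.
    third_party = [m.group(0).strip() for m in COPYRIGHT_LINE.finditer(file_text)
                   if "Apache Software Foundation" not in m.group(0)]
    if category in ("X", "B"):
        return {"category": category, "severity": "blocking",
                "reason": f"{name} code is forbidden in source form"}
    if category == "A" and not license_file_modified:
        return {"category": "A", "severity": "major",
                "reason": f"{name} code added but LICENSE not updated in this PR"}
    if category == "A":
        return {"category": "A", "severity": None, "reason": f"{name} code with LICENSE updated"}
    if third_party:
        # Assumption: the PR gives no severity for a third-party copyright line with no
        # recognised licence, so flag it for manual review instead of the "missing
        # Apache header" fix the License headers category would propose.
        return {"category": "unknown", "severity": "review", "reason": third_party[0]}
    if not APACHE_HEADER.search(file_text):
        return {"category": None, "severity": None,
                "reason": "no third-party signal; route to the License headers category"}
    return {"category": None, "severity": None, "reason": "clean"}


# Constructed sample files mirroring the dry-run cases in the PR.
GPL_FILE = "# This program is free software under the GNU General Public License v3.0\nprint(1)\n"
MIT_FILE = "# Copyright (c) 2019 Example Author\n# Permission is hereby granted, free of charge, ...\n"
APACHE_FILE = "# Licensed to the Apache Software Foundation (ASF) under one\n# or more contributor license agreements.\n"
```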