Include LICENSES via license-files and read from dist-info #182

Closed

bjk7119 wants to merge 2 commits into main from temp

@bjk7119 bjk7119 commented Apr 3, 2026

Description

  • fix(build): declare license files via PEP 639 license-files field
  • fix(notice): support license file discovery via importlib.metadata for non-bundled env

Summary by CodeRabbit

  • Bug Fixes

    • Improved robustness of license file discovery for the --notice option, including bundled-app fallback.
    • Enhanced handling of Unicode in license output to avoid encoding failures.
  • New Features

    • Added an alternate CLI name so the same command is accessible via both fosslight_prechecker and fosslight_reuse.
  • Chores

    • Updated project packaging and metadata (pyproject, license file declarations).

@bjk7119 bjk7119 requested a review from dd-jy April 3, 2026 06:22
@bjk7119 bjk7119 self-assigned this Apr 3, 2026
@bjk7119 bjk7119 added the chore [PR/Issue] Refactoring, maintenance the code label Apr 3, 2026
coderabbitai Bot commented Apr 3, 2026

Walkthrough

Replace setuptools/setup.py packaging with a PEP 517 pyproject.toml, remove legacy packaging files, adjust CI and packaging-related configs, and make CLI --notice license discovery/output more robust with better error handling.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Packaging metadata: pyproject.toml | Add PEP 517/PEP 621 metadata, runtime and optional dev deps, license-files, project URLs, and two console entry points mapping to fosslight_prechecker.cli:main. |
| Removed legacy packaging files: setup.py, .bumpversion.cfg, requirements.txt, requirements-dev.txt | Delete old setup script and deprecated/versioning and requirements files; packaging/install deps moved into pyproject.toml. |
| CLI — license notice: src/fosslight_prechecker/cli.py | When --notice is used, build license_files list from bundled LICENSES under sys._MEIPASS or from importlib.metadata.files(); skip non-files; catch OSError/UnicodeError and emit safe UTF-8 output via sys.stdout.buffer on encode failures. |
| CI / Release workflow: .github/workflows/publish-release.yml | Remove bumpversion install/usage; sed-update pyproject.toml version; switch build/upload steps to python -m build and twine (install build instead of setuptools/wheel). |
| Packaging manifest / reuse metadata / tox: MANIFEST.in, .reuse/dep5, tox.ini | Stop including requirements.txt in sdist; map pyproject.toml in reuse dep5 and remove .bumpversion entry; tox envs install .[dev] and skipdist removed. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • dd-jy
🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main changes: migration from setup.py to pyproject.toml with PEP 639 license-files support and importlib.metadata integration for license discovery. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/fosslight_prechecker/cli.py`:
- Around line 76-80: Wrap the call to importlib.metadata.files
(pkg_files(PKG_NAME)) in a try-except that catches
importlib.metadata.PackageNotFoundError so the code falls back to an empty
iterable instead of raising; update the block that builds license_files (the
list comprehension using pkg_files and PKG_NAME) to handle the exception and set
license_files = [] when the distribution is not found, ensuring downstream logic
that reads license_files still works.
- Around line 89-90: The blind "except Exception:" in the license output block
should be replaced with targeted exception handling: catch expected errors such
as FileNotFoundError, OSError, and UnicodeDecodeError around the file
reading/printing operation (the block currently guarded by "except Exception:"
in the license notice printing code) and write a concise warning including the
exception message to stderr (or use the existing logger) so users know the
notice couldn't be printed; let any other unexpected exceptions propagate rather
than silently swallowing them.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3b5104a3-0218-49a5-b6af-9b8d6f337d17

📥 Commits

Reviewing files that changed from the base of the PR and between fba61a9 and f15454c.

📒 Files selected for processing (2)
  • pyproject.toml
  • src/fosslight_prechecker/cli.py

Comment thread src/fosslight_prechecker/cli.py Outdated
Comment on lines +76 to +80
from importlib.metadata import files as pkg_files
license_files = [
str(f.locate()) for f in (pkg_files(PKG_NAME) or [])
if 'licenses' in str(f).lower() and f.locate().is_file()
]
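Review bot: the filter `'licenses' in str(f).lower()` is a substring test over the whole recorded path, so any installed file whose path merely contains "licenses" (a module named licenses.py, for example) lands in license_files. Compare path components instead, requiring the entry to sit under the distribution's `.dist-info/licenses/` directory, and call `f.locate()` once per entry rather than twice.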

@coderabbitai coderabbitai Bot Apr 3, 2026

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

In Python importlib.metadata, what does files('<missing-distribution>') do? Does it raise PackageNotFoundError?

💡 Result:

In Python's importlib.metadata, calling files('<missing-distribution>') raises PackageNotFoundError because the distribution name '<missing-distribution>' does not correspond to an installed package. The files function first attempts to locate the named distribution, and if not found, it raises PackageNotFoundError before accessing any file metadata. The official documentation confirms: importlib.metadata.files(distribution_name) "Raises PackageNotFoundError if the named distribution package is not installed in the current Python environment." It returns None only if the distribution is found but the file listing metadata (RECORD or SOURCES.txt) is missing.

Handle missing distribution metadata explicitly.

The importlib.metadata.files() function raises PackageNotFoundError when the named distribution is not installed. The current code at lines 76–80 does not explicitly catch this exception, which could cause --notice to fail instead of degrading gracefully. Wrap the call to pkg_files(PKG_NAME) in a try-except block to catch PackageNotFoundError and fall back to an empty list.

🔧 Proposed fix
         except AttributeError:
             from importlib.metadata import files as pkg_files, PackageNotFoundError
-            license_files = [
-                str(f.locate()) for f in (pkg_files(PKG_NAME) or [])
+            try:
+                dist_files = pkg_files(PKG_NAME) or []
+            except PackageNotFoundError:
+                dist_files = []
+            license_files = [
+                str(f.locate()) for f in dist_files
                 if 'licenses' in str(f).lower() and f.locate().is_file()
             ]
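Review bot: in the new `except PackageNotFoundError:` branch the fallback `dist_files = []` is silent, so a caller cannot tell "distribution not installed" from "installed but ships no license files"; write a short warning to stderr in that branch. The `PackageNotFoundError` import also sits inside the `except AttributeError:` handler; moving it to module level keeps the handler body limited to the fallback logic.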
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
from importlib.metadata import files as pkg_files
license_files = [
str(f.locate()) for f in (pkg_files(PKG_NAME) or [])
if 'licenses' in str(f).lower() and f.locate().is_file()
]
except AttributeError:
from importlib.metadata import files as pkg_files, PackageNotFoundError
try:
dist_files = pkg_files(PKG_NAME) or []
except PackageNotFoundError:
dist_files = []
license_files = [
str(f.locate()) for f in dist_files
if 'licenses' in str(f).lower() and f.locate().is_file()
]
Contributor Author

minor issue.
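
The fallback discussed in this thread, written out as an added example (not code from the pull request or the project): `find_license_files` handles all three outcomes of `importlib.metadata.files()` and matches the PEP 639 `.dist-info/licenses/` directory by path component, and `read_notice` catches only the expected read errors. The function names, `make_demo_dist` and the `demo_notice_pkg` distribution are assumptions constructed for the demonstration.

```python
import sys
from importlib.metadata import PackageNotFoundError, files
from pathlib import Path


def find_license_files(dist_name):
    """Paths under <dist>.dist-info/licenses/; [] if not installed or no RECORD."""
    try:
        entries = files(dist_name) or []  # None: installed, but no file listing
    except PackageNotFoundError:          # distribution is not installed
        return []
    found = []
    for entry in entries:
        parts = [p.lower() for p in entry.parts]
        # Match the PEP 639 directory exactly, not any path containing "licenses".
        if len(parts) >= 3 and parts[0].endswith(".dist-info") and parts[1] == "licenses":
            path = entry.locate()
            if path.is_file():
                found.append(str(path))
    return sorted(found)


def read_notice(paths):
    """Concatenate license texts; warn on expected I/O and decoding errors only."""
    chunks = []
    for p in paths:
        try:
            chunks.append(Path(p).read_text(encoding="utf-8"))
        except (OSError, UnicodeError) as exc:
            print(f"warning: cannot read {p}: {exc}", file=sys.stderr)
    return "\n".join(chunks)


def make_demo_dist(root, name="demo_notice_pkg", with_record=True):
    """Constructed sample: a minimal installed distribution under root."""
    info = Path(root) / f"{name}-1.0.dist-info"
    lic = info / "licenses" / "LICENSES" / "Apache-2.0.txt"
    lic.parent.mkdir(parents=True)
    lic.write_text("Apache License 2.0 \u00a9 (constructed)\n", encoding="utf-8")
    # Decoy: its path contains "licenses" but it is not a license file.
    (Path(root) / "licenses_helper.py").write_text("", encoding="utf-8")
    (info / "METADATA").write_text(
        f"Metadata-Version: 2.1\nName: {name}\nVersion: 1.0\n", encoding="utf-8")
    if with_record:
        rows = [f"{info.name}/licenses/LICENSES/Apache-2.0.txt,,",
                "licenses_helper.py,,", f"{info.name}/METADATA,,"]
        (info / "RECORD").write_text("\n".join(rows) + "\n", encoding="utf-8")
    return name
```

The decoy `licenses_helper.py` entry would pass a substring filter on the recorded path but is rejected by the component check.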

Comment thread src/fosslight_prechecker/cli.py Outdated

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
.github/workflows/publish-release.yml (1)

108-114: Pin build and twine versions, and use python -m for consistency.

Line 108 installs floating versions (pip install build twine), which can break releases when upstream changes. Pin these tools explicitly and use python -m pip install for consistency. Additionally, line 115 uses direct twine upload instead of python -m twine upload, which should be aligned with the python -m build pattern.

Suggested workflow diff
-        pip install build twine
+        python -m pip install "build==1.4.2" "twine==6.2.0"
...
-        twine upload dist/*
+        python -m twine upload dist/*
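Review bot: the `+` install line pins only `build==1.4.2` and `twine==6.2.0`; their own dependencies still resolve to whatever is current when the release job runs, so the floating-version problem is only partly closed. Install from a requirements or constraints file that pins the full set, ideally with hashes via `python -m pip install --require-hashes -r <file>`, and confirm both pinned versions exist on the index before merging.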
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/publish-release.yml around lines 108 - 114, Update the
"Build and publish" step to pin the versions of build and twine and to invoke
pip and twine via python -m for consistency: replace the pip install command in
the "Build and publish" job so it uses "python -m pip install
build==<PIN_VERSION> twine==<PIN_VERSION>" (choose concrete versions), keep
TWINE_USERNAME/TWINE_PASSWORD env, run "python -m build" (already used) and
change the upload invocation to "python -m twine upload ..." so all tooling is
executed via python -m and uses pinned versions; locate these changes in the
"Build and publish" job block in the workflow.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 75de6d35-0310-4df1-836e-331e6617a5ed

📥 Commits

Reviewing files that changed from the base of the PR and between f15454c and 66b1bf0.

📒 Files selected for processing (10)
  • .bumpversion.cfg
  • .github/workflows/publish-release.yml
  • .reuse/dep5
  • MANIFEST.in
  • pyproject.toml
  • requirements-dev.txt
  • requirements.txt
  • setup.py
  • src/fosslight_prechecker/cli.py
  • tox.ini
💤 Files with no reviewable changes (5)
  • MANIFEST.in
  • .bumpversion.cfg
  • requirements-dev.txt
  • requirements.txt
  • setup.py
✅ Files skipped from review due to trivial changes (1)
  • .reuse/dep5
🚧 Files skipped from review as they are similar to previous changes (2)
  • src/fosslight_prechecker/cli.py
  • pyproject.toml

@bjk7119 bjk7119 closed this Apr 3, 2026
@bjk7119 bjk7119 deleted the temp branch April 27, 2026 05:48