
pyproject.toml: ship yaml files#2

Merged
jetm merged 1 commit into
jetm:mainfrom
threexc:tgamblin/ship_license_categories
Apr 29, 2026

Conversation

@threexc
Contributor

@threexc threexc commented Apr 27, 2026

shipcheck's wheels are missing the license_categories.yaml file, so as a result users hit errors like the following when running shipcheck check --build-dir .:

|FileNotFoundError: [Errno 2] No such file or directory:
|'/home/tgamblin/.local/share/uv/tools/shipcheck/lib64/python3.14/site-packages/shipcheck/checks/license_categories.yaml'

Modify pyproject.toml with explicit entries for the uv build backend so that it includes .yaml files in the output wheel.

With this change, I can see what I believe to be the expected output for my build environment (which is not set up to build a proper product, for the record):

(venv) tgamblin@megalith ~/workspace/yocto/openembedded-core/build (tgamblin/patchtest)$ shipcheck check --build-dir .

shipcheck v0.0.4 — Embedded Linux Compliance Auditor

Checking ....

  FAIL  CVE Tracking  No CVE scan output found
          [critical] No CVE scan output found in build directory.
          Fix: No CVE scan output found. Add `inherit cve-check` to your image recipe or run sbom-cve-check against your SPDX SBOM.
  WARN  Image Signing  Image signing: checked FIT and verity, score 25/50
          [medium] No dm-verity configuration or hash files found
  WARN  License Audit  39 package(s) in core-image-minimal-qemux86-64.rootfs-20260427171630/license.manifest; permissive: 7; weak-copyleft: 4; strong-copyleft: 19; unknown: 9
          [medium] Unknown licence for package 'busybox': 'GPL-2.0-only & bzip2-1.0.6' not in canonical category map
          Fix: Add the licence ID to `src/shipcheck/checks/license_categories.yaml` under the correct category, or correct the package's LICENSE field.
          [medium] Unknown licence for package 'busybox-hwclock': 'GPL-2.0-only & bzip2-1.0.6' not in canonical category map
          Fix: Add the licence ID to `src/shipcheck/checks/license_categories.yaml` under the correct category, or correct the package's LICENSE field.
          [medium] Unknown licence for package 'busybox-syslog': 'GPL-2.0-only & bzip2-1.0.6' not in canonical category map
          Fix: Add the licence ID to `src/shipcheck/checks/license_categories.yaml` under the correct category, or correct the package's LICENSE field.
          [medium] Unknown licence for package 'busybox-udhcpc': 'GPL-2.0-only & bzip2-1.0.6' not in canonical category map
          Fix: Add the licence ID to `src/shipcheck/checks/license_categories.yaml` under the correct category, or correct the package's LICENSE field.
          [medium] Unknown licence for package 'kernel-base': 'GPL-2.0-with-Linux-syscall-note' not in canonical category map
          Fix: Add the licence ID to `src/shipcheck/checks/license_categories.yaml` under the correct category, or correct the package's LICENSE field.
          [medium] Unknown licence for package 'kernel-image': 'GPL-2.0-with-Linux-syscall-note' not in canonical category map
          Fix: Add the licence ID to `src/shipcheck/checks/license_categories.yaml` under the correct category, or correct the package's LICENSE field.
          [medium] Unknown licence for package 'kernel-image-bzimage': 'GPL-2.0-with-Linux-syscall-note' not in canonical category map
          Fix: Add the licence ID to `src/shipcheck/checks/license_categories.yaml` under the correct category, or correct the package's LICENSE field.
          [medium] Unknown licence for package 'kernel-module-uvesafb-6.18.24-yocto-standard': 'GPL-2.0-with-Linux-syscall-note' not in canonical category map
          Fix: Add the licence ID to `src/shipcheck/checks/license_categories.yaml` under the correct category, or correct the package's LICENSE field.
          [medium] Unknown licence for package 'liblzma': '0BSD' not in canonical category map
          Fix: Add the licence ID to `src/shipcheck/checks/license_categories.yaml` under the correct category, or correct the package's LICENSE field.
  PASS  SBOM Generation  SPDX 3.0 detected — format detected but not fully validated in v0.1
  WARN  Secure Boot  No Secure Boot configuration detected
          [medium] No Secure Boot signing class found in IMAGE_CLASSES
          Fix: Add a signing class to IMAGE_CLASSES in conf/local.conf. For UEFI Secure Boot, use 'image-uefi-sign' or 'sbsign' from meta-arm/meta-secure-core.
  ????  Vulnerability Reporting  product.yaml not found: product.yaml
  SKIP  Yocto CVE Check  No cve-check summary at tmp/log/cve/cve-summary.json. Add `INHERIT += "cve-check"` to local.conf or configure `yocto_cve.summary_path` in .shipcheck.yaml.

Readiness score: 45/350

Full report saved to: shipcheck-report.md

Fixes: jetm#1

shipcheck's wheels are missing the license_categories.yaml file, so as a
result users hit errors like the following when running `shipcheck check
--build-dir .`:

|FileNotFoundError: [Errno 2] No such file or directory:
|'/home/tgamblin/.local/share/uv/tools/shipcheck/lib64/python3.14/site-packages/shipcheck/checks/license_categories.yaml'

Modify pyproject.toml with explicit entries for the uv build backend so
that it includes .yaml files in the output wheel.

Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
@threexc threexc force-pushed the tgamblin/ship_license_categories branch from 5efb0aa to 2def878 on April 27, 2026 18:29
@threexc
Contributor Author

threexc commented Apr 27, 2026

This should also catch the cra/requirements.yaml file, which seems to be missing in my normal tool install as well:

tgamblin@megalith ~/workspace/yocto/openembedded-core/build (tgamblin/patchtest)$ ls ~/.local/share/uv/tools/shipcheck/lib64/python3.14/site-packages/shipcheck/cra/
__init__.py  loader.py

Compare with a temporary venv I created:

(venv) tgamblin@megalith ~/workspace/git/shipcheck (tgamblin/ship_license_categories)$ ls ~/workspace/git/shipcheck/venv/lib64/python3.14/site-packages/shipcheck/cra/
__init__.py  loader.py  __pycache__  requirements.yaml

@threexc
Contributor Author

threexc commented Apr 29, 2026

@jetm thoughts?

@jetm
Owner

jetm commented Apr 29, 2026

@threexc Thank you for the PR. I have added it to my queue to address while preparing the v0.0.5 release.

@jetm
Owner

jetm commented Apr 29, 2026

Thanks @threexc — confirmed the fix locally. The missing source-include glob explains why both license_categories.yaml and cra/requirements.yaml were absent from the v0.0.4 wheel; the new code-integrity work I'm landing also adds another YAML asset, so this glob covers all current and future .yaml resources in src/shipcheck/.

Merging and shipping as v0.0.5 alongside a check-set merge that retires the secure-boot and image-signing checks you're seeing in your terminal output — they're now consolidated into a single code-integrity check covering UEFI Secure Boot, signed FIT, dm-verity, and IMA/EVM.

@jetm jetm merged commit da9d21a into jetm:main Apr 29, 2026
jetm pushed a commit that referenced this pull request Apr 29, 2026