refactor(workflow): 重构许可证合规检查流程

- 将许可证扫描逻辑提取到独立的 license-compliance.yml 工作流文件
- 在 auto-tag 工作流中添加 license-compliance 作业依赖
- 移除 ci.yml 中的 Feluda 许可证扫描相关步骤
- 移除 publish.yml 中的 Feluda 设置和 SBOM 生成步骤
- 更新工件上传配置以包含 SBOM 验证文件
- 添加工作流输出标记用于许可证合规检查触发

.github/workflows/auto-tag.yml

@@ -20,7 +20,8 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
-
+    outputs:
+      tagged: ${{ steps.create_tag.outcome == 'success' }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v6
@@ -29,7 +30,6 @@ jobs:
           persist-credentials: false
 
       - name: Get next version
-        if: steps.check_skip.outputs.skip_tag == 'false'
         id: version
         run: |
           LATEST_TAG=$(git tag --list "v*" --sort=-v:refname | head -n 1)
@@ -40,7 +40,6 @@ jobs:
           echo "new_tag=v$MAJOR.$MINOR.$PATCH" >> $GITHUB_OUTPUT
 
       - name: Create tag
-        if: steps.check_skip.outputs.skip_tag == 'false'
         env:
           PAT: ${{ secrets.PAT_TOKEN }}
           TAG: ${{ steps.version.outputs.new_tag }}
@@ -55,4 +54,10 @@ jobs:
           fi
 
           git tag -a "$TAG" -m "Auto tag $TAG"
-          git push "https://x-access-token:${PAT}@github.com/${{ github.repository }}.git" "$TAG"
+          git push "https://x-access-token:${PAT}@github.com/${{ github.repository }}.git" "$TAG"
+  license-compliance:
+    needs: auto-tag
+    if: needs.auto-tag.outputs.tagged == 'true'
+    uses: ./.github/workflows/license-compliance.yml
+    permissions:
+      contents: read

.github/workflows/ci.yml

@@ -79,25 +79,7 @@ jobs:
       # 恢复.NET本地工具
       - name: Restore .NET tools
         run: dotnet tool restore
-
-      # 使用Feluda许可证扫描器检查项目依赖的许可证合规性
-      # 配置参数：
-      # - project-license: 设置项目许可证为Apache-2.0
-      # - fail-on-restrictive: 发现限制性许可证时失败
-      # - fail-on-incompatible: 发现不兼容许可证时失败  
-      # - update-badge: 自动更新许可证徽章
-      - name: Feluda License Scanner
-        uses: anistark/feluda@v1.11.1
-        with:
-          project-license: 'Apache-2.0'
-          fail-on-restrictive: false
-          fail-on-incompatible: false
-          verbose: true
-          update-badge: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && contains(github.event.head_commit.message, '[release ci]') }}
-      - name: Feluda License Scanner Incompatible Licenses
-        run: |
-          feluda --incompatible
-
+        
       # 构建项目，使用Release配置且跳过恢复步骤
       - name: Build
         run: dotnet build -c Release --no-restore

.github/workflows/license-compliance.yml

@@ -0,0 +1,69 @@
+name: License Compliance (Feluda)
+
+on:
+  workflow_call:
+    inputs:
+      upload-artifacts:
+        required: false
+        type: boolean
+        default: true
+
+permissions:
+  contents: read
+
+jobs:
+  compliance:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # 使用Feluda许可证扫描器检查项目依赖的许可证合规性
+      # 配置参数：
+      # - project-license: 设置项目许可证为Apache-2.0
+      # - fail-on-restrictive: 发现限制性许可证时失败
+      # - fail-on-incompatible: 发现不兼容许可证时失败  
+      # - update-badge: 自动更新许可证徽章
+      - name: Feluda License Scanner
+        uses: anistark/feluda@v1.11.1
+        with:
+          project-license: 'Apache-2.0'
+          fail-on-restrictive: false
+          fail-on-incompatible: false
+          update-badge: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+      - name: Feluda License Scanner Incompatible Licenses
+        run: |
+          feluda --incompatible
+
+      # 生成合规性文件（NOTICE / THIRD_PARTY_LICENSES）
+      - name: Generate compliance files
+        run: |
+          echo "1" | feluda generate
+          echo "2" | feluda generate
+
+      # 生成 SBOM（SPDX + CycloneDX）
+      - name: Generate SBOM
+        run: |
+          feluda sbom spdx --output sbom.spdx.json
+          feluda sbom cyclonedx --output sbom.cyclonedx.json
+
+      # 校验 SBOM
+      - name: Validate SBOM files
+        run: |
+          feluda sbom validate sbom.spdx.json --output sbom-spdx-validation.txt
+          feluda sbom validate sbom.cyclonedx.json --output sbom-cyclonedx-validation.txt
+
+      # 上传合规产物
+      - name: Upload compliance artifacts
+        if: inputs.upload-artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: license-compliance
+          path: |
+            NOTICE
+            THIRD_PARTY_LICENSES.md
+            sbom.spdx.json
+            sbom.cyclonedx.json
+            sbom-spdx-validation.txt
+            sbom-cyclonedx-validation.txt

.github/workflows/publish.yml

@@ -67,26 +67,6 @@ jobs:
           set -e
           echo "Packing with version=${{ steps.tag_version.outputs.version }}"
           dotnet pack -c Release -o ./packages -p:PackageVersion=${{ steps.tag_version.outputs.version }} -p:IncludeSymbols=false
-      - name: Setup Feluda
-        uses: anistark/feluda@v1.11.1
-      # 生成合规性文件，执行两次feluda generate命令
-      - name: Generate compliance files
-        run: |
-          echo "1" | feluda generate
-          echo "2" | feluda generate
-
-      # 生成软件物料清单(SBOM)文件，输出SPDX和CycloneDX两种格式
-      - name: Generate SBOM
-        run: |
-          feluda sbom spdx --output sbom.spdx.json
-          feluda sbom cyclonedx --output sbom.cyclonedx.json
-
-      # 验证生成的SBOM文件的有效性，并输出验证结果到文本文件
-      - name: Validate SBOM files
-        run: |
-          feluda sbom validate sbom.spdx.json --output sbom-spdx-validation.txt
-          feluda sbom validate sbom.cyclonedx.json --output sbom-cyclonedx-validation.txt
-
       # 上传许可证合规相关的工件文件，包括通知文件、第三方许可证、SBOM文件及验证结果
       - name: Upload compliance artifacts
         uses: actions/upload-artifact@v4
@@ -181,5 +161,7 @@ jobs:
             THIRD_PARTY_LICENSES.md
             sbom.spdx.json
             sbom.cyclonedx.json
+            sbom-spdx-validation.txt
+            sbom-cyclonedx-validation.txt
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}