From cd210da167e3ff1274f2379ce013ae2533936765 Mon Sep 17 00:00:00 2001
From: GeWuYou <95328647+GeWuYou@users.noreply.github.com>
Date: Sun, 5 Apr 2026 20:42:00 +0800
Subject: [PATCH] =?UTF-8?q?feat(workflow):=20=E6=B7=BB=E5=8A=A0=E8=AE=B8?=
 =?UTF-8?q?=E5=8F=AF=E8=AF=81=E5=90=88=E8=A7=84=E6=A3=80=E6=9F=A5=E5=B7=A5?=
 =?UTF-8?q?=E4=BD=9C=E6=B5=81=E5=B9=B6=E4=BC=98=E5=8C=96=E5=8F=91=E5=B8=83?=
 =?UTF-8?q?=E6=B5=81=E7=A8=8B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- 新增 license-compliance.yml 工作流,集成 Feluda 许可证扫描器
- 实现许可证合规性检查、SBOM 生成和验证功能
- 移除 publish.yml 中的许可证合规相关步骤
- 更新发布流程以分离许可证合规和包发布职责
- 添加并发控制配置避免重复执行
- 简化 GitHub Release 创建流程,移除合规文件附件逻辑
---
 .github/workflows/license-compliance.yml | 6 +++-
 .github/workflows/publish.yml | 37 ++++--------------------
 2 files changed, 11 insertions(+), 32 deletions(-)

diff --git a/.github/workflows/license-compliance.yml b/.github/workflows/license-compliance.yml
index 13494b7d..18fb5ee4 100644
--- a/.github/workflows/license-compliance.yml
+++ b/.github/workflows/license-compliance.yml
@@ -5,6 +5,10 @@ on:
     tags:
       - '*'
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
 permissions:
   contents: write
 
@@ -114,4 +118,4 @@ jobs:
             sbom-cyclonedx-validation.txt
             license-compliance.zip
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index a92a62c1..883aa3b4 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -11,6 +11,10 @@ on:
     tags:
       - '*'
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
 permissions:
   contents: write
   packages: write
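Review bot: The concurrency group `${{ github.workflow }}-${{ github.ref }}` only serializes runs of this one workflow, so a single tag push still starts this workflow and publish.yml (which receives the identical stanza in its `@@ -11,6 +11,10 @@` hunk) side by side, and both hold `contents: write` for the same tag — the last hunk of this file uploads `license-compliance.zip` and the SBOM files while publish.yml creates the GitHub Release. Whether both uploads land on the same release object and how a simultaneous create/update is resolved is not visible here and depends on the release action in use; if the two workflows are meant to be serialized per tag, a group that omits the workflow name would do it, e.g. `group: release-${{ github.ref }}` (constructed example). `cancel-in-progress: false` is the right setting for a release-style job, but the reason belongs in the file: `# Queue rather than cancel: an interrupted run could leave partial release assets behind.`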
@@ -79,19 +83,6 @@ jobs:
           name: packages
           path: ./packages/*.nupkg
 
-      # 上传许可证合规相关的工件文件,包括通知文件、第三方许可证、SBOM 文件及验证结果。
-      - name: Upload compliance artifacts
-        uses: actions/upload-artifact@v7
-        with:
-          name: license-compliance
-          path: |
-            NOTICE
-            THIRD_PARTY_LICENSES.md
-            sbom.spdx.json
-            sbom.cyclonedx.json
-            sbom-spdx-validation.txt
-            sbom-cyclonedx-validation.txt
-
   publish-nuget:
     name: Publish To NuGet.org
     runs-on: ubuntu-latest
@@ -215,13 +206,8 @@ jobs:
           name: packages
           path: ./packages
 
-      - name: Download compliance artifacts
-        uses: actions/download-artifact@v5
-        with:
-          name: license-compliance
-          path: .
-
-      # 无论某一侧包源发布是否失败,都继续创建 Release,并在正文中标注结果。
+      # 无论某一侧包源发布是否失败,都继续创建 Release。
+      # 合规工件由独立 workflow 生成,当前发布流不再假设这些文件在同一次运行中可用。
       - name: Create GitHub Release and Upload Assets
         uses: softprops/action-gh-release@v2
         with:
@@ -230,20 +216,9 @@ jobs:
           body: |
             Release created by CI for tag ${{ github.ref_name }}
             Package version: ${{ needs.build-pack.outputs.package_version }}
-
-            ## Compliance
-            - NOTICE
-            - THIRD_PARTY_LICENSES
-            - SPDX & CycloneDX SBOM
           draft: false
           prerelease: false
           files: |
             ./packages/*.nupkg
-            NOTICE
-            THIRD_PARTY_LICENSES.md
-            sbom.spdx.json
-            sbom.cyclonedx.json
-            sbom-spdx-validation.txt
-            sbom-cyclonedx-validation.txt
         env:
           GITHUB_TOKEN: ${{ github.token }}
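Review bot: In the `@@ -215,13 +206,8 @@` hunk the rewritten comment promises that the Release is created even when one package-source publish failed, but the condition that would make that true (an `if:` on the `Create GitHub Release and Upload Assets` step) lies outside the hunk, so the claim cannot be checked here and should be verified against that step's `if:` line. The second new comment line should name the producer so a maintainer can find it: `# Compliance artifacts are produced by the separate license-compliance.yml workflow; this job no longer assumes they exist in the same run.` That other workflow fires on the same tag trigger with `contents: write`, so a reader of this step should also be told that it may be updating a release the other workflow is attaching assets to at the same moment, which the comment currently leaves implicit.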