feat(workflow): 添加许可证合规检查工作流并优化发布流程

- 新增 license-compliance.yml 工作流，集成 Feluda 许可证扫描器 - 实现许可证合规性检查、SBOM 生成和验证功能 - 移除 publish.yml 中的许可证合规相关步骤 - 更新发布流程以分离许可证合规和包发布职责 - 添加并发控制配置避免重复执行 - 简化 GitHub Release 创建流程，移除合规文件附件逻辑
2026-05-08 09:34:30 +08:00 · 2026-04-05 20:42:00 +08:00 · 2026-04-05 20:42:00 +08:00 · cd210da167
commit cd210da167
parent 1e092c07d3
2 changed files with 11 additions and 32 deletions
--- a/.github/workflows/license-compliance.yml
+++ b/.github/workflows/license-compliance.yml
@ -5,6 +5,10 @@ on:
    tags:
      - '*'

+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
 permissions:
  contents: write

@ -114,4 +118,4 @@ jobs:
            sbom-cyclonedx-validation.txt
            license-compliance.zip
        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@ -11,6 +11,10 @@ on:
    tags:
      - '*'

+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
 permissions:
  contents: write
  packages: write
@ -79,19 +83,6 @@ jobs:
          name: packages
          path: ./packages/*.nupkg

-      # 上传许可证合规相关的工件文件，包括通知文件、第三方许可证、SBOM 文件及验证结果。
-      - name: Upload compliance artifacts
-        uses: actions/upload-artifact@v7
-        with:
-          name: license-compliance
-          path: |
-            NOTICE
-            THIRD_PARTY_LICENSES.md
-            sbom.spdx.json
-            sbom.cyclonedx.json
-            sbom-spdx-validation.txt
-            sbom-cyclonedx-validation.txt
-
  publish-nuget:
    name: Publish To NuGet.org
    runs-on: ubuntu-latest
@ -215,13 +206,8 @@ jobs:
          name: packages
          path: ./packages

-      - name: Download compliance artifacts
-        uses: actions/download-artifact@v5
-        with:
-          name: license-compliance
-          path: .
-
-      # 无论某一侧包源发布是否失败，都继续创建 Release，并在正文中标注结果。
+      # 无论某一侧包源发布是否失败，都继续创建 Release。
+      # 合规工件由独立 workflow 生成，当前发布流不再假设这些文件在同一次运行中可用。
      - name: Create GitHub Release and Upload Assets
        uses: softprops/action-gh-release@v2
        with:
@ -230,20 +216,9 @@ jobs:
          body: |
            Release created by CI for tag ${{ github.ref_name }}
            Package version: ${{ needs.build-pack.outputs.package_version }}
-
-            ## Compliance
-            - NOTICE
-            - THIRD_PARTY_LICENSES
-            - SPDX & CycloneDX SBOM
          draft: false
          prerelease: false
          files: |
            ./packages/*.nupkg
-            NOTICE
-            THIRD_PARTY_LICENSES.md
-            sbom.spdx.json
-            sbom.cyclonedx.json
-            sbom-spdx-validation.txt
-            sbom-cyclonedx-validation.txt
        env:
          GITHUB_TOKEN: ${{ github.token }}