chore: OSS audit fixes — restore full LICENSE, add NOTICE, prune upstream-specific config#5

Merged: mayankpande88 merged 1 commit into main from chore/oss-audit-fixes on May 18, 2026

Conversation

@mayankpande88 (Contributor)

Summary

Addresses the OSS-readiness audit findings flagged after the initial cleanup.

Must-fix

  • LICENSE was truncated to 12 lines (ended mid-sentence at "permissions and") — pre-existing upstream defect, but publishing under Apache 2.0 requires the full license body. Restored the Imhotep copyright header plus verbatim Apache 2.0 text.
  • Added NOTICE attributing upstream (Imhotep Software LLC / derailed/popeye) and the Nudgebee fork.

Should-fix

  • Repointed three derailed/popeye image references in README (run examples and the CronJob snippet) at ghcr.io/nudgebee/popeye. Removed the dead Travis-CI badge and the Docker Hub badge (we publish to GHCR, not Docker Hub). Remaining badges relabeled as upstream-project badges. Dropped the Gitpod button (pointed at upstream).
  • Deleted .goreleaser.yml — fork only ships a container image and the config still baked derailed/popeye into ldflags.
  • Deleted .github/FUNDING.yml — pointed sponsors at the upstream author.
  • Deleted .github/ISSUE_TEMPLATE/* — upstream's templates; routed users in a way that contradicts CONTRIBUTING.md.
  • Added a fork security contact line to README's Contact section so people know where fork-specific issues go.

Nice-to-have

  • Dockerfile base bumped alpine:3.19 → alpine:3.21 for current security patches.
  • .gitignore — added .DS_Store.

Test plan

  • Confirm Tests workflow runs and passes on this branch
  • Visual review of LICENSE and NOTICE
  • Spot-check that the relabeled badges still render
  • Merge, then tag the next release and watch release.yml push to GHCR successfully

…c config, repoint README

LICENSE was truncated to 12 lines (ends mid-sentence at "permissions and").
Pre-existing upstream defect inherited via fork; publishing under Apache 2.0
requires the full license text. Now contains the existing Imhotep copyright
header plus the verbatim Apache 2.0 license body. Adding a NOTICE file to
attribute upstream alongside the fork, per Apache 2.0 convention.

Stale image references in README contradicted the fork notice — three
`derailed/popeye` invocations (run/save examples and the CronJob snippet)
now point at `ghcr.io/nudgebee/popeye`. Dead Travis-CI badge and the
Docker Hub badge (we publish to GHCR, not Docker Hub) removed; remaining
badges relabeled as upstream-project badges so the link targets aren't
misleading. Gitpod button removed (pointed at upstream). Contact section
now distinguishes upstream questions from fork-specific issues and links
SECURITY.md.

`.goreleaser.yml` deleted — fork only ships a container image, there is
no goreleaser workflow, and the config still baked `derailed/popeye`
into ldflags.

`.github/FUNDING.yml` deleted — pointed sponsors at the upstream author,
not appropriate for the fork.

`.github/ISSUE_TEMPLATE/{bug_report,feature_request}.md` deleted — they
were upstream's generic templates and routed users in a way that
contradicts CONTRIBUTING.md ("file popeye bugs/features upstream; only
fork-specific issues here"). Removing them gives the GitHub default
blank issue page; we can re-add a fork-scoped template later if needed.

Dockerfile base bumped alpine:3.19 → alpine:3.21 for current security
patches. Statically linked binary, no runtime impact.

.gitignore: add .DS_Store so macOS metadata doesn't get staged.

@gemini-code-assist (Bot) left a comment

Code Review

This pull request transitions the repository into a Nudgebee-maintained fork by removing upstream-specific configuration files, updating the Dockerfile to Alpine 3.21, and revising documentation to reflect the new image registry and contact details. Feedback was provided regarding a discrepancy between the README's CronJob example and the actual manifest files, with a suggestion to include the ":latest" tag for consistency.

@mayankpande88 mayankpande88 merged commit 4785f59 into main May 18, 2026
1 check passed