project-robius · kevinaboos · Jun 2, 2026 · Jun 2, 2026 · Jun 2, 2026 · Jun 2, 2026
diff --git a/.github/typos.toml b/.github/typos.toml
@@ -0,0 +1,10 @@
+# Skip the auto-generated third-party license artifacts when spell-checking:
+# they contain third-party crate names (e.g. `flate2`, `writeable`) and verbatim
+# upstream license text (e.g. the OpenSSL license's "aheared"/"rouines") that we
+# neither control nor should edit. Hand-written files under licenses/ (e.g.
+# ATTRIBUTIONS.md and the cargo-about config/templates) are still checked.
+[files]
+extend-exclude = [
+    "licenses/THIRD-PARTY-NOTICES.html",
+    "licenses/THIRD-PARTY-LICENSES.md",
+]
diff --git a/.github/workflows/licenses.yml b/.github/workflows/licenses.yml
@@ -0,0 +1,102 @@
+# Third-party license notices
+#
+# Keeps licenses/THIRD-PARTY-NOTICES.html (full license texts) and
+# licenses/THIRD-PARTY-LICENSES.md (summary) in sync with the dependency graph,
+# without burdening contributors and without ever committing to main directly.
+#
+# Runs ONLY on pushes to main (after PRs merge). It regenerates both files with
+# `cargo about` (config + templates in licenses/config/) and, if anything
+# changed, opens or updates a single rolling pull request with the refreshed
+# files for a human to review and merge. It never pushes to main.
+#
+# This is intentionally NOT a check on contributor PRs: deps merge with briefly
+# stale notices, then this workflow refreshes them in a follow-up PR.
+#
+# If a dependency uses a license not accepted in licenses/config/about.toml,
+# `--fail` aborts the run (no PR is opened) — a new license type needs a human
+# to vet it and add it there. You'll see this as a failed run on main.
+
+name: Third-party licenses
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - Cargo.toml
+      - Cargo.lock
+      - licenses/config/about.toml
+      - licenses/config/about.hbs
+      - licenses/config/about.md.hbs
+      - .github/workflows/licenses.yml
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: true
+
+permissions:
+  contents: write        # push the bot's PR branch (never main)
+  pull-requests: write   # open / update the pull request
+
+env:
+  CARGO_TERM_COLOR: always
+  RUST_BACKTRACE: 1
+
+jobs:
+  licenses:
+    name: Refresh third-party notices
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: dtolnay/rust-toolchain@stable
+
+      - uses: Swatinem/rust-cache@v2
+        with:
+          cache-all-crates: "true"
+
+      # cargo-about is pinned to the version that generated the committed files;
+      # a different version can render the output differently. When bumping this
+      # pin, regenerate and commit both files in the same change.
+      - name: Cache cargo-about
+        id: cache-cargo-about
+        uses: actions/cache@v4
+        with:
+          path: ~/.cargo/bin/cargo-about
+          key: cargo-about-0.9.0-${{ runner.os }}
+
+      - name: Install cargo-about
+        if: steps.cache-cargo-about.outputs.cache-hit != 'true'
+        run: cargo install cargo-about --version 0.9.0 --features cli
+
+      - name: Regenerate notices
+        run: |
+          cargo about generate --fail -c licenses/config/about.toml licenses/config/about.hbs    -o licenses/THIRD-PARTY-NOTICES.html
+          cargo about generate --fail -c licenses/config/about.toml licenses/config/about.md.hbs -o licenses/THIRD-PARTY-LICENSES.md
+
+      # Opens a PR only if the files actually changed; otherwise it's a no-op.
+      # Re-runs update the same branch/PR instead of opening new ones.
+      # Requires "Allow GitHub Actions to create and approve pull requests"
+      # (Settings -> Actions -> General). If main's branch protection requires
+      # status checks, swap `token` for a PAT/GitHub App token so the PR's
+      # checks run (GITHUB_TOKEN-created PRs don't trigger other workflows).
+      - name: Open or update license-notices PR
+        uses: peter-evans/create-pull-request@v7
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          base: main
+          branch: chore/update-third-party-licenses
+          add-paths: |
+            licenses/THIRD-PARTY-NOTICES.html
+            licenses/THIRD-PARTY-LICENSES.md
+          commit-message: "chore: update third-party license notices"
+          title: "chore: update third-party license notices"
+          body: |
+            Automated update of the third-party license notices to match the
+            current dependency graph on `main`.
+
+            Generated by `cargo about` (config + templates in
+            `licenses/config/`) via the **Third-party licenses** workflow.
+            Do not edit these files by hand.
+          delete-branch: true
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -67,3 +67,5 @@ jobs:
       - uses: actions/checkout@v4
       - name: Check for typos
         uses: crate-ci/typos@master
+        with:
+          config: .github/typos.toml
diff --git a/License Attributions.md → licenses/ATTRIBUTIONS.md b/License Attributions.md → licenses/ATTRIBUTIONS.md