git-pkgs
diff --git a/‎.github/workflows/update-licenses.yml‎
Lines changed: 85 additions & 0 deletions b/‎.github/workflows/update-licenses.yml‎
Lines changed: 85 additions & 0 deletions
diff --git a/‎LICENSE‎
Lines changed: 21 additions & 0 deletions b/‎LICENSE‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 179 additions & 0 deletions b/‎README.md‎
Lines changed: 179 additions & 0 deletions
@@ -0,0 +1,85 @@
+name: Update License Database
+
+on:
+  schedule:
+    # Run weekly on Monday at 00:00 UTC
+    - cron: '0 0 * * 1'
+  workflow_dispatch: # Allow manual trigger
+
+jobs:
+  update:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.22'
+
+      - name: Download latest license database
+        run: |
+          curl -sL https://scancode-licensedb.aboutcode.org/index.json -o licenses.json.full
+
+          # Check if file is valid JSON
+          if ! jq empty licenses.json.full 2>/dev/null; then
+            echo "Downloaded file is not valid JSON"
+            exit 1
+          fi
+
+          # Check if file has reasonable content
+          count=$(jq length licenses.json.full)
+          if [ "$count" -lt 2500 ]; then
+            echo "Downloaded file has fewer licenses than expected: $count"
+            exit 1
+          fi
+
+          echo "Downloaded $count licenses"
+
+          # Filter to OSS licenses and only needed fields
+          jq '[.[] | select(.category == "Permissive" or .category == "Copyleft" or .category == "Copyleft Limited" or .category == "Public Domain" or .category == "Free Restricted" or .category == "Source-available") | {license_key, category, spdx_license_key, other_spdx_license_keys, is_exception, is_deprecated}]' licenses.json.full > licenses.json.new
+          rm licenses.json.full
+
+          filtered_count=$(jq length licenses.json.new)
+          echo "Filtered to $filtered_count OSS licenses"
+
+      - name: Check for changes
+        id: diff
+        run: |
+          if diff -q licenses.json licenses.json.new > /dev/null 2>&1; then
+            echo "changed=false" >> $GITHUB_OUTPUT
+          else
+            echo "changed=true" >> $GITHUB_OUTPUT
+            mv licenses.json.new licenses.json
+
+            # Count changes
+            old_count=$(git show HEAD:licenses.json | jq length)
+            new_count=$(jq length licenses.json)
+            echo "License count: $old_count -> $new_count"
+          fi
+
+      - name: Run tests
+        if: steps.diff.outputs.changed == 'true'
+        run: go test ./...
+
+      - name: Create Pull Request
+        if: steps.diff.outputs.changed == 'true'
+        uses: peter-evans/create-pull-request@v6
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: "Update scancode license database"
+          title: "Update scancode license database"
+          body: |
+            Automated update of the scancode-licensedb license database.
+
+            Source: https://scancode-licensedb.aboutcode.org/
+
+            This PR was created automatically by the weekly update workflow.
+          branch: update-license-db
+          delete-branch: true
+          labels: dependencies
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Andrew Nesbitt
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
@@ -0,0 +1,179 @@
+# spdx
+
+Go library for SPDX license expression parsing, normalization, and validation.
+
+Normalizes informal license strings from the real world (like "Apache 2" or "MIT License") to valid SPDX identifiers (like "Apache-2.0" or "MIT"). Useful when working with package metadata from registries where license fields often contain non-standard values.
+
+## Installation
+
+```bash
+go get github.com/git-pkgs/spdx
+```
+
+## Usage
+
+### Normalize informal license strings
+
+```go
+import "github.com/git-pkgs/spdx"
+
+// Normalize converts informal strings to valid SPDX identifiers
+id, err := spdx.Normalize("Apache 2")           // "Apache-2.0"
+id, err := spdx.Normalize("MIT License")        // "MIT"
+id, err := spdx.Normalize("GPL v3")             // "GPL-3.0-or-later"
+id, err := spdx.Normalize("GNU General Public License") // "GPL-3.0-or-later"
+id, err := spdx.Normalize("BSD 3-Clause")       // "BSD-3-Clause"
+id, err := spdx.Normalize("CC BY 4.0")          // "CC-BY-4.0"
+```
+
+### Parse and normalize expressions
+
+```go
+// Parse handles both strict SPDX IDs and informal license names
+expr, err := spdx.Parse("MIT OR Apache-2.0")
+fmt.Println(expr.String())  // "MIT OR Apache-2.0"
+
+expr, err := spdx.Parse("Apache 2 OR MIT License")
+fmt.Println(expr.String())  // "Apache-2.0 OR MIT"
+
+expr, err := spdx.Parse("GPL v3 AND BSD 3-Clause")
+fmt.Println(expr.String())  // "GPL-3.0-or-later AND BSD-3-Clause"
+
+// Handles operator precedence (AND binds tighter than OR)
+expr, err := spdx.Parse("MIT OR GPL-2.0-only AND Apache-2.0")
+fmt.Println(expr.String())  // "MIT OR (GPL-2.0-only AND Apache-2.0)"
+
+// ParseStrict requires valid SPDX IDs (no fuzzy normalization)
+expr, err := spdx.ParseStrict("MIT OR Apache-2.0")  // succeeds
+expr, err := spdx.ParseStrict("Apache 2 OR MIT")    // fails
+```
+
+### Validate licenses
+
+```go
+// Check if a string is valid SPDX
+spdx.Valid("MIT OR Apache-2.0")     // true
+spdx.Valid("FAKEYLICENSE")          // false
+
+// Check if a single identifier is valid
+spdx.ValidLicense("MIT")            // true
+spdx.ValidLicense("Apache 2")       // false (informal, not valid SPDX)
+
+// Validate multiple licenses at once
+valid, invalid := spdx.ValidateLicenses([]string{"MIT", "Apache-2.0", "FAKE"})
+// valid: false, invalid: ["FAKE"]
+```
+
+### Check license compatibility
+
+```go
+// Check if allowed licenses satisfy an expression
+satisfied, err := spdx.Satisfies("MIT OR Apache-2.0", []string{"MIT"})
+// true
+
+satisfied, err := spdx.Satisfies("MIT AND Apache-2.0", []string{"MIT"})
+// false (both required)
+```
+
+### Extract licenses from expressions
+
+```go
+licenses, err := spdx.ExtractLicenses("(MIT AND GPL-2.0-only) OR Apache-2.0")
+// ["Apache-2.0", "GPL-2.0-only", "MIT"]
+```
+
+### Get license categories
+
+Categories are sourced from [scancode-licensedb](https://scancode-licensedb.aboutcode.org/) (OSS licenses only) and updated weekly.
+
+```go
+// Get the category for a license
+cat := spdx.LicenseCategory("MIT")           // spdx.CategoryPermissive
+cat := spdx.LicenseCategory("GPL-3.0-only")  // spdx.CategoryCopyleft
+cat := spdx.LicenseCategory("MPL-2.0")       // spdx.CategoryCopyleftLimited
+cat := spdx.LicenseCategory("Unlicense")     // spdx.CategoryPublicDomain
+
+// Check license type
+spdx.IsPermissive("MIT")        // true
+spdx.IsPermissive("GPL-3.0")    // false
+spdx.IsCopyleft("GPL-3.0-only") // true
+spdx.IsCopyleft("LGPL-2.1")     // true (weak copyleft)
+
+// Get categories for an expression
+cats, err := spdx.ExpressionCategories("MIT OR GPL-3.0-only")
+// []Category{CategoryPermissive, CategoryCopyleft}
+
+// Check expressions for copyleft
+spdx.HasCopyleft("MIT OR Apache-2.0")     // false
+spdx.HasCopyleft("MIT OR GPL-3.0-only")   // true
+spdx.IsFullyPermissive("MIT OR Apache-2.0") // true
+spdx.IsFullyPermissive("MIT OR GPL-3.0")    // false
+
+// Get detailed license info
+info := spdx.GetLicenseInfo("MIT")
+// info.Category: CategoryPermissive
+// info.IsException: false
+// info.IsDeprecated: false
+```
+
+Available categories:
+- `CategoryPermissive` - MIT, Apache-2.0, BSD-*
+- `CategoryCopyleft` - GPL-*, AGPL-*
+- `CategoryCopyleftLimited` - LGPL-*, MPL-*, EPL-*
+- `CategoryPublicDomain` - Unlicense, CC0-1.0
+- `CategoryCommercial` - Commercial licenses
+- `CategoryProprietaryFree` - Free but proprietary
+- `CategorySourceAvailable` - Source-available licenses
+- `CategoryPatentLicense` - Patent grants
+- `CategoryFreeRestricted` - Free with restrictions
+- `CategoryCLA` - Contributor agreements
+- `CategoryUnstated` - No license stated
+
+## Normalization examples
+
+The library handles many common variations found in package registries:
+
+| Input | Output |
+|-------|--------|
+| Apache 2 | Apache-2.0 |
+| Apache License 2.0 | Apache-2.0 |
+| Apache License, Version 2.0 | Apache-2.0 |
+| MIT License | MIT |
+| M.I.T. | MIT |
+| GPL v3 | GPL-3.0-or-later |
+| GNU General Public License v3 | GPL-3.0-or-later |
+| LGPL 2.1 | LGPL-2.1-only |
+| BSD 3-Clause | BSD-3-Clause |
+| 3-Clause BSD | BSD-3-Clause |
+| Simplified BSD | BSD-2-Clause |
+| MPL 2.0 | MPL-2.0 |
+| Mozilla Public License | MPL-2.0 |
+| CC BY 4.0 | CC-BY-4.0 |
+| Attribution-NonCommercial | CC-BY-NC-4.0 |
+| Unlicense | Unlicense |
+| WTFPL | WTFPL |
+
+## Performance
+
+Designed for processing large numbers of licenses:
+
+```
+BenchmarkNormalize-8       49116    24381 ns/op   (~5µs per license)
+BenchmarkNormalizeBatch-8    372  3271336 ns/op   (~3.3µs per license at scale)
+BenchmarkParse-8          236752     5263 ns/op   (includes normalization)
+BenchmarkValid-8          789087     1506 ns/op   (strict validation)
+```
+
+## Prior art
+
+This library combines approaches from several existing implementations:
+
+- [librariesio/spdx](https://github.com/librariesio/spdx) (Ruby) - Expression parsing and case normalization
+- [jslicense/spdx-correct.js](https://github.com/jslicense/spdx-correct.js) (JavaScript) - Fuzzy matching transforms and test cases
+- [EmbarkStudios/spdx](https://github.com/EmbarkStudios/spdx) (Rust) - Performance-oriented design
+- [github/go-spdx](https://github.com/github/go-spdx) (Go) - SPDX license list and Satisfies implementation
+- [aboutcode-org/scancode-licensedb](https://github.com/aboutcode-org/scancode-licensedb) - License categories and metadata
+
+## License
+
+MIT