This is an automated email from the ASF dual-hosted git repository. sbp pushed a commit to branch sbp in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
commit 266093185a1964dc8fe5f8d037e058f1e404d31a Author: Sean B. Palmer <[email protected]> AuthorDate: Fri Feb 6 20:06:38 2026 +0000 Document project policy inputs to checks --- atr/docs/checks.md | 38 +++++++++++++++++++++++++++++++++++++- 1 file changed, 37 insertions(+), 1 deletion(-) diff --git a/atr/docs/checks.md b/atr/docs/checks.md index b469644..d609018 100644 --- a/atr/docs/checks.md +++ b/atr/docs/checks.md 
@@ -112,4 +112,40 @@ _For debugging only_, if you need a fresh run, place a file named `.atr-no-cache ## Project policy inputs -Several checks depend on project policy. You can define which paths are considered source artifacts and which are considered binary artifacts, and you can define exclusion patterns for the RAT scan and for the lightweight license header check. These settings affect which checks run and which files are skipped. If no policy pattern matches a file, ATR treats it as a source artifact for the purpose of the lightweight and RAT license checks. +Several project and committee settings influence which checks run, what they skip, and how their results are interpreted. This section lists each setting that can change the outcome of a check, where to find it, and what it does. Most of these settings live on the project settings page in the _Release policy - Compose options_ form. Committee signing keys and check ignores are, however, managed separately. + +### Source and binary artifact paths + +You can configure path patterns that tell ATR which of your artifacts are source artifacts and which are binary. These are the _Source artifact paths_ and _Binary artifact paths_ fields in the compose options form, and they accept one .gitignore style pattern per line. ATR uses these patterns to classify each file, and the classification makes several checks behave differently depending on whether an artifact is source or binary: archive structure checks are skipped for binary artifacts, [...] + +Please note that there is [currently a bug](https://github.com/apache/tooling-trusted-releases/issues/630) where license file exclusions are not applied when a source archive is not explicitly classified through release policy options. + +### License check mode + +The _Source artifact license checker_ setting controls which license checks run on source archives. You can set it to _Both_ (the default), _Lightweight_, or _RAT_. 
Binary artifacts always use the lightweight checks regardless of this setting, because RAT does not operate on binary artifacts. In _Lightweight_ mode, therefore, the RAT check is skipped entirely. In _RAT_ mode, the lightweight checks are skipped for source artifacts only. + +You can [read more about license checks](license-checks). + +### License check exclusions + +Two separate sets of exclusion patterns let you skip files during license scanning. The _RAT source excludes_ are applied when RAT scans a source artifact that does not contain its own `.rat-excludes` file. The _Lightweight source excludes_ are always applied during the lightweight license header scan for source artifacts. In both cases the exclusions only take effect for artifacts that are classified as source by the source artifact paths setting (this is a [bug](https://github.com/apac [...] + +You can [read more about license check exclusions](license-checks#project-policy-exclusions). + +### Strict checking + +When _Strict checking_ is enabled, ATR prevents a release from being promoted to a vote unless all checks pass. This setting does not change what the checks themselves do or what they report. + +### Committee signing keys + +Signature verification depends on the public signing keys registered for the project's committee. ATR verifies each `.asc` signature against the set of keys linked to the committee, and accepts a signature only when the signing key has a valid ASF UID association or matches the committee's private email address pattern `private@`_committee_`.apache.org`. If a key has not been imported for the committee, or if it lacks an ASF UID, signature checks will fail for artifacts signed with that [...] + +### Podling status + +If the project belongs to an incubating podling, ATR passes this to certain checks automatically. 
The path and naming check requires the word "incubating" in artifact filenames for podlings, and the license file check looks for a `DISCLAIMER` or `DISCLAIMER-WIP` file in the archive root. Podling status comes from the committee record and is not something that you can configure per project. + +### Check ignores + +Check ignore rules do not change which checks run or what they report, but they do change which results are shown. Ignored results are removed from the warning and error counts and shown separately. Since ignores can mask failures that would otherwise block a vote under strict checking, they are part of the effective check policy for a project. Ignores are managed from the release checks page and apply at the project level, not per release. + +You can [read more about check ignores](check-ignores).
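
Review bot: The "Strict checking" paragraph says a release cannot be promoted to a vote "unless all checks pass", while the later "Check ignores" paragraph says ignores "can mask failures that would otherwise block a vote under strict checking", so a reader who stops at the strict checking section gets a stronger guarantee than the page as a whole describes. Suggest stating the interaction where strict checking is defined, for example by adding that ignored results are not counted (if that is the actual behaviour) and linking to check-ignores from that paragraph. Separately, in "License check mode" the "therefore" in "In _Lightweight_ mode, therefore, the RAT check is skipped entirely" does not follow from the preceding sentence about binary artifacts; dropping the word, or moving the binary-artifact sentence after the two mode descriptions, would read more clearly.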
