chore: open-source project setup #122

Merged: skyoo2003 merged 6 commits into master from chore/opensource-project-setup on Apr 18, 2026

@skyoo2003 skyoo2003 commented Apr 17, 2026

Summary

  • License: Change from MIT to Apache 2.0 (LICENSE, NOTICE, SPDX headers on all 94 Go files)
  • Documentation: Add GOVERNANCE.md, SUPPORT.md; update README, CONTRIBUTING, SECURITY with Apache 2.0 references
  • Community automation: Add stale bot, labeler, release-drafter, CodeQL, label-sync workflows
  • Issue forms: Migrate to YAML forms with severity/priority fields; add question form
  • Developer experience: Add .gitattributes, modernize .gitignore, add SPDX pre-commit hook, add CODEOWNERS and FUNDING.yml

Manual step required

After merging, update the GitHub repo license setting:
Settings → General → License → Apache 2.0

Test plan

  • go build ./... passes
  • go vet ./... passes
  • go test -race ./... passes
  • Pre-commit hooks pass
  • No remaining MIT references in documentation
  • All 94 Go files have SPDX headers
  • CI green on this PR
  • GitHub Discussions enabled

Summary by Sourcery

Switch the project to Apache 2.0 licensing and set up open-source friendly automation, templates, and metadata.

New Features:

  • Add governance and support documentation to define project ownership, contribution model, and support channels.
  • Introduce GitHub issue forms for bugs, features, and questions with severity/priority metadata.
  • Add funding metadata and sponsor badge to advertise GitHub Sponsors.

Enhancements:

  • Add SPDX license headers to Go sources and enforce them via pre-commit and CI checks.
  • Update documentation and contribution guidelines to reference Apache License 2.0 and clarify contributor licensing terms.
  • Add automatic PR labeling, release drafting, stale issue/PR management, and label synchronization workflows.
  • Modernize git-related configuration with .gitattributes and CODEOWNERS files.

CI:

  • Extend CI to verify presence of SPDX headers in Go files.
  • Add CodeQL analysis workflow for Go code security scanning.

Documentation:

  • Update README and site docs to reflect Apache 2.0 licensing, governance, support, and security policies.

Chores:

  • Replace legacy Markdown issue templates with YAML-based GitHub issue forms.

- Replace LICENSE file with Apache License 2.0 full text
- Add NOTICE file as required by Apache 2.0
- Add pre-commit hook to auto-add SPDX headers to new Go files
Add Apache-2.0 SPDX headers to 94 Go source files for license compliance.
- Update README with Support, Security, Governance sections
- Update CONTRIBUTING with Apache 2.0 license agreement and Redis 6.0+
- Update SECURITY.md license reference to Apache 2.0
- Add GOVERNANCE.md (BDFL model, release process, maintainership)
- Add SUPPORT.md (help channels, response times, security reporting)
- Update docs site license reference to Apache 2.0
GitHub config:
- Add CODEOWNERS with directory-specific rules
- Add FUNDING.yml for GitHub Sponsors
- Migrate Issue templates from Markdown to YAML forms
- Add severity/priority fields to bug/feature issue forms
- Add question issue form
- Add GitHub Discussions link to issue config
- Add license acknowledgment to PR template

Workflows:
- Add stale workflow (14d issues, 7d PRs auto-management)
- Add labeler workflow (auto-label PRs by changed files)
- Add label-sync workflow (clean labels on merge)
- Add release-drafter workflow (auto-draft release notes)
- Add CodeQL workflow (weekly security scanning)
- Add SPDX header check to CI

Other:
- Add .gitattributes for consistent line endings and diff settings
- Modernize .gitignore with categorized sections

sourcery-ai Bot commented Apr 17, 2026

Reviewer's Guide

Switches the project licensing and contributor model to Apache 2.0 and adds open‑source friendly governance, support docs, SPDX enforcement, and GitHub automation (CI, CodeQL, release drafting, labeling, stale/label-sync workflows, and structured issue templates).

Sequence diagram for PR lifecycle with labeling, CI, and release drafting

sequenceDiagram
  actor Developer
  participant GitHub
  participant LabelerWorkflow
  participant CIWorkflow
  participant LabelSyncWorkflow
  participant ReleaseDrafterWorkflow

  Developer->>GitHub: Open pull request
  GitHub-->>LabelerWorkflow: pull_request_target event (opened)
  LabelerWorkflow-->>GitHub: Apply labels based on changed files

  GitHub-->>CIWorkflow: pull_request event
  CIWorkflow-->>CIWorkflow: Run go build, go vet, tests
  CIWorkflow-->>CIWorkflow: Run SPDX header grep check
  CIWorkflow-->>GitHub: Report CI status on PR

  Developer->>GitHub: Update PR (push commits)
  GitHub-->>LabelerWorkflow: pull_request_target event (synchronize)
  LabelerWorkflow-->>GitHub: Update labels if needed
  GitHub-->>CIWorkflow: pull_request event
  CIWorkflow-->>GitHub: Update CI status

  Developer->>GitHub: Merge pull request
  GitHub-->>LabelSyncWorkflow: pull_request event (closed, merged)
  LabelSyncWorkflow-->>GitHub: Sync labels using repository config

  GitHub-->>ReleaseDrafterWorkflow: push event on master
  ReleaseDrafterWorkflow-->>GitHub: Update draft release notes

Flow diagram for SPDX header enforcement via pre-commit and CI

flowchart TD
  DevEdit["Developer edits Go files"] --> PreCommitRun["Run git commit with pre-commit enabled"]

  PreCommitRun --> LocalSPDXHook["Local pre-commit hook add-spdx-header"]
  LocalSPDXHook --> ScanFiles["Scan *.go files without SPDX header"]
  ScanFiles --> InsertHeader["Insert // SPDX-License-Identifier: Apache-2.0 at correct position"]
  InsertHeader --> CommitComplete["Commit succeeds with updated files"]

  CommitComplete --> Push["Push branch to GitHub"]
  Push --> CIWorkflow["CI workflow ci.yaml"]

  CIWorkflow --> SPDXCheck["Run grep to verify SPDX header in all *.go files"]
  SPDXCheck -->|all files have header| CI_PASS["CI passes"]
  SPDXCheck -->|missing header detected| CI_FAIL["CI fails and reports missing files"]

  CI_FAIL --> FixHeaders["Developer fixes headers locally (re-run pre-commit)"]
  FixHeaders --> PreCommitRun

File-Level Changes

Change: Move project from MIT to Apache 2.0 and align docs, notices, and contribution terms.
Details:
  • Replace MIT licensing with Apache 2.0 in LICENSE, NOTICE, and docs such as README, SECURITY, CONTRIBUTING, and docs site index.
  • Clarify that all contributions are licensed under Apache 2.0 in CONTRIBUTING and the PR template.
  • Ensure all visible license references (badges, text snippets) point to Apache 2.0 instead of MIT.
Files: LICENSE, NOTICE, README.md, SECURITY.md, CONTRIBUTING.md, docs/content/_index.md, .github/PULL_REQUEST_TEMPLATE.md

Change: Add and enforce SPDX license headers across Go source files via tooling and CI.
Details:
  • Add SPDX-License-Identifier: Apache-2.0 header to all Go source and test files, including cmd, internal, and pkg trees.
  • Introduce a local pre-commit hook that inserts SPDX headers while preserving go:build / +build tags.
  • Extend GitHub Actions CI to fail if any Go files are missing the Apache-2.0 SPDX header.
Files: .pre-commit-config.yaml, .github/workflows/ci.yaml, cmd/acor/main.go, cmd/acor/main_test.go, internal/pkg/utils/utils.go, internal/pkg/utils/utils_test.go, pkg/**/**/*.go

Change: Introduce governance and support documentation and basic project metadata for open-source readiness.
Details:
  • Add GOVERNANCE.md describing BDFL governance, contribution expectations, and release process.
  • Add SUPPORT.md describing help channels, response times, and security reporting, and link these from README.
  • Add empty or placeholder .gitattributes, CODEOWNERS, and NOTICE files to align with standard OSS structure and sponsors configuration via FUNDING.yml.
Files: GOVERNANCE.md, SUPPORT.md, README.md, .gitattributes, .github/CODEOWNERS, NOTICE, .github/FUNDING.yml

Change: Replace legacy Markdown issue templates with structured YAML forms including severity/priority metadata and question template.
Details:
  • Remove old Markdown issue templates for bugs and feature requests.
  • Add YAML-based bug report template with severity and environment fields.
  • Add YAML-based feature request template with priority and problem/solution sections.
  • Add YAML-based question template and update issue config to surface GitHub Discussions and docs links.
Files: .github/ISSUE_TEMPLATE/bug_report.md, .github/ISSUE_TEMPLATE/feature_request.md, .github/ISSUE_TEMPLATE/bug_report.yml, .github/ISSUE_TEMPLATE/feature_request.yml, .github/ISSUE_TEMPLATE/question.yml, .github/ISSUE_TEMPLATE/config.yml

Change: Expand GitHub automation: release drafting, labeling, stale management, label synchronization, and CodeQL analysis.
Details:
  • Add release-drafter configuration and workflow to auto-generate release notes and versions based on labels.
  • Introduce labeler config and workflow to auto-apply labels based on changed files and designate breaking changes.
  • Add stale workflow to auto-mark and close inactive issues/PRs with configurable exemptions.
  • Add label-sync workflow to sync labels after PR merges and a CodeQL workflow to scan Go code on pushes, PRs, and a weekly schedule.
Files: .github/release-drafter.yml, .github/workflows/release-drafter.yml, .github/labeler.yml, .github/workflows/labeler.yml, .github/workflows/stale.yaml, .github/workflows/label-sync.yaml, .github/workflows/codeql.yml

Change: Tighten documented development prerequisites for integration tests.
Details:
  • Increase documented minimum Redis version from 3.0 to 6.0 in contributor documentation to reflect current requirements.
Files: CONTRIBUTING.md

@sourcery-ai sourcery-ai Bot left a comment

Hey - I've found 1 issue, and left some high level feedback:

  • The add-spdx-header pre-commit hook uses sed -i "", which is macOS-specific and will fail on Linux (including most CI runners); consider using a portable sed invocation or a small Go/Python helper instead.
  • The newly added .github/CODEOWNERS file appears to be empty in this change; if you intend to use code owners for reviews, populate it with the relevant paths and owners or drop the file until you have a concrete mapping.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- The `add-spdx-header` pre-commit hook uses `sed -i ""`, which is macOS-specific and will fail on Linux (including most CI runners); consider using a portable `sed` invocation or a small Go/Python helper instead.
- The newly added `.github/CODEOWNERS` file appears to be empty in this change; if you intend to use code owners for reviews, populate it with the relevant paths and owners or drop the file until you have a concrete mapping.

## Individual Comments

### Comment 1
<location path=".pre-commit-config.yaml" line_range="31-34" />
<code_context>
+      - id: add-spdx-header
+        name: Add SPDX license header
+        entry: >-
+          bash -c 'for f in "$@"; do if ! head -1 "$f" | grep -q "SPDX-License-Identifier";
+          then sed -i "" "1i\\
+          // SPDX-License-Identifier: Apache-2.0\\
+          " "$f" && echo "Added SPDX header to $f"; fi; done'
+        language: system
+        files: \.go$
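Review bot: The loop over `"$@"` in the `bash -c '…'` entry skips the first file, because with `bash -c` the first argument after the script string is bound to `$0` rather than `$1`, so the first path pre-commit appends is never checked or given a header. Add a placeholder argument such as `--` after the closing quote of the script, or move the logic into a script file, so that every path lands in `"$@"`.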
</code_context>
<issue_to_address>
**issue (bug_risk):** The SPDX header injection script is not portable and can break files with build tags or existing SPDX lines.

Key issues with this hook:

1. Uses `sed -i ""`, which only works with BSD `sed` (macOS) and will fail on GNU `sed` (Linux/CI). Consider a cross-platform approach (e.g., `python`/`perl` in-place edit or a `sed` incantation that works on both).
2. Inserts the SPDX line at the very top, which breaks Go files that start with `//go:build` / `// +build` or other required first-line constructs. The header should be inserted after any build tags or shebangs.
3. Only checks the first line for `SPDX-License-Identifier`, so it can add a duplicate header if SPDX already appears later in the file, while CI checks anywhere in the file.

Refactor to be cross-platform, choose the correct insertion point, and scan the whole file for an existing SPDX line before adding one.
</issue_to_address>

Comment thread .pre-commit-config.yaml Outdated
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@skyoo2003 skyoo2003 self-assigned this Apr 17, 2026
- Replace macOS-specific sed with python3 for cross-platform support
- Insert SPDX header after //go:build and // +build tags
- Scan entire file for existing SPDX before adding to prevent duplicates
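
An added example, not the project's own hook script: one way to implement the three fixes listed above in Python (whole-file scan for an existing SPDX line, insertion after `//go:build` / `// +build` lines, no `sed`). The function names, the blank line kept after the header, and the `SAMPLE` input are assumptions made for this example.

```python
import re
import sys

HEADER = "// SPDX-License-Identifier: Apache-2.0"
# Any SPDX comment line, anywhere in the file, counts as "already licensed".
SPDX_RE = re.compile(r"^//\s*SPDX-License-Identifier:", re.MULTILINE)
# Go build constraints: "//go:build ..." and the legacy "// +build ...".
BUILD_TAG_RE = re.compile(r"^//(go:build|\s*\+build)\b")

# Constructed sample input (not a file from the repository).
SAMPLE = "//go:build linux\n// +build linux\n\npackage acor\n"


def add_spdx_header(source: str) -> str:
    """Return source with the header added; unchanged if one already exists."""
    if SPDX_RE.search(source):
        return source
    newline = "\r\n" if "\r\n" in source else "\n"
    # Split on line feeds only: str.splitlines() would also break on form
    # feeds and similar characters that may sit inside Go string literals.
    lines = source.replace("\r\n", "\n").split("\n")
    if lines and lines[-1] == "":
        lines.pop()
    # Find the end of the leading build-constraint block, skipping blank lines.
    insert_at = 0
    for i, line in enumerate(lines):
        if BUILD_TAG_RE.match(line):
            insert_at = i + 1
        elif line.strip():
            break
    block = [HEADER]
    if insert_at:
        block.insert(0, "")  # keep a blank line after the constraints
    if insert_at >= len(lines) or lines[insert_at].strip():
        block.append("")  # keep the header out of the package doc comment
    return newline.join(lines[:insert_at] + block + lines[insert_at:]) + newline


def main(paths) -> int:
    """Rewrite files that lack a header; return 1 if any file was modified."""
    changed = 0
    for path in paths:
        # newline="" disables newline translation so CRLF files stay CRLF.
        with open(path, encoding="utf-8", newline="") as fh:
            original = fh.read()
        updated = add_spdx_header(original)
        if updated != original:
            with open(path, "w", encoding="utf-8", newline="") as fh:
                fh.write(updated)
            print(f"Added SPDX header to {path}")
            changed += 1
    return 1 if changed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Returning a non-zero status when a file was rewritten makes the commit stop so the added header can be reviewed and staged.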
@skyoo2003

@sourcery-ai review

@sourcery-ai sourcery-ai Bot left a comment

Hey - I've found 2 issues, and left some high level feedback:

  • The .github/labeler.yml rules for the bug label are extremely broad (any *.go or *_test.go change), which will cause most PRs to be auto-labeled as bugs; consider tightening these patterns so labels more accurately reflect intent.
  • The label-sync.yaml workflow only grants pull-requests: write, but micnncim/action-label-syncer needs permission to manage repository labels (via the issues/labels API), so you likely need to add issues: write (or appropriate repo-level scope) to the workflow permissions.
  • The inline Python in the local add-spdx-header pre-commit hook is quite large and complex for an embedded one-liner; consider moving it into a dedicated script file (checked into the repo) and referencing that from the hook for easier maintenance and testing.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- The `.github/labeler.yml` rules for the `bug` label are extremely broad (any `*.go` or `*_test.go` change), which will cause most PRs to be auto-labeled as bugs; consider tightening these patterns so labels more accurately reflect intent.
- The `label-sync.yaml` workflow only grants `pull-requests: write`, but `micnncim/action-label-syncer` needs permission to manage repository labels (via the issues/labels API), so you likely need to add `issues: write` (or appropriate repo-level scope) to the workflow permissions.
- The inline Python in the local `add-spdx-header` pre-commit hook is quite large and complex for an embedded one-liner; consider moving it into a dedicated script file (checked into the repo) and referencing that from the hook for easier maintenance and testing.

## Individual Comments

### Comment 1
<location path=".github/workflows/ci.yaml" line_range="49-56" />
<code_context>
           version: v2.11.3
       - name: Run go vet
         run: go vet ./...
+      - name: Check SPDX headers
+        run: |
+          missing=$(grep -rL "// SPDX-License-Identifier: Apache-2.0" --include="*.go" . || true)
+          if [ -n "$missing" ]; then
+            echo "Missing SPDX headers in:"
+            echo "$missing"
+            exit 1
+          fi
       - name: Run test
         run: go test -race -v ./...
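Review bot: The `|| true` at the end of the `grep -rL` line makes this check fail open: if grep itself errors (exit status 2, for example on an unreadable path), `missing` is empty and the step passes without having verified anything. Capture grep's exit status and fail the step on any value above 1 instead of discarding it. The fixed string is also matched anywhere in a file, so a `.go` file that only mentions it in a string literal or a late comment passes; anchoring the match to the leading comment block would tighten the check.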
</code_context>
<issue_to_address>
**suggestion:** Align the SPDX CI check with the pre-commit hook behavior and consider limiting the scan to tracked files.

The CI step currently uses `grep -rL` over all `*.go` files in the tree, which may include generated or ignored files and may not exactly match what the pre-commit hook enforces. Two suggestions:

1) Use `git ls-files "*.go"` instead of `grep -r` so CI only checks tracked Go sources.
2) Match the exact header form used by the pre-commit hook (e.g., `^// SPDX-License-Identifier:`) so both checks enforce the same invariant and don’t drift over time.

```suggestion
      - name: Check SPDX headers
        run: |
          missing=$(git ls-files '*.go' | xargs -r grep -L -E '^// SPDX-License-Identifier:' || true)
          if [ -n "$missing" ]; then
            echo "Missing SPDX headers in:"
            echo "$missing"
            exit 1
          fi
```
</issue_to_address>

### Comment 2
<location path=".github/workflows/labeler.yml" line_range="3-5" />
<code_context>
+name: CodeQL
+
+on:
+  push:
+    branches:
</code_context>
<issue_to_address>
**🚨 question (security):** Using `pull_request_target` has security implications when labeling untrusted forks.

Because `pull_request_target` runs with base-repo privileges, it can be risky if any PR-supplied files or config are interpreted. In this workflow you read `.github/labeler.yml` from the target branch, which is safer than reading from the PR branch, but please double-check that no other untrusted PR content is used. If you don’t rely on `pull_request_target` semantics (e.g., for secrets), prefer `pull_request` to minimize the attack surface.
</issue_to_address>

Comment thread .github/workflows/ci.yaml
Comment thread .github/workflows/labeler.yml
- Extract inline SPDX pre-commit hook to scripts/add-spdx-header.py
- Tighten labeler rules: remove overly broad bug label, scope enhancement
- Switch labeler workflow from pull_request_target to pull_request
- Add issues:write permission to label-sync workflow
- Align CI SPDX check to use git ls-files and match exact header format
@github-actions github-actions Bot added the documentation, enhancement, go, breaking_changes, and github_actions labels Apr 17, 2026
@skyoo2003 skyoo2003 merged commit d37747a into master Apr 18, 2026
8 checks passed
@skyoo2003 skyoo2003 deleted the chore/opensource-project-setup branch April 18, 2026 01:53
@skyoo2003 skyoo2003 mentioned this pull request Apr 19, 2026
2 tasks