chore: add downloads in README, security policy and update ci actions (…

…#401) * add security policy Signed-off-by: Michele Dolfi <[email protected]> * update deprecated actions Signed-off-by: Michele Dolfi <[email protected]> * add comment about licenses for new dependencies Signed-off-by: Michele Dolfi <[email protected]> * add pypi downloads badge Signed-off-by: Michele Dolfi <[email protected]> * add citation file Signed-off-by: Michele Dolfi <[email protected]> --------- Signed-off-by: Michele Dolfi <[email protected]>
DS4SD · Nov 21, 2024 · 97d571a · 97d571a
1 parent eb64f6d
commit 97d571a
Show file tree

Hide file tree

Showing 8 changed files with 47 additions and 4 deletions.
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -0,0 +1,23 @@
+# Security and Disclosure Information Policy for the Docling Project
+
+The Docling team and community take security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
+
+## Reporting a Vulnerability
+
+If you think you've identified a security issue in an Docling project repository, please DO NOT report the issue publicly via the GitHub issue tracker, etc.
+
+Instead, send an email with as many details as possible to [[email protected]](mailto:[email protected]). This is a private mailing list for the maintainers team.
+
+Please do not create a public issue.
+
+## Security Vulnerability Response
+
+Each report is acknowledged and analyzed by the core maintainers within 3 working days.
+
+Any vulnerability information shared with core maintainers stays within the Docling project and will not be disseminated to other projects unless it is necessary to get the issue fixed.
+
+After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
+
+## Security Alerts
+
+We will send announcements of security vulnerabilities and steps to remediate on the [Docling announcements](https://github.com/DS4SD/docling/discussions/categories/announcements).
diff --git a/.github/actions/setup-poetry/action.yml b/.github/actions/setup-poetry/action.yml
@@ -10,7 +10,7 @@ runs:
     - name: Install poetry
       run: pipx install poetry==1.8.3
       shell: bash
-    - uses: actions/setup-python@v4
+    - uses: actions/setup-python@v5
       with:
         python-version: ${{ inputs.python-version }}
         cache: 'poetry'

diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -15,7 +15,7 @@ jobs:
     outputs:
       TARGET_TAG_V: ${{ steps.version_check.outputs.TRGT_VERSION }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0  # for fetching tags, required for semantic-release
       - uses: ./.github/actions/setup-poetry

diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
@@ -8,7 +8,7 @@ jobs:
       matrix:
         python-version: ['3.9', '3.10', '3.11', '3.12']
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Install tesseract
         run: sudo apt-get update && sudo apt-get install -y tesseract-ocr tesseract-ocr-eng tesseract-ocr-fra tesseract-ocr-deu tesseract-ocr-spa libleptonica-dev libtesseract-dev pkg-config
       - name: Set TESSDATA_PREFIX

diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
@@ -15,7 +15,7 @@ jobs:
   build-and-publish:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: ./.github/actions/setup-poetry
       - name: Build and publish
         run: poetry publish --build --no-interaction --username=__token__ --password=${{ secrets.PYPI_TOKEN }}
diff --git a/CITATION.cff b/CITATION.cff
@@ -0,0 +1,15 @@
+# This CITATION.cff file was generated with cffinit.
+# Visit https://bit.ly/cffinit to generate yours today!
+
+cff-version: 1.2.0
+title: Docling
+message: 'If you use Docling, please consider citing as below.'
+type: software
+authors:
+  - name: Docling Team
+identifiers:
+  - type: url
+    value: 'https://arxiv.org/abs/2408.09869'
+    description: 'arXiv:2408.09869'
+repository-code: 'https://github.com/DS4SD/docling'
+license: MIT
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -71,6 +71,10 @@ local git repository using the following command:
 git commit -s
 ```
 
+### New dependencies
+
+This project strictly adheres to using dependencies that are compatible with the MIT license to ensure maximum flexibility and permissiveness in its usage and distribution. As a result, dependencies licensed under restrictive terms such as GPL, LGPL, AGPL, or similar are explicitly excluded. These licenses impose additional requirements and limitations that are incompatible with the MIT license's minimal restrictions, potentially affecting derivative works and redistribution. By maintaining this policy, the project ensures simplicity and freedom for both developers and users, avoiding conflicts with stricter copyleft provisions.
+
 
 ## Communication
 

diff --git a/README.md b/README.md
@@ -20,6 +20,7 @@
 [![Pydantic v2](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/pydantic/pydantic/main/docs/badge/v2.json)](https://pydantic.dev)
 [![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit)
 [![License MIT](https://img.shields.io/github/license/DS4SD/docling)](https://opensource.org/licenses/MIT)
+[![PyPI Downloads](https://static.pepy.tech/badge/docling/month)](https://pepy.tech/projects/docling)
 
 Docling parses documents and exports them to the desired format with ease and speed.