76 changes: 76 additions & 0 deletions .github/workflows/ci_check_license_headers.yaml
@@ -0,0 +1,76 @@
#
# Copyright 2021-Present The Serverless Workflow Specification Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

name: "CI :: License headers"

on:
push:
branches: [main]
pull_request:
branches: ["**"]
types: [opened, reopened, ready_for_review, synchronize]

env:
APACHE_RAT_VERSION: 0.17

jobs:
check:
runs-on: ubuntu-latest

steps:
- name: Checkout code
uses: actions/checkout@v3

- name: "Setup JDK 17"
uses: actions/setup-java@v4
with:
java-version: 17
distribution: "temurin"

- name: Download Apache RAT
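Review bot: the workflow declares no permissions block, so the job runs with whatever default GITHUB_TOKEN scope the repository grants, which may be read/write; this job only checks out and reads the tree, so add a top-level permissions entry with contents: read so the token cannot push or modify anything even if a later step is compromised. The pinning point raised below for actions/checkout@v3 applies equally to actions/setup-java@v4 in this region: pin both to a full commit SHA with the tag in a trailing comment so a moved tag cannot change what the job executes.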
Member


Can't we cache this jar?

run: |
set -e
BASE_URL="https://repo1.maven.org/maven2/org/apache/rat/apache-rat/${APACHE_RAT_VERSION}"
APACHE_RAT_JAR="apache-rat-${APACHE_RAT_VERSION}.jar"
APACHE_RAT_SHA="apache-rat-${APACHE_RAT_VERSION}.jar.sha1"

# Download JAR and corresponding SHA-1 checksum
curl -LO "${BASE_URL}/${APACHE_RAT_JAR}"
curl -LO "${BASE_URL}/${APACHE_RAT_SHA}"

# Verify the downloaded JAR against the published checksum
EXPECTED_SHA1="$(awk '{print $1}' $APACHE_RAT_SHA)"
ACTUAL_SHA1="$(sha1sum $APACHE_RAT_JAR| awk '{print $1}')"
if [ "${EXPECTED_SHA1}" != "${ACTUAL_SHA1}" ]; then
echo "Checksum verification FAILED for ${APACHE_RAT_JAR}" >&2
exit 1
fi
rm $APACHE_RAT_SHA
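Review bot: the checksum file is fetched from the same BASE_URL as the JAR, so the comparison only catches a truncated or corrupted download, not a substituted artifact: whoever can serve a different apache-rat-${APACHE_RAT_VERSION}.jar can serve a matching .sha1 beside it. Record the expected digest in the workflow next to APACHE_RAT_VERSION (updated whenever the version is bumped) and compare the downloaded file against that fixed value, or verify the release signature against the Apache RAT signing keys; the Maven Central fetch then becomes pure transport and the integrity check stops depending on it. Separately, $APACHE_RAT_SHA and $APACHE_RAT_JAR are unquoted in the awk, sha1sum and rm calls; quote them as "${APACHE_RAT_SHA}" and "${APACHE_RAT_JAR}" so word splitting can never change which file is hashed or removed.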
Comment on lines +48 to +61

Copilot AI Mar 6, 2026


Checksum verification is currently based on Maven Central's .sha1 file. SHA-1 is considered weak; Maven Central typically provides stronger digests (e.g., .sha512) and/or signature files. Prefer verifying with SHA-512 (or GPG signature verification) to improve supply-chain integrity.

Suggested change
APACHE_RAT_SHA="apache-rat-${APACHE_RAT_VERSION}.jar.sha1"
# Download JAR and corresponding SHA-1 checksum
curl -LO "${BASE_URL}/${APACHE_RAT_JAR}"
curl -LO "${BASE_URL}/${APACHE_RAT_SHA}"
# Verify the downloaded JAR against the published checksum
EXPECTED_SHA1="$(awk '{print $1}' $APACHE_RAT_SHA)"
ACTUAL_SHA1="$(sha1sum $APACHE_RAT_JAR| awk '{print $1}')"
if [ "${EXPECTED_SHA1}" != "${ACTUAL_SHA1}" ]; then
echo "Checksum verification FAILED for ${APACHE_RAT_JAR}" >&2
exit 1
fi
rm $APACHE_RAT_SHA
APACHE_RAT_SHA512="apache-rat-${APACHE_RAT_VERSION}.jar.sha512"
# Download JAR and corresponding SHA-512 checksum
curl -LO "${BASE_URL}/${APACHE_RAT_JAR}"
curl -LO "${BASE_URL}/${APACHE_RAT_SHA512}"
# Verify the downloaded JAR against the published checksum
EXPECTED_SHA512="$(awk '{print $1}' $APACHE_RAT_SHA512)"
ACTUAL_SHA512="$(sha512sum $APACHE_RAT_JAR | awk '{print $1}')"
if [ "${EXPECTED_SHA512}" != "${ACTUAL_SHA512}" ]; then
echo "Checksum verification FAILED for ${APACHE_RAT_JAR}" >&2
exit 1
fi
rm $APACHE_RAT_SHA512

Comment on lines +45 to +61

Copilot AI Mar 6, 2026


The download step uses set -e but relies on pipelines (sha1sum ... | awk ...) without pipefail, and curl is invoked without --fail. A failed download or checksum command can be masked by pipeline behavior, making failures harder to diagnose. Consider set -euo pipefail and curl -fsSLO for more reliable failure handling.

Suggested change
set -e
BASE_URL="https://repo1.maven.org/maven2/org/apache/rat/apache-rat/${APACHE_RAT_VERSION}"
APACHE_RAT_JAR="apache-rat-${APACHE_RAT_VERSION}.jar"
APACHE_RAT_SHA="apache-rat-${APACHE_RAT_VERSION}.jar.sha1"
# Download JAR and corresponding SHA-1 checksum
curl -LO "${BASE_URL}/${APACHE_RAT_JAR}"
curl -LO "${BASE_URL}/${APACHE_RAT_SHA}"
# Verify the downloaded JAR against the published checksum
EXPECTED_SHA1="$(awk '{print $1}' $APACHE_RAT_SHA)"
ACTUAL_SHA1="$(sha1sum $APACHE_RAT_JAR| awk '{print $1}')"
if [ "${EXPECTED_SHA1}" != "${ACTUAL_SHA1}" ]; then
echo "Checksum verification FAILED for ${APACHE_RAT_JAR}" >&2
exit 1
fi
rm $APACHE_RAT_SHA
set -euo pipefail
BASE_URL="https://repo1.maven.org/maven2/org/apache/rat/apache-rat/${APACHE_RAT_VERSION}"
APACHE_RAT_JAR="apache-rat-${APACHE_RAT_VERSION}.jar"
APACHE_RAT_SHA="apache-rat-${APACHE_RAT_VERSION}.jar.sha1"
# Download JAR and corresponding SHA-1 checksum
curl -fsSLO "${BASE_URL}/${APACHE_RAT_JAR}"
curl -fsSLO "${BASE_URL}/${APACHE_RAT_SHA}"
# Verify the downloaded JAR against the published checksum
EXPECTED_SHA1="$(awk '{print $1}' "${APACHE_RAT_SHA}")"
ACTUAL_SHA1="$(sha1sum "${APACHE_RAT_JAR}" | awk '{print $1}')"
if [ "${EXPECTED_SHA1}" != "${ACTUAL_SHA1}" ]; then
echo "Checksum verification FAILED for ${APACHE_RAT_JAR}" >&2
exit 1
fi
rm "${APACHE_RAT_SHA}"


Comment on lines +35 to +62

Copilot AI Mar 6, 2026


This downloads and executes a remote JAR via curl without any integrity verification (checksum/signature) and uses an unpinned actions/checkout@v3. For supply-chain safety, pin actions to a commit SHA (or at least update to the current major) and verify the RAT artifact (e.g., download the corresponding .sha512/signature and validate before running).

Suggested change
uses: actions/checkout@v3
- name: Download Apache RAT
run: |
curl -LO "https://repo1.maven.org/maven2/org/apache/rat/apache-rat/${APACHE_RAT_VERSION}/apache-rat-${APACHE_RAT_VERSION}.jar"
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # actions/checkout@v4
- name: Download Apache RAT
run: |
set -e
BASE_URL="https://repo1.maven.org/maven2/org/apache/rat/apache-rat/${APACHE_RAT_VERSION}"
# Download JAR and corresponding SHA-512 checksum
curl -L -o "apache-rat-${APACHE_RAT_VERSION}.jar" "${BASE_URL}/apache-rat-${APACHE_RAT_VERSION}.jar"
curl -L -o "apache-rat-${APACHE_RAT_VERSION}.jar.sha512" "${BASE_URL}/apache-rat-${APACHE_RAT_VERSION}.jar.sha512"
# Verify the downloaded JAR against the published checksum
EXPECTED_SHA512="$(awk '{print $1}' "apache-rat-${APACHE_RAT_VERSION}.jar.sha512")"
ACTUAL_SHA512="$(sha512sum "apache-rat-${APACHE_RAT_VERSION}.jar" | awk '{print $1}')"
if [ "${EXPECTED_SHA512}" != "${ACTUAL_SHA512}" ]; then
echo "Checksum verification FAILED for apache-rat-${APACHE_RAT_VERSION}.jar" >&2
exit 1
fi

- name: Run Apache RAT
run: |
APACHE_RAT_JAR="apache-rat-${APACHE_RAT_VERSION}.jar"

# Redirect output to .rat-reports file, continue even if RAT returns non-zero exit code because we want to print Unapproved documents
java -jar $APACHE_RAT_JAR --input-exclude-file .rat-excludes -- . > .rat-reports 2>&1 || true
Comment on lines +49 to +68

Copilot AI Mar 6, 2026


The workflow downloads apache-rat-${APACHE_RAT_VERSION}.jar into the repository root and then runs RAT over .. This means the freshly-downloaded JAR itself is included in the scan, which can cause RAT to report it as an unapproved/binary file and fail the job. Download the JAR into a temp directory outside the scan root (e.g., $RUNNER_TEMP) or add an exclude pattern for apache-rat-*.jar and scan only tracked repo files.

Suggested change
# Download JAR and corresponding SHA-1 checksum
curl -LO "${BASE_URL}/${APACHE_RAT_JAR}"
curl -LO "${BASE_URL}/${APACHE_RAT_SHA}"
# Verify the downloaded JAR against the published checksum
EXPECTED_SHA1="$(awk '{print $1}' $APACHE_RAT_SHA)"
ACTUAL_SHA1="$(sha1sum $APACHE_RAT_JAR| awk '{print $1}')"
if [ "${EXPECTED_SHA1}" != "${ACTUAL_SHA1}" ]; then
echo "Checksum verification FAILED for ${APACHE_RAT_JAR}" >&2
exit 1
fi
rm $APACHE_RAT_SHA
- name: Run Apache RAT
run: |
APACHE_RAT_JAR="apache-rat-${APACHE_RAT_VERSION}.jar"
# Redirect output to .rat-reports file, continue even if RAT returns non-zero exit code because we want to print Unapproved documents
java -jar $APACHE_RAT_JAR --input-exclude-file .rat-excludes -- . > .rat-reports 2>&1 || true
APACHE_RAT_DIR="${RUNNER_TEMP:-/tmp}"
mkdir -p "${APACHE_RAT_DIR}"
cd "${APACHE_RAT_DIR}"
# Download JAR and corresponding SHA-1 checksum
curl -LO "${BASE_URL}/${APACHE_RAT_JAR}"
curl -LO "${BASE_URL}/${APACHE_RAT_SHA}"
# Verify the downloaded JAR against the published checksum
EXPECTED_SHA1="$(awk '{print $1}' "${APACHE_RAT_SHA}")"
ACTUAL_SHA1="$(sha1sum "${APACHE_RAT_JAR}" | awk '{print $1}')"
if [ "${EXPECTED_SHA1}" != "${ACTUAL_SHA1}" ]; then
echo "Checksum verification FAILED for ${APACHE_RAT_JAR}" >&2
exit 1
fi
rm "${APACHE_RAT_SHA}"
- name: Run Apache RAT
run: |
APACHE_RAT_JAR="${RUNNER_TEMP:-/tmp}/apache-rat-${APACHE_RAT_VERSION}.jar"
# Redirect output to .rat-reports file, continue even if RAT returns non-zero exit code because we want to print Unapproved documents
java -jar "$APACHE_RAT_JAR" --input-exclude-file .rat-excludes -- . > .rat-reports 2>&1 || true

if grep -q "^! Unapproved:" .rat-reports; then
echo "❌ Apache RAT check FAILED - Files with unapproved licenses found:"
echo ""
grep "^! /" .rat-reports

Copilot AI Mar 6, 2026


grep "^! /" .rat-reports is very likely to miss the file list because RAT typically reports paths as relative (e.g., ! ./path or ! path) rather than absolute (/path). This makes failures hard to diagnose. Broaden the match (e.g., ^! ) or parse the report section that lists offending files so the workflow reliably prints the unapproved paths.

Suggested change
grep "^! /" .rat-reports
grep "^! " .rat-reports

exit 1
Comment on lines +67 to +73

Copilot AI Mar 6, 2026


The workflow unconditionally swallows Apache RAT’s exit code (|| true) and only greps for a specific report line. If java is missing, the JAR download fails/corrupts, or RAT errors for any other reason, this step can incorrectly report success because the report won’t contain ! Unapproved:. Capture and check RAT’s exit status (or explicitly detect tool/runtime errors) and fail the job when RAT cannot run successfully; you can still print the report for debugging before exiting non-zero.

else
echo "✅ Apache RAT check PASSED - All files have approved licenses."
fi
16 changes: 16 additions & 0 deletions .gitignore
@@ -1,3 +1,19 @@
#
# Copyright 2021-Present The Serverless Workflow Specification Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Logs
logs
*.log
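Review bot: .rat-reports is missing from this .gitignore. The workflow writes the RAT output to .rat-reports in the repository root, and .rat-excludes already lists that file, so the check is evidently meant to be runnable locally as well; add .rat-reports here so a local run does not leave an untracked report that gets committed by mistake.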
9 changes: 9 additions & 0 deletions .rat-excludes
@@ -0,0 +1,9 @@
.gitattributes
.npmrc
.prettierignore
.rat-excludes
.rat-reports
pnpm-lock.yaml
Comment on lines +1 to +6

Copilot AI Mar 6, 2026


If the RAT JAR continues to be downloaded into the workspace, consider adding an exclude entry for apache-rat-*.jar here. Otherwise the CI job may end up scanning artifacts created during the workflow run rather than only repository content.

pnpm-workspace.yaml
repo/graph.dot
repo/repo.iml
16 changes: 16 additions & 0 deletions README.md
@@ -1,2 +1,18 @@
<!--
Copyright 2021-Present The Serverless Workflow Specification Authors

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->

# editor
CNCF Serverless Workflow Specification Visual Editor