fix #18 - Add GitHub Action to enforce Apache 2.0 license headers by fantonangeli · Pull Request #27 · serverlessworkflow/editor

fantonangeli · 2026-03-05T16:31:46Z

Closes #18

Summary

Add a GitHub Actions workflow that validates Apache 2.0 license headers are present in all applicable source files and fails the build if headers are missing. The check must execute on every Pull Request.

Goals

Ensure all source files comply with Apache 2.0 licensing requirements.

Prevent merging code without proper license headers.
Automate enforcement instead of relying on manual review.
Maintain CNCF/open-source governance standards.

Non-Goals

Complex legal compliance tooling beyond header validation.
Checking third-party dependency licenses.

ricardozanini · 2026-03-05T16:33:50Z

@fantonangeli you must sign your commits with a key that matches your email.

.rat-excludes

.github/workflows/ci_check_license_headers.yaml

Signed-off-by: fantonangeli <fabrizio.antonangeli@gmail.com>

Copilot

Pull request overview

Adds automated license-header enforcement using Apache RAT so pull requests fail if files without approved licensing are introduced, supporting the repository’s Apache 2.0 compliance goal.

Changes:

Add a CI workflow that runs Apache RAT on pushes to main and on PR events.
Introduce .rat-excludes to exclude certain non-source/config/generated files from RAT scanning.
Add Apache 2.0 license headers to README.md and .gitignore.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 3 comments.

File	Description
README.md	Adds an Apache 2.0 license header in an HTML comment.
.rat-excludes	Defines files to exclude from Apache RAT scanning.
.gitignore	Adds an Apache 2.0 license header comment block.
.github/workflows/ci_check_license_headers.yaml	New workflow that downloads and runs Apache RAT, failing on unapproved files.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

.github/workflows/ci_check_license_headers.yaml

Copilot · 2026-03-06T17:23:19Z

.github/workflows/ci_check_license_headers.yaml

+        uses: actions/checkout@v3
+
+      - name: Download Apache RAT
+        run: |
+          curl -LO "https://repo1.maven.org/maven2/org/apache/rat/apache-rat/${APACHE_RAT_VERSION}/apache-rat-${APACHE_RAT_VERSION}.jar"
+


This downloads and executes a remote JAR via curl without any integrity verification (checksum/signature) and uses an unpinned actions/checkout@v3. For supply-chain safety, pin actions to a commit SHA (or at least update to the current major) and verify the RAT artifact (e.g., download the corresponding .sha512/signature and validate before running).

Suggested change

uses: actions/checkout@v3

- name: Download Apache RAT

run: |

curl -LO "https://repo1.maven.org/maven2/org/apache/rat/apache-rat/${APACHE_RAT_VERSION}/apache-rat-${APACHE_RAT_VERSION}.jar"

uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # actions/checkout@v4

- name: Download Apache RAT

run: |

set -e

BASE_URL="https://repo1.maven.org/maven2/org/apache/rat/apache-rat/${APACHE_RAT_VERSION}"

# Download JAR and corresponding SHA-512 checksum

curl -L -o "apache-rat-${APACHE_RAT_VERSION}.jar" "${BASE_URL}/apache-rat-${APACHE_RAT_VERSION}.jar"

curl -L -o "apache-rat-${APACHE_RAT_VERSION}.jar.sha512" "${BASE_URL}/apache-rat-${APACHE_RAT_VERSION}.jar.sha512"

# Verify the downloaded JAR against the published checksum

EXPECTED_SHA512="$(awk '{print $1}' "apache-rat-${APACHE_RAT_VERSION}.jar.sha512")"

ACTUAL_SHA512="$(sha512sum "apache-rat-${APACHE_RAT_VERSION}.jar" | awk '{print $1}')"

if [ "${EXPECTED_SHA512}" != "${ACTUAL_SHA512}" ]; then

echo "Checksum verification FAILED for apache-rat-${APACHE_RAT_VERSION}.jar" >&2

exit 1

fi

.github/workflows/ci_check_license_headers.yaml

Signed-off-by: fantonangeli <fabrizio.antonangeli@gmail.com>

Copilot

Pull request overview

Copilot reviewed 3 out of 4 changed files in this pull request and generated 4 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

Copilot · 2026-03-06T18:44:08Z

.github/workflows/ci_check_license_headers.yaml

+
+          # Download JAR and corresponding SHA-1 checksum
+          curl -LO "${BASE_URL}/${APACHE_RAT_JAR}"
+          curl -LO "${BASE_URL}/${APACHE_RAT_SHA}"
+
+          # Verify the downloaded JAR against the published checksum
+          EXPECTED_SHA1="$(awk '{print $1}' $APACHE_RAT_SHA)"
+          ACTUAL_SHA1="$(sha1sum $APACHE_RAT_JAR| awk '{print $1}')"
+          if [ "${EXPECTED_SHA1}" != "${ACTUAL_SHA1}" ]; then
+            echo "Checksum verification FAILED for ${APACHE_RAT_JAR}" >&2
+            exit 1
+          fi
+          rm $APACHE_RAT_SHA
+
+      - name: Run Apache RAT
+        run: |
+          APACHE_RAT_JAR="apache-rat-${APACHE_RAT_VERSION}.jar"
+
+          # Redirect output to .rat-reports file, continue even if RAT returns non-zero exit code because we want to print Unapproved documents
+          java -jar $APACHE_RAT_JAR --input-exclude-file .rat-excludes -- . > .rat-reports 2>&1 || true


The workflow downloads apache-rat-${APACHE_RAT_VERSION}.jar into the repository root and then runs RAT over .. This means the freshly-downloaded JAR itself is included in the scan, which can cause RAT to report it as an unapproved/binary file and fail the job. Download the JAR into a temp directory outside the scan root (e.g., $RUNNER_TEMP) or add an exclude pattern for apache-rat-*.jar and scan only tracked repo files.

Suggested change

# Download JAR and corresponding SHA-1 checksum

curl -LO "${BASE_URL}/${APACHE_RAT_JAR}"

curl -LO "${BASE_URL}/${APACHE_RAT_SHA}"

# Verify the downloaded JAR against the published checksum

EXPECTED_SHA1="$(awk '{print $1}' $APACHE_RAT_SHA)"

ACTUAL_SHA1="$(sha1sum $APACHE_RAT_JAR| awk '{print $1}')"

if [ "${EXPECTED_SHA1}" != "${ACTUAL_SHA1}" ]; then

echo "Checksum verification FAILED for ${APACHE_RAT_JAR}" >&2

exit 1

fi

rm $APACHE_RAT_SHA

- name: Run Apache RAT

run: |

APACHE_RAT_JAR="apache-rat-${APACHE_RAT_VERSION}.jar"

# Redirect output to .rat-reports file, continue even if RAT returns non-zero exit code because we want to print Unapproved documents

java -jar $APACHE_RAT_JAR --input-exclude-file .rat-excludes -- . > .rat-reports 2>&1 || true

APACHE_RAT_DIR="${RUNNER_TEMP:-/tmp}"

mkdir -p "${APACHE_RAT_DIR}"

cd "${APACHE_RAT_DIR}"

# Download JAR and corresponding SHA-1 checksum

curl -LO "${BASE_URL}/${APACHE_RAT_JAR}"

curl -LO "${BASE_URL}/${APACHE_RAT_SHA}"

# Verify the downloaded JAR against the published checksum

EXPECTED_SHA1="$(awk '{print $1}' "${APACHE_RAT_SHA}")"

ACTUAL_SHA1="$(sha1sum "${APACHE_RAT_JAR}" | awk '{print $1}')"

if [ "${EXPECTED_SHA1}" != "${ACTUAL_SHA1}" ]; then

echo "Checksum verification FAILED for ${APACHE_RAT_JAR}" >&2

exit 1

fi

rm "${APACHE_RAT_SHA}"

- name: Run Apache RAT

run: |

APACHE_RAT_JAR="${RUNNER_TEMP:-/tmp}/apache-rat-${APACHE_RAT_VERSION}.jar"

# Redirect output to .rat-reports file, continue even if RAT returns non-zero exit code because we want to print Unapproved documents

java -jar "$APACHE_RAT_JAR" --input-exclude-file .rat-excludes -- . > .rat-reports 2>&1 || true

.github/workflows/ci_check_license_headers.yaml

.rat-excludes

.github/workflows/ci_check_license_headers.yaml

Signed-off-by: fantonangeli <fabrizio.antonangeli@gmail.com>

…hanges#r2897289283 Signed-off-by: fantonangeli <fabrizio.antonangeli@gmail.com>

…hanges#r2897676663 Signed-off-by: fantonangeli <fabrizio.antonangeli@gmail.com>

Signed-off-by: fantonangeli <fabrizio.antonangeli@gmail.com>

Copilot

Pull request overview

Copilot reviewed 3 out of 4 changed files in this pull request and generated 3 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

Copilot · 2026-03-09T17:22:13Z

.github/workflows/ci_check_license_headers.yaml

+      - name: Cache Apache RAT
+        uses: actions/cache@v5
+        id: cache-rat
+        with:
+          path: ${{ runner.temp }}/apache-rat-${{ env.APACHE_RAT_VERSION }}.jar
+          key: apache-rat-${{ env.APACHE_RAT_VERSION }}
+
+      - name: Download Apache RAT
+        if: steps.cache-rat.outputs.cache-hit != 'true'
+        run: |


The RAT JAR’s checksum is only verified on fresh download. When the cache is hit, the workflow uses the cached JAR without any integrity check, so a corrupted/poisoned cache entry could go undetected. Consider always verifying the checksum (even on cache-hit) or incorporate the expected digest into the cache key and validate the restored file before running RAT.

I would skip this comment @ricardozanini

README.md

fantonangeli requested review from Copilot, lornakelly and ricardozanini and removed request for Copilot March 5, 2026 16:31

ricardozanini requested changes Mar 5, 2026

View reviewed changes

.rat-excludes Show resolved Hide resolved

.github/workflows/ci_check_license_headers.yaml Outdated Show resolved Hide resolved

GHA creation

35e5193

Signed-off-by: fantonangeli <fabrizio.antonangeli@gmail.com>

fantonangeli force-pushed the issue-18-Add-GitHub-Action-to-enforce-Apache-20-license-headers-2 branch from 5dd02f0 to 40a08ea Compare March 6, 2026 16:42

fantonangeli added a commit to fantonangeli/serverlessworkflow-editor that referenced this pull request Mar 6, 2026

Fixes comment: serverlessworkflow#27 (comment)

69a4aef

Copilot AI review requested due to automatic review settings March 6, 2026 17:19

Copilot started reviewing on behalf of fantonangeli March 6, 2026 17:20 View session

Copilot AI reviewed Mar 6, 2026

View reviewed changes

fantonangeli added 2 commits March 6, 2026 18:27

fix missing license

c614475

Signed-off-by: fantonangeli <fabrizio.antonangeli@gmail.com>

Fixes comment: serverlessworkflow#27 (comment)

68eca73

Signed-off-by: fantonangeli <fabrizio.antonangeli@gmail.com>

fantonangeli force-pushed the issue-18-Add-GitHub-Action-to-enforce-Apache-20-license-headers-2 branch from 2947dc9 to 68eca73 Compare March 6, 2026 17:29

Fix copilot comments

b095ee2

Signed-off-by: fantonangeli <fabrizio.antonangeli@gmail.com>

Copilot AI review requested due to automatic review settings March 6, 2026 18:39

Copilot started reviewing on behalf of fantonangeli March 6, 2026 18:39 View session

Copilot AI reviewed Mar 6, 2026

View reviewed changes

ricardozanini reviewed Mar 6, 2026

View reviewed changes

.github/workflows/ci_check_license_headers.yaml Show resolved Hide resolved

fantonangeli added 5 commits March 9, 2026 12:12

Fix comment serverlessworkflow#27 (comment)

b3ac5f0

Signed-off-by: fantonangeli <fabrizio.antonangeli@gmail.com>

Updated actions version

22bfafc

Signed-off-by: fantonangeli <fabrizio.antonangeli@gmail.com>

Fixes comment: https://github.com/serverlessworkflow/editor/pull/27/c…

b088800

…hanges#r2897289283 Signed-off-by: fantonangeli <fabrizio.antonangeli@gmail.com>

Fixes comment: https://github.com/serverlessworkflow/editor/pull/27/c…

8c73f46

…hanges#r2897676663 Signed-off-by: fantonangeli <fabrizio.antonangeli@gmail.com>

Update action/cache

0b6dce4

Signed-off-by: fantonangeli <fabrizio.antonangeli@gmail.com>

Copilot AI review requested due to automatic review settings March 9, 2026 17:13

Copilot started reviewing on behalf of fantonangeli March 9, 2026 17:16 View session

Copilot AI reviewed Mar 9, 2026

View reviewed changes

-        uses: actions/checkout@v3
-      - name: Download Apache RAT
-        run: |
-          curl -LO "https://repo1.maven.org/maven2/org/apache/rat/apache-rat/${APACHE_RAT_VERSION}/apache-rat-${APACHE_RAT_VERSION}.jar"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # actions/checkout@v4
+      - name: Download Apache RAT
+        run: |
+          set -e
+          BASE_URL="https://repo1.maven.org/maven2/org/apache/rat/apache-rat/${APACHE_RAT_VERSION}"
+          # Download JAR and corresponding SHA-512 checksum
+          curl -L -o "apache-rat-${APACHE_RAT_VERSION}.jar" "${BASE_URL}/apache-rat-${APACHE_RAT_VERSION}.jar"
+          curl -L -o "apache-rat-${APACHE_RAT_VERSION}.jar.sha512" "${BASE_URL}/apache-rat-${APACHE_RAT_VERSION}.jar.sha512"
+          # Verify the downloaded JAR against the published checksum
+          EXPECTED_SHA512="$(awk '{print $1}' "apache-rat-${APACHE_RAT_VERSION}.jar.sha512")"
+          ACTUAL_SHA512="$(sha512sum "apache-rat-${APACHE_RAT_VERSION}.jar" | awk '{print $1}')"
+          if [ "${EXPECTED_SHA512}" != "${ACTUAL_SHA512}" ]; then
+            echo "Checksum verification FAILED for apache-rat-${APACHE_RAT_VERSION}.jar" >&2
+            exit 1
+          fi

Conversation

fantonangeli commented Mar 5, 2026

Summary

Goals

Non-Goals

Uh oh!

ricardozanini commented Mar 5, 2026

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

Copilot AI Mar 6, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Copilot AI Mar 6, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Copilot AI Mar 9, 2026

Choose a reason for hiding this comment

Uh oh!

fantonangeli Mar 9, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants