bazel: add license checks to //:check target (#1509)

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2025-09-21 13:34:48 -04:00 · 2023-03-27 04:42:30 -04:00 · 2023-03-27 04:42:30 -04:00 · 00c7611245
commit 00c7611245
parent da4e2521a9
9 changed files with 945 additions and 56 deletions
--- a/bazel/ci/BUILD.bazel
+++ b/bazel/ci/BUILD.bazel
@ -257,6 +257,26 @@ sh_template(
    template = "buf.sh.in",
 )

+sh_template(
+    name = "golicenses_check",
+    data = [
+        "@com_github_google_go_licenses//:go-licenses",
+        "@go_sdk//:bin/go",
+    ],
+    substitutions = {
+        "@@GO@@": "$(rootpath @go_sdk//:bin/go)",
+        "@@GO_LICENSES@@": "$(rootpath @com_github_google_go_licenses//:go-licenses)",
+    },
+    template = "golicenses.sh.in",
+)
+
+sh_template(
+    name = "license_header_check",
+    data = [],
+    substitutions = {},
+    template = "licenseheader.sh.in",
+)
+
 multirun(
    name = "tidy",
    commands = [
@ -281,6 +301,8 @@ multirun(
        ":buildifier_check",
        ":golangci_lint",
        ":terraform_check",
+        ":golicenses_check",
+        ":license_header_check",
    ] + select({
        "@io_bazel_rules_go//go/platform:darwin_arm64": [
            ":shellcheck_noop_warning",
--- a/bazel/ci/golicenses.sh.in
+++ b/bazel/ci/golicenses.sh.in
@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+
+# Compare licenses of Go dependencies against a whitelist.
+
+lib=$(realpath @@BASE_LIB@@) || exit 1
+go=$(realpath @@GO@@) || exit 1
+golicenses=$(realpath @@GO_LICENSES@@) || exit 1
+
+# shellcheck source=../sh/lib.bash
+if ! source "${lib}"; then
+  echo "Error: could not find import"
+  exit 1
+fi
+
+cd "${BUILD_WORKSPACE_DIRECTORY}" || exit 1
+
+not_allowed() {
+  echo "license not allowed for package: ${line}"
+  err=1
+}
+
+${go} mod download
+
+err=0
+
+GOROOT=$(${go} env GOROOT) ${golicenses} csv ./... | {
+  while read -r line; do
+
+    pkg=${line%%,*}
+    lic=${line##*,}
+
+    case ${lic} in
+    Apache-2.0 | BSD-2-Clause | BSD-3-Clause | ISC | MIT) ;;
+
+    MPL-2.0)
+      case ${pkg} in
+      github.com/siderolabs/talos/pkg/machinery/config/encoder) ;;
+
+      github.com/letsencrypt/boulder) ;;
+
+      github.com/hashicorp/*) ;;
+
+      *)
+        not_allowed
+        ;;
+      esac
+      ;;
+
+    AGPL-3.0)
+      case ${pkg} in
+      github.com/edgelesssys/constellation/v2) ;;
+
+      github.com/edgelesssys/constellation/v2/operators/constellation-node-operator/v2/api/v1alpha1) ;;
+
+      *)
+        not_allowed
+        ;;
+      esac
+      ;;
+
+    Unknown)
+      case ${pkg} in
+
+      *)
+        not_allowed
+        ;;
+      esac
+      ;;
+
+    *)
+      echo "unknown license: ${line}"
+      err=1
+      ;;
+    esac
+
+  done
+  exit "${err}"
+}
--- a/bazel/ci/licenseheader.sh.in
+++ b/bazel/ci/licenseheader.sh.in
@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+# Compare licenses of Go dependencies against a whitelist.
+
+lib=$(realpath @@BASE_LIB@@) || exit 1
+
+# shellcheck source=../sh/lib.bash
+if ! source "${lib}"; then
+  echo "Error: could not find import"
+  exit 1
+fi
+
+cd "${BUILD_WORKSPACE_DIRECTORY}" || exit 1
+
+echo "Checking files for missing company license header..."
+
+noHeader=$(
+  grep \
+    -rL \
+    --include='*.go' \
+    --exclude-dir 3rdparty \
+    -e'SPDX-License-Identifier: AGPL-3.0-only' \
+    -e'DO NOT EDIT'
+)
+
+if [[ -z ${noHeader} ]]; then
+  exit 0
+fi
+
+echo "The following files are missing a license header:"
+readarray -t <<< "${noHeader}"
+for file in "${MAPFILE[@]}"; do
+  echo "  ${file}"
+done
+
+exit 1
--- a/bazel/toolchains/go_module_deps.bzl
+++ b/bazel/toolchains/go_module_deps.bzl
@ -2710,8 +2710,8 @@ def go_dependencies():
        build_file_generation = "on",
        build_file_proto_mode = "disable_global",
        importpath = "github.com/google/go-licenses",
-        sum = "h1:JtmsUf+m+KdwCOgLG578T0Mvd0+l+dezPrJh5KYnXZg=",
-        version = "v0.0.0-20210329231322-ce1d9163b77d",
+        sum = "h1:MM+VCXf0slYkpWO0mECvdYDVCxZXIQNal5wqUIXEZ/A=",
+        version = "v1.6.0",
    )
    go_repository(
        name = "com_github_google_go_querystring",
@ -2734,8 +2734,8 @@ def go_dependencies():
        build_file_generation = "on",
        build_file_proto_mode = "disable_global",
        importpath = "github.com/google/go-replayers/httpreplay",
-        sum = "h1:AX7FUb4BjrrzNvblr/OlgwrmFiep6soj5K2QSDW7BGk=",
-        version = "v0.1.0",
+        sum = "h1:H91sIMlt1NZzN7R+/ASswyouLJfW0WLW7fhyUFvDEkY=",
+        version = "v1.1.1",
    )
    go_repository(
        name = "com_github_google_go_sev_guest",
@ -2790,8 +2790,8 @@ def go_dependencies():
        build_file_generation = "on",
        build_file_proto_mode = "disable_global",
        importpath = "github.com/google/licenseclassifier",
-        sum = "h1:EfzlPF5MRmoWsCGvSkPZ1Nh9uVzHf4FfGnDQ6CXd2NA=",
-        version = "v0.0.0-20210325184830-bb04aff29e72",
+        sum = "h1:TJsAqW6zLRMDTyGmc9TPosfn9OyVlHs8Hrn3pY6ONSY=",
+        version = "v0.0.0-20210722185704-3043a050f148",
    )
    go_repository(
        name = "com_github_google_logger",
@ -4965,8 +4965,8 @@ def go_dependencies():
        build_file_generation = "on",
        build_file_proto_mode = "disable_global",
        importpath = "github.com/otiai10/copy",
-        sum = "h1:HvG945u96iNadPoG2/Ja2+AUJeW5YuFQMixq9yirC+k=",
-        version = "v1.2.0",
+        sum = "h1:IinKAryFFuPONZ7cm6T6E2QX/vcJwSnlaA5lfoaXIiQ=",
+        version = "v1.6.0",
    )
    go_repository(
        name = "com_github_otiai10_curr",
@ -4981,8 +4981,8 @@ def go_dependencies():
        build_file_generation = "on",
        build_file_proto_mode = "disable_global",
        importpath = "github.com/otiai10/mint",
-        sum = "h1:BCmzIS3n71sGfHB5NMNDB3lHYPz8fWSkCAErHed//qc=",
-        version = "v1.3.1",
+        sum = "h1:VYWnrP5fXmz1MXvjuUvcBrXSjGE6xjON+axB/UrpO3E=",
+        version = "v1.3.2",
    )

    go_repository(