bazel: add license checks to //:check target (#1509)

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2025-09-26 03:21:06 -04:00 · 2023-03-27 04:42:30 -04:00 · 2023-03-27 04:42:30 -04:00 · 00c7611245
commit 00c7611245
parent da4e2521a9
9 changed files with 945 additions and 56 deletions
--- a/bazel/ci/BUILD.bazel
+++ b/bazel/ci/BUILD.bazel
@ -257,6 +257,26 @@ sh_template(
    template = "buf.sh.in",
 )

+sh_template(
+    name = "golicenses_check",
+    data = [
+        "@com_github_google_go_licenses//:go-licenses",
+        "@go_sdk//:bin/go",
+    ],
+    substitutions = {
+        "@@GO@@": "$(rootpath @go_sdk//:bin/go)",
+        "@@GO_LICENSES@@": "$(rootpath @com_github_google_go_licenses//:go-licenses)",
+    },
+    template = "golicenses.sh.in",
+)
+
+sh_template(
+    name = "license_header_check",
+    data = [],
+    substitutions = {},
+    template = "licenseheader.sh.in",
+)
+
 multirun(
    name = "tidy",
    commands = [
@ -281,6 +301,8 @@ multirun(
        ":buildifier_check",
        ":golangci_lint",
        ":terraform_check",
+        ":golicenses_check",
+        ":license_header_check",
    ] + select({
        "@io_bazel_rules_go//go/platform:darwin_arm64": [
            ":shellcheck_noop_warning",
--- a/bazel/ci/golicenses.sh.in
+++ b/bazel/ci/golicenses.sh.in
@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+
+# Compare licenses of Go dependencies against a whitelist.
+
+lib=$(realpath @@BASE_LIB@@) || exit 1
+go=$(realpath @@GO@@) || exit 1
+golicenses=$(realpath @@GO_LICENSES@@) || exit 1
+
+# shellcheck source=../sh/lib.bash
+if ! source "${lib}"; then
+  echo "Error: could not find import"
+  exit 1
+fi
+
+cd "${BUILD_WORKSPACE_DIRECTORY}" || exit 1
+
+not_allowed() {
+  echo "license not allowed for package: ${line}"
+  err=1
+}
+
+${go} mod download
+
+err=0
+
+GOROOT=$(${go} env GOROOT) ${golicenses} csv ./... | {
+  while read -r line; do
+
+    pkg=${line%%,*}
+    lic=${line##*,}
+
+    case ${lic} in
+    Apache-2.0 | BSD-2-Clause | BSD-3-Clause | ISC | MIT) ;;
+
+    MPL-2.0)
+      case ${pkg} in
+      github.com/siderolabs/talos/pkg/machinery/config/encoder) ;;
+
+      github.com/letsencrypt/boulder) ;;
+
+      github.com/hashicorp/*) ;;
+
+      *)
+        not_allowed
+        ;;
+      esac
+      ;;
+
+    AGPL-3.0)
+      case ${pkg} in
+      github.com/edgelesssys/constellation/v2) ;;
+
+      github.com/edgelesssys/constellation/v2/operators/constellation-node-operator/v2/api/v1alpha1) ;;
+
+      *)
+        not_allowed
+        ;;
+      esac
+      ;;
+
+    Unknown)
+      case ${pkg} in
+
+      *)
+        not_allowed
+        ;;
+      esac
+      ;;
+
+    *)
+      echo "unknown license: ${line}"
+      err=1
+      ;;
+    esac
+
+  done
+  exit "${err}"
+}
--- a/bazel/ci/licenseheader.sh.in
+++ b/bazel/ci/licenseheader.sh.in
@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+# Compare licenses of Go dependencies against a whitelist.
+
+lib=$(realpath @@BASE_LIB@@) || exit 1
+
+# shellcheck source=../sh/lib.bash
+if ! source "${lib}"; then
+  echo "Error: could not find import"
+  exit 1
+fi
+
+cd "${BUILD_WORKSPACE_DIRECTORY}" || exit 1
+
+echo "Checking files for missing company license header..."
+
+noHeader=$(
+  grep \
+    -rL \
+    --include='*.go' \
+    --exclude-dir 3rdparty \
+    -e'SPDX-License-Identifier: AGPL-3.0-only' \
+    -e'DO NOT EDIT'
+)
+
+if [[ -z ${noHeader} ]]; then
+  exit 0
+fi
+
+echo "The following files are missing a license header:"
+readarray -t <<< "${noHeader}"
+for file in "${MAPFILE[@]}"; do
+  echo "  ${file}"
+done
+
+exit 1