Skip to content

Check copyright header with opengrep #78

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
AlexanderLanin merged 5 commits into from
Feb 6, 2026
Merged

Check copyright header with opengrep #78

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
87d33a6
negative return codes are not allowed in scripts
lurtz Feb 5, 2026
190c115
Download opengrep and check copyright
lurtz Feb 4, 2026
609aa49
fix copyright header findings in shell scripts
lurtz Feb 4, 2026
ceb6820
Copyright checks for yaml files
lurtz Feb 5, 2026
4b7c692
do not pass filenames to opengrep
lurtz Feb 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions .devcontainer/post_create_command.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,23 @@
#!/usr/bin/env bash

# *******************************************************************************
# Copyright (c) 2026 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# SPDX-License-Identifier: Apache-2.0
# *******************************************************************************

npm install -g @devcontainers/cli
pre-commit install

scripts/create_builder.sh

sudo apt-get update && sudo apt-get install -y shellcheck

scripts/install_opengrep.sh
16 changes: 15 additions & 1 deletion .github/workflows/ci.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,18 @@
---

# *******************************************************************************
# Copyright (c) 2026 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# SPDX-License-Identifier: Apache-2.0
# *******************************************************************************

name: Validate DevContainer
description: This workflow is checking that updates do not break stuff. If on main branch, publish to "latest" tag.
on:
Expand Down Expand Up @@ -53,7 +67,7 @@ jobs:
set -eux pipefail

# Check
pre-commit run --show-diff-on-failure --color=always --all-files || exit -1
pre-commit run --show-diff-on-failure --color=always --all-files || exit 1

# Create builder for multi-arch builds
./scripts/create_builder.sh
Expand Down
16 changes: 15 additions & 1 deletion .github/workflows/release.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,18 @@
---

# *******************************************************************************
# Copyright (c) 2026 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# SPDX-License-Identifier: Apache-2.0
# *******************************************************************************

name: Validate & Publish DevContainer
description: This workflow is checking that for releases, updates do not break stuff and publishes the released container.
on:
Expand Down Expand Up @@ -47,7 +61,7 @@ jobs:
set -eux pipefail

# Check
pre-commit run --show-diff-on-failure --color=always --all-files || exit -1
pre-commit run --show-diff-on-failure --color=always --all-files || exit 1

# Create builder for multi-arch builds
./scripts/create_builder.sh
Expand Down
1 change: 1 addition & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,2 +1,3 @@
# Exported image files shall never be committed.
/export.img
build/
8 changes: 8 additions & 0 deletions .pre-commit-config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,3 +20,11 @@ repos:
rev: 38980559e3a605691d6579f96222c30778e5a69e # 3.0.0
hooks:
- id: shellcheck

- repo: local
hooks:
- id: opengrep
name: Check Mandatory OpenGrep Rules
entry: ./opengrep/run_opengrep.sh
language: system
pass_filenames: false
33 changes: 33 additions & 0 deletions opengrep/mandatory/copyright.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
---

# *******************************************************************************
# Copyright (c) 2026 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# SPDX-License-Identifier: Apache-2.0
# *******************************************************************************

rules:
- id: copyright_shell_yaml
patterns:
- pattern-regex: |
(?s)(.*)
- pattern-not-regex: (?m)^# \*{79}\n# Copyright \(c\) [0-9]{4} Contributors to the Eclipse Foundation\n#\n# See the NOTICE file\(s\) distributed with
this work for additional\n# information regarding copyright ownership.\n#\n# This program and the accompanying materials are made available under
the\n# terms of the Apache License Version 2.0 which is available at\n# https://www.apache.org/licenses/LICENSE-2.0\n#\n# SPDX-License-Identifier.
Apache-2.0\n# \*{79}$
message: All files must contain the mandatory copyright header.
languages:
- generic
severity: ERROR
paths:
include:
- '*.sh'
- '*.yaml'
- '*.yml'
41 changes: 41 additions & 0 deletions opengrep/run_opengrep.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
#!/usr/bin/env bash

# *******************************************************************************
# Copyright (c) 2026 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# SPDX-License-Identifier: Apache-2.0
# *******************************************************************************

set -exuo pipefail

# This script runs opengrep in such a way that it only works on the changeset that is to be checked
# when running opengrep in the scope of a precommit hook.
# The CI system runs the same script, but in that context no changeset exists, so all files are to
# be checked. This also solves the problem that it is technically possible to work around the
# precommit checks.

changeset="$(git diff --staged --diff-filter=ACM --name-only)"
length="${#changeset}"
if [[ ${length} -gt 2048 ]]; then
# The changeset is too long, it would result in errors from opengrep/underlying OS about filenames
# being too long. Workaround: ignore the changeset and run opengrep on all files.
changeset=""
fi
if [[ -z "${changeset}" ]]; then
# Limit concurrency to 2 threads to reduce memory consumption
OPENGREP_MAX_CONCURRENCY="--jobs=1"
Comment on lines +32 to +33
Copy link
Member

@AlexanderLanin AlexanderLanin Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minor: 2 or 1?

Copy link
Contributor Author

@lurtz lurtz Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could be an artifact from yesterdays build instabilities I was fighting. Since we want to try https://git.fsfe.org/reuse/reuse-tool I would leave it as is for the time being.

# No changeset, run opengrep on all files
changeset="."
opengrep scan "${OPENGREP_MAX_CONCURRENCY}" --error --disable-version-check --skip-unknown-extensions --emacs --sarif-output=build/opengrep.sarif -f ./opengrep/mandatory/ "${changeset}"
else
# When changing ${changeset} to "${changeset}" it will break the script, ${changeset} actually contains *multiple* filenames
# shellcheck disable=SC2086
opengrep scan --error --disable-version-check --skip-unknown-extensions --emacs -f ./opengrep/mandatory/ ${changeset}
fi
14 changes: 14 additions & 0 deletions scripts/build.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,18 @@
#!/usr/bin/env bash

# *******************************************************************************
# Copyright (c) 2026 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# SPDX-License-Identifier: Apache-2.0
# *******************************************************************************

set -euxo pipefail

if [[ "$#" -lt 1 || "${1}" != "--arm64" && "${1}" != "--amd64" ]]; then
Expand Down
14 changes: 14 additions & 0 deletions scripts/create_builder.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,18 @@
#!/usr/bin/env bash

# *******************************************************************************
# Copyright (c) 2026 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# SPDX-License-Identifier: Apache-2.0
# *******************************************************************************

set -euxo pipefail

# Function to check if builder has correct proxy configuration
Expand Down
39 changes: 39 additions & 0 deletions scripts/install_opengrep.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
#!/usr/bin/env bash

set -euo pipefail

# *******************************************************************************
# Copyright (c) 2026 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# SPDX-License-Identifier: Apache-2.0
# *******************************************************************************

echo "installing opengrep..."

OPENGREP_NAME="/tmp/opengrep"

VERSION="1.15.1"

ARCHITECTURE="$(uname -m)"
if [ "${ARCHITECTURE}" = "x86_64" ]; then
ARCH="x86"
SHA256SUM="c4f6aab1edc8130c7a46e8f5e5215763420740fb94198fc9301215135a372900"
else
ARCH="aarch64"
SHA256SUM="08932db32f4cbfd6e3af6bda82adac41754275d18a91c0fe065181e6a5291be7"
fi

curl -L "https://github.com/opengrep/opengrep/releases/download/v${VERSION}/opengrep_manylinux_${ARCH}" -o /tmp/opengrep
echo "${SHA256SUM} /tmp/opengrep" | sha256sum -c - || exit 1
chmod +x "${OPENGREP_NAME}"
sudo mv /tmp/opengrep /usr/local/bin/opengrep

# Verify installation
opengrep --version
14 changes: 14 additions & 0 deletions scripts/merge.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,18 @@
#!/usr/bin/env bash

# *******************************************************************************
# Copyright (c) 2026 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# SPDX-License-Identifier: Apache-2.0
# *******************************************************************************

set -euxo pipefail

if [ "$#" -eq 0 ]; then
Expand Down
14 changes: 14 additions & 0 deletions scripts/publish.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,18 @@
#!/usr/bin/env bash

# *******************************************************************************
# Copyright (c) 2026 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# SPDX-License-Identifier: Apache-2.0
# *******************************************************************************

set -euxo pipefail

if [[ "$#" -lt 1 || "${1}" != "--arm64" && "${1}" != "--amd64" ]]; then
Expand Down
14 changes: 14 additions & 0 deletions scripts/test.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,18 @@
#!/usr/bin/env bash

# *******************************************************************************
# Copyright (c) 2026 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# SPDX-License-Identifier: Apache-2.0
# *******************************************************************************

set -euxo pipefail

IMAGE="s-core-devcontainer"
Expand Down
14 changes: 14 additions & 0 deletions src/s-core-devcontainer/.devcontainer/bazel-feature/install.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,18 @@
#!/usr/bin/env bash

# *******************************************************************************
# Copyright (c) 2026 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# SPDX-License-Identifier: Apache-2.0
# *******************************************************************************

set -euo pipefail

# Copy feature sources and tests to expected location
Expand Down
14 changes: 14 additions & 0 deletions src/s-core-devcontainer/.devcontainer/bazel-feature/install_matching_bazel_version.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,18 @@
#!/usr/bin/env bash

# *******************************************************************************
# Copyright (c) 2026 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# SPDX-License-Identifier: Apache-2.0
# *******************************************************************************

set -eo pipefail

. /devcontainer/features/bazel/bazel_setup.sh || true
Expand Down
14 changes: 14 additions & 0 deletions src/s-core-devcontainer/.devcontainer/bazel-feature/on_create_command.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,18 @@
#!/usr/bin/env bash

# *******************************************************************************
# Copyright (c) 2026 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# SPDX-License-Identifier: Apache-2.0
# *******************************************************************************

set -euo pipefail

# Enable persistent Bazel cache
Expand Down
14 changes: 14 additions & 0 deletions src/s-core-devcontainer/.devcontainer/bazel-feature/tests/test_default.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,18 @@
#!/usr/bin/env bash

# *******************************************************************************
# Copyright (c) 2026 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# SPDX-License-Identifier: Apache-2.0
# *******************************************************************************

set -euo pipefail

# Read tool versions + metadata into environment variables
Expand Down
Loading