feat: license check ci and commands

Signed-off-by: Alano Terblanche <18033717+Benehiko@users.noreply.github.com>

Author: Benehiko

.github/workflows/lint.yml

@@ -4,16 +4,25 @@ on:
     branches:
       - main
   pull_request:
+permissions:
+  contents: read # to fetch code (actions/checkout)
 jobs:
-  lint:
-    name: Lint
+  validate:
+    name: Validate license and lint
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        target:
+          - validate-headers
+          - lint
     permissions:
       id-token: write
       pull-requests: write
       contents: write
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@v4
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
@@ -31,4 +40,4 @@ jobs:
           endpoint: "docker/secrets-engine"
           install: true
       - name: Lint
-        run: make BUILDER=${{ steps.buildx.outputs.name }} lint
+        run: make BUILDER=${{ steps.buildx.outputs.name }} ${{ matrix.target }}

Dockerfile

@@ -1,8 +1,13 @@
 #syntax=docker/dockerfile:1
 
+ARG ALPINE_VERSION=3.23.3
 ARG GO_VERSION=latest
 ARG GOLANGCI_LINT_VERSION=v2.2.1
 ARG OSXCROSS_VERSION=15.5
+ARG ADDLICENSE_VERSION=v1.2.0
+ARG LICENSE_ARGS="-c 'Docker, Inc.' -l apache -ignore '**/*.yaml' -ignore '**/*.yml' -ignore '.github/**' -ignore 'store/keychain/internal/go-keychain/**' -ignore 'vendor/**' -ignore '.git/**' ."
+
+FROM ghcr.io/google/addlicense:${ADDLICENSE_VERSION} AS addlicense
 
 FROM --platform=${BUILDPLATFORM} golangci/golangci-lint:${GOLANGCI_LINT_VERSION}-alpine AS lint-base
 
@@ -13,6 +18,32 @@ FROM --platform=${BUILDPLATFORM} crazymax/osxcross:${OSXCROSS_VERSION}-alpine AS
 FROM --platform=${BUILDPLATFORM} golang:${GO_VERSION}-alpine AS gobase
 RUN apk add --no-cache findutils build-base git
 
+FROM alpine:${ALPINE_VERSION} AS license-validate
+ARG LICENSE_ARGS
+COPY --link --from=addlicense /app/addlicense /usr/bin/addlicense
+WORKDIR /src
+RUN --mount=type=bind,target=.,ro <<EOT
+    set -eu
+    echo "== Checking license headers =="
+    eval "/usr/bin/addlicense -check $LICENSE_ARGS"
+EOT
+
+FROM alpine:${ALPINE_VERSION} AS do-license-update
+ARG LICENSE_ARGS
+COPY --from=addlicense /app/addlicense /usr/bin/addlicense
+RUN mkdir -p /generate/out
+WORKDIR /src
+RUN apk add --no-cache git
+RUN --mount=type=bind,target=.,rw <<EOT
+    set -eu
+    echo "== Checking license headers =="
+    eval "/usr/bin/addlicense -v $LICENSE_ARGS"
+    ./scripts/copy-only-diff /generate/out
+EOT
+
+FROM scratch AS license-update
+COPY --from=do-license-update /generate/out .
+
 FROM gobase AS linux-base
 ARG TARGETARCH
 ENV GOOS=linux

Makefile

@@ -132,4 +132,12 @@ help: ## Show this help
 	@echo Please specify a build target. The choices are:
 	@grep -E '^[0-9a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "$(INFO_COLOR)%-30s$(NO_COLOR) %s\n", $$1, $$2}'
 
-.PHONY: run bin format lint proto-lint proto-generate clean help keychain-linux-unit-tests keychain-unit-tests
+.PHONY: validate-headers
+validate-headers: ## Check license header for all files
+	@docker buildx build --progress=plain --platform=linux/amd64 --target=license-validate .
+
+.PHONY: update-license-headers
+update-license-headers: ## Update license headers for all files
+	@docker buildx build -o . --progress=plain --platform=linux/amd64 --target=license-update .
+
+.PHONY: run bin format lint proto-lint proto-generate clean help keychain-linux-unit-tests keychain-unit-tests validate-headers