chore: check copyright header with opengrep (#78)

Author: lurtz

.devcontainer/post_create_command.sh

@@ -1,7 +1,23 @@
 #!/usr/bin/env bash
+
+# *******************************************************************************
+# Copyright (c) 2026 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+# *******************************************************************************
+
 npm install -g @devcontainers/cli
 pre-commit install
 
 scripts/create_builder.sh
 
 sudo apt-get update && sudo apt-get install -y shellcheck
+
+scripts/install_opengrep.sh

.github/workflows/ci.yaml

@@ -1,4 +1,18 @@
 ---
+
+# *******************************************************************************
+# Copyright (c) 2026 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+# *******************************************************************************
+
 name: Validate DevContainer
 description: This workflow is checking that updates do not break stuff. If on main branch, publish to "latest" tag.
 on:
@@ -53,7 +67,7 @@ jobs:
             set -eux pipefail
 
             # Check
-            pre-commit run --show-diff-on-failure --color=always --all-files || exit -1
+            pre-commit run --show-diff-on-failure --color=always --all-files || exit 1
 
             # Create builder for multi-arch builds
             ./scripts/create_builder.sh

.github/workflows/release.yaml

@@ -1,4 +1,18 @@
 ---
+
+# *******************************************************************************
+# Copyright (c) 2026 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+# *******************************************************************************
+
 name: Validate & Publish DevContainer
 description: This workflow is checking that for releases, updates do not break stuff and publishes the released container.
 on:
@@ -47,7 +61,7 @@ jobs:
             set -eux pipefail
 
             # Check
-            pre-commit run --show-diff-on-failure --color=always --all-files || exit -1
+            pre-commit run --show-diff-on-failure --color=always --all-files || exit 1
 
             # Create builder for multi-arch builds
             ./scripts/create_builder.sh

.gitignore

@@ -1,2 +1,3 @@
 # Exported image files shall never be committed.
 /export.img
+build/

.pre-commit-config.yaml

@@ -20,3 +20,11 @@ repos:
     rev: 38980559e3a605691d6579f96222c30778e5a69e # 3.0.0
     hooks:
       - id: shellcheck
+
+  - repo: local
+    hooks:
+      - id: opengrep
+        name: Check Mandatory OpenGrep Rules
+        entry: ./opengrep/run_opengrep.sh
+        language: system
+        pass_filenames: false

opengrep/mandatory/copyright.yaml

@@ -0,0 +1,33 @@
+---
+
+# *******************************************************************************
+# Copyright (c) 2026 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+# *******************************************************************************
+
+rules:
+  - id: copyright_shell_yaml
+    patterns:
+      - pattern-regex: |
+          (?s)(.*)
+      - pattern-not-regex: (?m)^# \*{79}\n# Copyright \(c\) [0-9]{4} Contributors to the Eclipse Foundation\n#\n# See the NOTICE file\(s\) distributed with
+          this work for additional\n# information regarding copyright ownership.\n#\n# This program and the accompanying materials are made available under
+          the\n# terms of the Apache License Version 2.0 which is available at\n# https://www.apache.org/licenses/LICENSE-2.0\n#\n# SPDX-License-Identifier.
+          Apache-2.0\n# \*{79}$
+    message: All files must contain the mandatory copyright header.
+    languages:
+      - generic
+    severity: ERROR
+    paths:
+      include:
+        - '*.sh'
+        - '*.yaml'
+        - '*.yml'

opengrep/run_opengrep.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+# *******************************************************************************
+# Copyright (c) 2026 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+# *******************************************************************************
+
+set -exuo pipefail
+
+# This script runs opengrep in such a way that it only works on the changeset that is to be checked
+# when running opengrep in the scope of a precommit hook.
+# The CI system runs the same script, but in that context no changeset exists, so all files are to
+# be checked. This also solves the problem that it is technically possible to work around the
+# precommit checks.
+
+changeset="$(git diff --staged --diff-filter=ACM --name-only)"
+length="${#changeset}"
+if [[ ${length} -gt 2048 ]]; then
+  # The changeset is too long, it would result in errors from opengrep/underlying OS about filenames
+  # being too long. Workaround: ignore the changeset and run opengrep on all files.
+  changeset=""
+fi
+if [[ -z "${changeset}" ]]; then
+  # Limit concurrency to 2 threads to reduce memory consumption
+  OPENGREP_MAX_CONCURRENCY="--jobs=1"
+  # No changeset, run opengrep on all files
+  changeset="."
+  opengrep scan "${OPENGREP_MAX_CONCURRENCY}" --error --disable-version-check --skip-unknown-extensions --emacs --sarif-output=build/opengrep.sarif -f ./opengrep/mandatory/ "${changeset}"
+else
+  # When changing ${changeset} to "${changeset}" it will break the script, ${changeset} actually contains *multiple* filenames
+  # shellcheck disable=SC2086
+  opengrep scan --error --disable-version-check --skip-unknown-extensions --emacs -f ./opengrep/mandatory/ ${changeset}
+fi

scripts/build.sh

@@ -1,4 +1,18 @@
 #!/usr/bin/env bash
+
+# *******************************************************************************
+# Copyright (c) 2026 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+# *******************************************************************************
+
 set -euxo pipefail
 
 if [[ "$#" -lt 1 || "${1}" != "--arm64" && "${1}" != "--amd64" ]]; then

scripts/create_builder.sh

@@ -1,4 +1,18 @@
 #!/usr/bin/env bash
+
+# *******************************************************************************
+# Copyright (c) 2026 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+# *******************************************************************************
+
 set -euxo pipefail
 
 # Function to check if builder has correct proxy configuration

scripts/install_opengrep.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# *******************************************************************************
+# Copyright (c) 2026 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+# *******************************************************************************
+
+echo "installing opengrep..."
+
+OPENGREP_NAME="/tmp/opengrep"
+
+VERSION="1.15.1"
+
+ARCHITECTURE="$(uname -m)"
+if [ "${ARCHITECTURE}" = "x86_64" ]; then
+  ARCH="x86"
+  SHA256SUM="c4f6aab1edc8130c7a46e8f5e5215763420740fb94198fc9301215135a372900"
+else
+  ARCH="aarch64"
+  SHA256SUM="08932db32f4cbfd6e3af6bda82adac41754275d18a91c0fe065181e6a5291be7"
+fi
+
+curl -L "https://github.com/opengrep/opengrep/releases/download/v${VERSION}/opengrep_manylinux_${ARCH}" -o /tmp/opengrep
+echo "${SHA256SUM} /tmp/opengrep" | sha256sum -c - || exit 1
+chmod +x "${OPENGREP_NAME}"
+sudo mv /tmp/opengrep /usr/local/bin/opengrep
+
+# Verify installation
+opengrep --version