A GitHub Action that verifies whether project files include an SPDX license header. If any files do not pass the ruleset for their file type, the test will fail with some guidance about how to fix it.
Include the action as part of a workflow that performs a checkout. You'll also need to provide input:
- licenses: The accepted SPDX License Identifiers.
Here's an example:
```yaml
name: spdx

on:
  pull_request

jobs:
  check-spdx-headers:
    runs-on: ubuntu-latest
    steps:
      - name: checkout
        uses: actions/checkout@v2
      - uses: enarx/spdx@master
        with:
          licenses: Apache-2.0 MIT
```
This script basically performs two actions:
- It identifies the source code language for each file.
- It validates the SPDX header using the semantics for the language.
If this script cannot identify the language for a file, it is skipped. Likewise, if the language of the file is known but it has no SPDX semantics defined, it is skipped.
We identify the language of a source file using two strategies.
- We map the extension to a known language.
- We evaluate a shebang line, if present.
Adding support for new languages should be trivial. See the examples for Ruby and C/C++.
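The two steps described above (identify the language by extension or shebang, then validate the header with that language's comment syntax), written out as an added Python example; this is not the action's own code. The language tables, comment prefixes, function names and sample files are assumptions, and the check accepts only a single identifier on the first line or on the line after a shebang.

```python
import os
import re

# Assumed tables for illustration; the action's real rule set may differ.
EXTENSIONS = {".rb": "ruby", ".py": "python", ".c": "c", ".h": "c", ".md": "markdown"}
INTERPRETERS = {"ruby": "ruby", "python": "python", "python3": "python"}
COMMENT_PREFIX = {"ruby": "#", "python": "#", "c": "//"}  # markdown: no rule defined
SHEBANG = re.compile(r"^#!\s*(\S+)(?:\s+(\S+))?")
SPDX = re.compile(r"^SPDX-License-Identifier:\s*(\S+)$")  # single identifier only

def identify(path, first_line):
    """Strategy 1: file extension. Strategy 2: shebang interpreter."""
    ext = os.path.splitext(path)[1].lower()
    if ext in EXTENSIONS:
        return EXTENSIONS[ext]
    m = SHEBANG.match(first_line)
    if not m:
        return None
    prog = os.path.basename(m.group(1))
    if prog == "env" and m.group(2):  # "#!/usr/bin/env python3"
        prog = m.group(2)
    return INTERPRETERS.get(prog)

def check(path, text, accepted):
    """Return 'skip', 'pass' or 'fail' for one file's contents."""
    lines = text.splitlines()
    first = lines[0] if lines else ""
    prefix = COMMENT_PREFIX.get(identify(path, first))
    if prefix is None:  # unknown language, or known but without a rule
        return "skip"
    idx = 1 if first.startswith("#!") else 0  # header may follow a shebang
    if idx >= len(lines) or not lines[idx].startswith(prefix):
        return "fail"
    m = SPDX.match(lines[idx][len(prefix):].strip())
    return "pass" if m and m.group(1) in accepted else "fail"

# Constructed sample files (path -> contents), not taken from any real repository.
SAMPLES = {
    "lib/a.rb": "# SPDX-License-Identifier: MIT\nputs 1\n",
    "bin/tool": "#!/usr/bin/env python3\n# SPDX-License-Identifier: Apache-2.0\n",
    "src/x.c": "// SPDX-License-Identifier: GPL-3.0-only\nint x;\n",
    "src/y.h": "int y;\n",
    "README.md": "# Title\n",
    "data.bin": "\x00\x01",
}

def run_samples(licenses="Apache-2.0 MIT"):
    accepted = set(licenses.split())  # same space-separated form as the workflow input
    return {p: check(p, t, accepted) for p, t in SAMPLES.items()}
```

Calling `run_samples()` returns a verdict per sample path; a file with a valid header but a license outside the accepted list fails just like a file with no header.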