CI: add Apache RAT audit workflow for license checks

tuhaihe · web-flow · commit a3e05cfdbee3 · 2025-07-29T18:44:53.000+08:00
This commit introduces a new GitHub workflow that:
- Runs Apache Rat to verify license compliance on all files
- Executes automatically on PR submissions and merges to main branch
- Uploads check results as artifacts for debugging purposes
- Provides a clear job summary with appropriate status indicators

This workflow can help us ensure all files comply with ASF requirements,
catching potential licensing issues before they're merged into the
codebase.
diff --git a/.asf.yaml b/.asf.yaml
@@ -85,6 +85,7 @@ github:
         # Actions workflows. They do not include the workflow name as a
         # prefix
         contexts:
+          - rat-check
           - check-skip
           - Build Apache Cloudberry RPM
           - RPM Install Test Apache Cloudberry
diff --git a/.github/workflows/apache-rat-audit.yml b/.github/workflows/apache-rat-audit.yml
@@ -0,0 +1,149 @@
+# --------------------------------------------------------------------
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed
+# with this work for additional information regarding copyright
+# ownership. The ASF licenses this file to You under the Apache
+# License, Version 2.0 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of the
+# License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# permissions and limitations under the License.
+#
+# --------------------------------------------------------------------
+# Apache Rat Audit Workflow
+# Checks if all files comply with Apache licensing requirements
+# This workflow is based on the Apache Rat tool, you can run it locally
+# using the command: `mvn clean verify -Drat.consoleOutput=true`
+# --------------------------------------------------------------------
+
+name: Apache Rat Audit
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+    types: [opened, synchronize, reopened, edited]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  rat-check:
+    name: Apache Rat License Check
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Set up Java and Maven
+        uses: actions/setup-java@v3
+        with:
+          distribution: 'temurin'
+          java-version: '11'
+          cache: maven
+
+      - name: Run Apache Rat check
+        id: rat-check
+        run: |
+          echo "Running Apache Rat license check..."
+          mvn clean verify -Drat.consoleOutput=true | tee rat-output.log
+          
+          # Check for build failure
+          if grep -q "\[INFO\] BUILD FAILURE" rat-output.log; then
+            echo "rat_failed=true" >> $GITHUB_OUTPUT
+            echo "::error::Apache Rat check failed - build failure detected"
+            exit 1
+          fi
+          
+          # If we got here, the check passed
+          echo "rat_failed=false" >> $GITHUB_OUTPUT
+          echo "Apache Rat check passed successfully"
+
+      - name: Upload Rat check results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: rat-check-results
+          path: rat-output.log
+          retention-days: 7
+
+      - name: Generate Job Summary
+        if: always()
+        run: |
+          {
+            echo "## Apache Rat Audit Results"
+            echo "- Run Time: $(date -u +'%Y-%m-%d %H:%M:%S UTC')"
+            echo ""
+
+            if [[ -f rat-output.log ]]; then
+              # First extract and display summary statistics (only once)
+              if grep -q "Rat check: Summary over all files" rat-output.log; then
+                echo "#### 📊 License Summary"
+                summary_line=$(grep "Rat check: Summary over all files" rat-output.log)
+                echo "\`\`\`"
+                echo "$summary_line"
+                echo "\`\`\`"
+                echo ""
+              fi
+
+              # Then determine the result status
+              if grep -q "\[INFO\] BUILD FAILURE" rat-output.log; then
+                echo "### ❌ Check Failed - License Compliance Issues Detected"
+                echo ""
+
+                # Extract and display files with unapproved licenses
+                if grep -q "Files with unapproved licenses:" rat-output.log; then
+                  echo "#### 🚫 Files with Unapproved Licenses"
+                  echo "\`\`\`"
+                  # Get the line with "Files with unapproved licenses:" and all following lines until the dashed line
+                  sed -n '/Files with unapproved licenses:/,/\[INFO\] ------------------------------------------------------------------------/p' rat-output.log | \
+                    grep -v "\[INFO\] ------------------------------------------------------------------------" | \
+                    grep -v "^$" | \
+                    head -20
+                  echo "\`\`\`"
+                  echo ""
+                fi
+
+                echo "💡 **How to fix:**"
+                echo ""
+                echo "**For new original files you created:**"
+                echo "- Add the standard Apache License header to each file"
+                echo ""
+                echo "**For third-party files with different licenses:**"
+                echo "- Add the file to exclusion list in \`pom.xml\` under the rat-maven-plugin configuration"
+                echo "- Ensure the license is compatible with Apache License 2.0"
+                echo "- Avoid introducing components with incompatible licenses"
+                echo ""
+                echo "**Need help?**"
+                echo "- Run \`mvn clean verify -Drat.consoleOutput=true\` locally for the full report"
+                echo "- Email dev@cloudberry.apache.org if you have questions about license compatibility"
+
+              elif grep -q "\[INFO\] BUILD SUCCESS" rat-output.log; then
+                echo "### ✅ Check Passed - All Files Comply with Apache License Requirements"
+
+              else
+                echo "### ⚠️ Indeterminate Result"
+                echo "Check the uploaded log file for details."
+              fi
+            else
+              echo "### ⚠️ No Output Log Found"
+              echo "The rat-output.log file was not generated."
+            fi
+          } >> "$GITHUB_STEP_SUMMARY"
diff --git a/README.md b/README.md
@@ -46,6 +46,7 @@
   <img alt="SonarQube Cloud" src="https://sonarcloud.io/images/project_badges/sonarcloud-highlight.svg" width="100px">
 </a>
 [![Ask DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/apache/cloudberry)
+[![Apache Rat Audit](https://github.com/apache/cloudberry/actions/workflows/apache-rat-audit.yml/badge.svg)](https://github.com/apache/cloudberry/actions/workflows/apache-rat-audit.yml)
 ---------
 
 ## Introduction
