Add CI job to verify all Rust files have license headers (#512)

* Add script and CI job to check license headers in Rust files

Co-authored-by: simongdavies <[email protected]>
Signed-off-by: Simon Davies <[email protected]>

* Add license headers to files that were missing them

Co-authored-by: simongdavies <[email protected]>
Signed-off-by: Simon Davies <[email protected]>

* Add just target for checking license headers

Co-authored-by: simongdavies <[email protected]>
Signed-off-by: Simon Davies <[email protected]>

* Fix Label Checker test and improve license header script

Co-authored-by: simongdavies <[email protected]>
Signed-off-by: Simon Davies <[email protected]>

* Add license headers to files in src/hyperlight_guest_capi/

Co-authored-by: simongdavies <[email protected]>
Signed-off-by: Simon Davies <[email protected]>

* Add license header to idtr.rs and fix imports

Co-authored-by: simongdavies <[email protected]>
Signed-off-by: Simon Davies <[email protected]>

* Update README with DCO sign-off information

Signed-off-by: Simon Davies <[email protected]>

* Add documentation for DCO compliance

Signed-off-by: copilot-swe-agent[bot] <[email protected]>
Signed-off-by: Simon Davies <[email protected]>

* Update documentation on GPG signing and DCO requirements

Signed-off-by: copilot-swe-agent[bot] <[email protected]>
Signed-off-by: Simon Davies <[email protected]>

* Fix markdown linting issues in CONTRIBUTING.md and add markdownlint config

Co-authored-by: marosset <[email protected]>
Signed-off-by: Simon Davies <[email protected]>

* Address review feedback: update copyright year to 2025, simplify docs, use just in CI, remove markdownlint config

- Remove .markdownlint.json file as it wasn't being used
- Update copyright year from 2024 to 2025 in license header check script and all files with license headers
- Simplify docs/commit-signing.md to remove duplication and reference GitHub's documentation
- Update CONTRIBUTING.md to reference GitHub docs instead of duplicating GPG setup instructions
- Update CI workflow to use `just check-license-headers` for consistency

Co-authored-by: jsturtevant <[email protected]>

* Remove commit signing docs and simplify references per review feedback

- Remove docs/commit-signing.md file as requested
- Update CONTRIBUTING.md to point to GitHub's documentation instead
- Restore the credit comment in CONTRIBUTING.md
- Remove commit signing section from README.md

Signed-off-by: Copilot AI <[email protected]>

Co-authored-by: jsturtevant <[email protected]>

* Revert GH PR workflow to use ./dev/check-license-headers.sh

Cannot use the just command since just is not available on this runner

Signed-off-by: Simon Davies <[email protected]>

* Update copyright year to 2025 in all remaining Rust files

Complete the copyright year update that was started in commit 3ea4801 but only partially finished. This updates all remaining Rust files from "Copyright 2024" to "Copyright 2025" for consistency across the codebase.

Signed-off-by: Copilot AI <[email protected]>

Co-authored-by: simongdavies <[email protected]>

* Fix PR review issues: restore original files and update workflow

Co-authored-by: jsturtevant <[email protected]>

* Update ValidatePullRequest.yml to use script directly instead of just command

Co-authored-by: jsturtevant <[email protected]>

* Revert copyright year changes for files with existing license headers

Files that already had license headers should not have their copyright
years modified. This commit reverts all copyright year changes from
2025 back to 2024 for files that already had license headers, while
preserving the license headers that were legitimately added to files
that were completely missing them.

Signed-off-by: Copilot AI <[email protected]>

Co-authored-by: jsturtevant <[email protected]>

---------

Signed-off-by: Simon Davies <[email protected]>
Signed-off-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: simongdavies <[email protected]>
Co-authored-by: marosset <[email protected]>
Co-authored-by: jsturtevant <[email protected]>
Co-authored-by: Simon Davies <[email protected]>
Co-authored-by: James Sturtevant <[email protected]>

Author: 4 people

.github/workflows/ValidatePullRequest.yml

@@ -67,6 +67,14 @@ jobs:
     - name: Spell Check Repo
       uses: crate-ci/[email protected]
 
+  license-headers:
+    name: check license headers
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Check License Headers
+      run: ./dev/check-license-headers.sh
+
   # Gate PR merges on this specific "join-job" which requires all other
   # jobs to run first. We need this job since we cannot gate on particular jobs
   # in the workflow, since they can sometimes be skipped (e.g. if the PR only touches docs).
@@ -77,6 +85,7 @@ jobs:
       - rust
       - fuzzing
       - spelling
+      - license-headers
     if: always()
     runs-on: ubuntu-latest
     steps:

CONTRIBUTING.md

@@ -4,7 +4,7 @@ This project welcomes contributions. Most contributions require you to signoff o
 the Developer Certificate of Origin (DCO). When you submit a pull request, a DCO-bot will automatically determine
 whether you need to provide signoff for your commit. Please follow the instructions provided by DCO-bot, as pull
 requests cannot be merged until the author(s) have provided signoff to fulfill the DCO requirement.
-You may find more information on the DCO requirements [below](#developer-certificate-of-origin-signing-your-work).
+You may find more information on the DCO requirements [below](#developer-certificate-of-origin-and-gpg-signing).
 
 ## Issues
 
@@ -31,20 +31,28 @@ All contributions come through pull requests. To submit a proposed change, we re
     - Code changes require tests
     - Make sure to run the linters to check and format the code
 4. Update relevant documentation for the change
-5. Commit with [DCO sign-off](#developer-certificate-of-origin-signing-your-work) and open a PR
+5. Commit with [DCO sign-off](#developer-certificate-of-origin-and-gpg-signing) and open a PR
 6. Wait for the CI process to finish and make sure all checks are green
 7. A maintainer of the project will be assigned, and you can expect a review within a few days
 
 #### Use work-in-progress PRs for early feedback
 
 A good way to communicate before investing too much time is to create a "Work-in-progress" PR and share it with your reviewers. The standard way of doing this is to add a "[WIP]" prefix in your PR's title and open the pull request as a draft.
 
-### Developer Certificate of Origin: Signing your work
+### Developer Certificate of Origin and GPG Signing
 
 #### Every commit needs to be signed
 
+This project requires two types of signatures on all commits:
+
+1. **Developer Certificate of Origin (DCO) Sign-off**: A text attestation that you have the right to submit the code
+2. **GPG Signature**: A cryptographic signature verifying your identity
+
+**For DCO Sign-offs:**
+
 The Developer Certificate of Origin (DCO) is a lightweight way for contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project. Here is the full text of the [DCO](https://developercertificate.org/), reformatted for readability:
-```
+
+```text
 By making a contribution to this project, I certify that:
 
     (a) The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or
@@ -70,18 +78,41 @@ Git even has a `-s` command line option to append this automatically to your com
 git commit -s -m 'This is my commit message'
 ```
 
-Each Pull Request is checked  whether or not commits in a Pull Request do contain a valid Signed-off-by line.
+**For GPG Signatures:**
+
+GPG signatures verify the identity of the committer. For detailed setup instructions, see GitHub's documentation on [signing commits](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits).
+
+Quick setup:
 
-#### I didn't sign my commit, now what?!
+```sh
+git config --global user.signingkey YOUR_KEY_ID
+git config --global commit.gpgsign true
+```
+
+**For both DCO sign-off and GPG signature in one command:**
+
+```sh
+git commit -S -s -m 'This is my signed and signed-off commit message'
+```
+
+For detailed instructions on setting up GPG signing, see [GitHub's documentation on signing commits](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits).
+
+Each Pull Request is checked to ensure all commits contain valid DCO sign-offs and GPG signatures.
+
+#### I didn't sign my commit, now what?
 
 No worries - You can easily replay your changes, sign them and force push them!
 
+**For adding both DCO sign-off and GPG signature:**
+
 ```sh
 git checkout <branch-name>
-git commit --amend --no-edit --signoff
+git commit --amend --no-edit -S -s
 git push --force-with-lease <remote-name> <branch-name>
 ```
 
+For more detailed instructions on setting up GPG signing, see [GitHub's documentation on signing commits](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits).
+
 *Credit: This doc was cribbed from Dapr.*
 
 ### Rust Analyzer

Justfile

@@ -131,6 +131,9 @@ fmt-check:
     cargo +nightly fmt --manifest-path src/tests/rust_guests/dummyguest/Cargo.toml -- --check
     cargo +nightly fmt --manifest-path src/hyperlight_guest_capi/Cargo.toml -- --check
 
+check-license-headers:
+    ./dev/check-license-headers.sh
+
 fmt-apply:
     cargo +nightly fmt --all
     cargo +nightly fmt --manifest-path src/tests/rust_guests/callbackguest/Cargo.toml

dev/check-license-headers.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+# This script checks for the presence of the required license header in Rust source files.
+
+# Get the repository root
+REPO_ROOT="$(git rev-parse --show-toplevel)"
+cd "$REPO_ROOT" || exit 1
+
+# Define the license header pattern to look for
+LICENSE_PATTERN="Copyright .* The Hyperlight Authors..*Licensed under the Apache License, Version 2.0"
+
+# Define the full license header for files that need it
+LICENSE_HEADER='/*
+Copyright 2025 The Hyperlight Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+'
+
+# Initialize a variable to track missing headers
+MISSING_HEADERS=0
+MISSING_FILES=""
+
+# Find all Rust files, excluding target directory
+while IFS= read -r file; do
+    # Skip auto-generated files
+    if grep -q "@generated" "$file" || grep -q "Automatically generated" "$file"; then
+        continue
+    fi
+
+    # Check if the file has the license header (allowing for multi-line matching)
+    if ! grep -q -z "$LICENSE_PATTERN" "$file"; then
+        echo "Missing or invalid license header in $file"
+        MISSING_FILES="$MISSING_FILES\n  $file"
+        MISSING_HEADERS=$((MISSING_HEADERS + 1))
+    fi
+done < <(find src -name "*.rs" -type f)
+
+if [ $MISSING_HEADERS -gt 0 ]; then
+    echo "Found $MISSING_HEADERS files with missing or invalid license headers:"
+    echo -e "$MISSING_FILES"
+    echo ""
+    echo "Please add the following license header to these files:"
+    echo "$LICENSE_HEADER"
+    echo "You can also run: just check-license-headers to verify your changes."
+    exit 1
+else
+    echo "All Rust files have the required license header"
+    exit 0
+fi

src/hyperlight_common/src/outb.rs

@@ -1,3 +1,19 @@
+/*
+Copyright 2025 The Hyperlight Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 use core::convert::TryFrom;
 
 use anyhow::{anyhow, Error};

src/hyperlight_guest_bin/src/exceptions/idtr.rs

@@ -1,3 +1,20 @@
+/*
+Copyright 2025 The Hyperlight Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+use core::mem::size_of;
 use core::ptr::addr_of;
 
 use crate::exceptions::idt::{init_idt, IdtEntry, IDT};

src/hyperlight_guest_capi/build.rs

@@ -1,3 +1,19 @@
+/*
+Copyright 2025 The Hyperlight Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 use std::env;
 
 fn main() {

src/hyperlight_guest_capi/src/dispatch.rs

@@ -1,3 +1,19 @@
+/*
+Copyright 2025 The Hyperlight Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 use alloc::boxed::Box;
 use alloc::slice;
 use alloc::vec::Vec;

src/hyperlight_guest_capi/src/error.rs

@@ -1,3 +1,19 @@
+/*
+Copyright 2025 The Hyperlight Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 use core::ffi::c_char;
 
 use hyperlight_common::flatbuffer_wrappers::guest_error::ErrorCode;

src/hyperlight_guest_capi/src/flatbuffer.rs

@@ -1,3 +1,19 @@
+/*
+Copyright 2025 The Hyperlight Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 use alloc::boxed::Box;
 use core::ffi::{c_char, CStr};