Migrate to addlicense

Author: danischm

.github/workflows/ci.yml

@@ -150,7 +150,50 @@ jobs:
         go-version: '1.25.x'
 
     - name: Install govulncheck
-      run: go install golang.org/x/vuln/cmd/govulncheck@latest
+      run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.3
 
     - name: Run govulncheck
       run: govulncheck ./...
+
+  # License header check job
+  # Security: pull_request_target grants write access and secrets to fork PRs
+  # Malicious PR could exfiltrate secrets via modified Makefile targets
+  # Gated by security_check requiring 'safe-to-test' label from maintainer
+  # See security_check job for fork PR protection details
+  license:
+    name: License Check
+    runs-on: ubuntu-latest
+    needs: [security_check]
+    if: |
+      always() &&
+      (github.event_name == 'push' ||
+       (github.event_name == 'pull_request_target' && needs.security_check.outputs.is_safe == 'true'))
+    permissions:
+      contents: read
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        ref: ${{ github.event.pull_request.head.sha || github.sha }}
+
+    - name: Set up Go
+      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v5.2.0
+      with:
+        go-version: '1.25.x'
+
+    - name: Cache Go modules
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+      with:
+        path: |
+          ~/.cache/go-build
+          ~/go/pkg/mod
+        key: ${{ runner.os }}-go-1.25.x-addlicense-v1.1.1-${{ hashFiles('**/go.sum') }}
+        restore-keys: |
+          ${{ runner.os }}-go-1.25.x-addlicense-
+
+    - name: Install addlicense
+      run: go install github.com/google/[email protected]
+
+    - name: Check license headers
+      run: make check-license

CONTRIBUTING.md

@@ -31,7 +31,7 @@ Feature suggestions are welcome! Please:
 1. Fork the repository and create a branch from `main`
 2. Make your changes following the coding guidelines below
 3. Add tests for any new functionality
-4. Add SPDX headers to all new Go files (see Headers section)
+4. Add SPDX headers to new Go files - see Headers section (contributors: add manually with YOUR copyright, do NOT run `make license`)
 5. Ensure all checks pass: `make test`, `make lint`, `make security`
 6. Update documentation as needed
 7. Write clear commit messages following conventional commits
@@ -73,7 +73,40 @@ All Go source files must include SPDX license identifier and copyright notice:
 package netconf
 ```
 
-Use provided scripts: `bash scripts/add-headers.sh` or `bash scripts/check-headers.sh`
+#### Adding Headers
+
+The project uses [Google's addlicense](https://github.com/google/addlicense) tool for license header management.
+
+**Install addlicense:**
+```bash
+go install github.com/google/[email protected]
+# Or use: make tools
+```
+
+**Version Note**: Use the exact version shown above (`@v1.1.1`) to match the CI environment. Using `@latest` may cause version mismatches between local development and CI checks.
+
+**Add headers to new files:**
+```bash
+make license
+```
+
+**Verify headers:**
+```bash
+make check-license
+```
+
+**Important Notes:**
+- **For Maintainers**: Use `make license` to add headers with project default copyright holder
+- **For Contributors**: Do NOT use `make license` - it will overwrite your copyright holder
+- **For Contributors**: Manually add headers to new files with YOUR organization's copyright:
+  ```go
+  // SPDX-License-Identifier: MPL-2.0
+  // Copyright (c) 2025 Your Organization Name
+
+  package netconf
+  ```
+- Then run `make check-license` to verify format compliance (accepts any copyright holder)
+- Both SPDX-first and Copyright-first formats are accepted by the check command
 
 ### Testing
 

Makefile

@@ -1,18 +1,20 @@
-.PHONY: help test lint security coverage benchmark clean fmt verify tools ci
+.PHONY: help test lint security coverage benchmark clean fmt verify tools ci license check-license
 
 # Default target
 help:
 	@echo "Available targets:"
-	@echo "  test       - Run all tests"
-	@echo "  lint       - Run linters (golangci-lint with gosec)"
-	@echo "  security   - Run vulnerability check (govulncheck)"
-	@echo "  coverage   - Run tests with coverage report"
-	@echo "  benchmark  - Run benchmarks"
-	@echo "  clean      - Clean build artifacts"
-	@echo "  fmt        - Format code"
-	@echo "  verify     - Run all checks (test, lint, security)"
-	@echo "  tools      - Install development tools"
-	@echo "  ci         - Run CI pipeline checks"
+	@echo "  test          - Run all tests"
+	@echo "  lint          - Run linters (golangci-lint with gosec)"
+	@echo "  security      - Run vulnerability check (govulncheck)"
+	@echo "  coverage      - Run tests with coverage report"
+	@echo "  benchmark     - Run benchmarks"
+	@echo "  clean         - Clean build artifacts"
+	@echo "  fmt           - Format code"
+	@echo "  license       - Add license headers to all Go files"
+	@echo "  check-license - Verify license headers are present"
+	@echo "  verify        - Run all checks (test, lint, security, license)"
+	@echo "  tools         - Install development tools"
+	@echo "  ci            - Run CI pipeline checks (test, lint, security, license)"
 
 # Run tests
 test:
@@ -60,15 +62,52 @@ fmt:
 	gofmt -s -w .
 
 # Run all checks
-verify: fmt test lint security
+verify: fmt test lint security check-license
 	@echo "All checks passed!"
 
 # Install development tools
 tools:
 	@echo "Installing development tools..."
-	go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
-	go install golang.org/x/vuln/cmd/govulncheck@latest
+	go install github.com/golangci/golangci-lint/cmd/[email protected]
+	go install golang.org/x/vuln/cmd/[email protected]
+	go install github.com/google/[email protected]
+
+# Add license headers to all Go files
+# Uses Google's addlicense tool (github.com/google/addlicense)
+# Adds MPL-2.0 + SPDX headers with your name as copyright holder
+# Existing headers are preserved (no re-processing)
+# Note: Requires addlicense in PATH or ~/go/bin - install with 'make tools'
+license:
+	@echo "Adding license headers to Go files..."
+	@if [ -z "$(HOME)" ] || [ ! -d "$(HOME)" ]; then \
+		echo "Error: Invalid HOME directory (required for ~/go/bin tool installation)"; \
+		echo "       If running in Docker/container, ensure HOME is set and ~/go/bin exists"; exit 1; \
+	fi
+	@PATH="$(HOME)/go/bin:$$PATH" && \
+	command -v addlicense >/dev/null 2>&1 || { echo "Error: addlicense not found. Install with: make tools"; exit 1; } && \
+	find . -name "*.go" -not -path "./vendor/*" -not -path "./examples/*" -print0 | \
+		xargs -0 addlicense -c "Daniel Schmidt" -l mpl -s=only -y 2025 -v
+	@echo "License header addition complete!"
+
+# Check that all Go files have license headers
+# Uses addlicense in check mode - accepts ANY copyright holder name
+# Only verifies that MPL-2.0 + SPDX headers exist
+# Note: Requires addlicense in PATH or ~/go/bin - install with 'make tools'
+check-license:
+	@echo "Checking license headers..."
+	@if [ -z "$(HOME)" ] || [ ! -d "$(HOME)" ]; then \
+		echo "Error: Invalid HOME directory (required for ~/go/bin tool installation)"; \
+		echo "       If running in Docker/container, ensure HOME is set and ~/go/bin exists"; exit 1; \
+	fi
+	@PATH="$(HOME)/go/bin:$$PATH" && \
+	command -v addlicense >/dev/null 2>&1 || { echo "Error: addlicense not found. Install with: make tools"; exit 1; } && \
+	find . -name "*.go" -not -path "./vendor/*" -not -path "./examples/*" -print0 | \
+		if xargs -0 addlicense -check -l mpl -s=only -y 2025; then \
+			echo "✓ All Go files have license headers!"; \
+		else \
+			echo "✗ Some files are missing license headers. Run 'make license' to add them."; exit 1; \
+		fi
 
 # CI pipeline checks (used in GitHub Actions)
-ci: test lint security
+ci: test lint security check-license
 	@echo "CI checks passed!"