CI: add Apache RAT audit workflow for license checks

tuhaihe · tuhaihe · commit 6d367cabead3 · 2025-07-02T20:27:58.000+08:00
This commit introduces a new GitHub workflow that:
- Runs Apache Rat to verify license compliance on all files
- Executes automatically on PR submissions and merges to main branch
- Uploads check results as artifacts for debugging purposes
- Provides a clear job summary with appropriate status indicators

This workflow can help us ensure all files comply with ASF requirements,
catching potential licensing issues before they're merged into the
codebase.
diff --git a/.asf.yaml b/.asf.yaml
@@ -85,6 +85,7 @@ github:
         # Actions workflows. They do not include the workflow name as a
         # prefix
         contexts:
+          - rat-check
           - check-skip
           - Build Apache Cloudberry RPM
           - RPM Install Test Apache Cloudberry
diff --git a/.github/workflows/apache-rat-audit.yml b/.github/workflows/apache-rat-audit.yml
@@ -0,0 +1,108 @@
+# --------------------------------------------------------------------
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed
+# with this work for additional information regarding copyright
+# ownership. The ASF licenses this file to You under the Apache
+# License, Version 2.0 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of the
+# License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# permissions and limitations under the License.
+#
+# --------------------------------------------------------------------
+# Apache Rat Audit Workflow
+# Checks if all files comply with Apache licensing requirements
+# This workflow is based on the Apache Rat tool, you can run it locally
+# using the command: `mvn clean verify -Drat.consoleOutput=true`
+# --------------------------------------------------------------------
+
+name: Apache Rat Audit
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+    types: [opened, synchronize, reopened, edited]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  rat-check:
+    name: Apache Rat License Check
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Set up Java and Maven
+        uses: actions/setup-java@v3
+        with:
+          distribution: 'temurin'
+          java-version: '11'
+          cache: maven
+
+      - name: Run Apache Rat check
+        id: rat-check
+        run: |
+          echo "Running Apache Rat license check..."
+          mvn clean verify -Drat.consoleOutput=true | tee rat-output.log
+          
+          # Check for build failure
+          if grep -q "\[INFO\] BUILD FAILURE" rat-output.log; then
+            echo "rat_failed=true" >> $GITHUB_OUTPUT
+            echo "::error::Apache Rat check failed - build failure detected"
+            exit 1
+          fi
+          
+          # If we got here, the check passed
+          echo "rat_failed=false" >> $GITHUB_OUTPUT
+          echo "Apache Rat check passed successfully"
+
+      - name: Upload Rat check results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: rat-check-results
+          path: rat-output.log
+          retention-days: 7
+
+      - name: Generate Job Summary
+        if: always()
+        run: |
+          {
+            echo "## Apache Rat Audit Results"
+            echo "- Run Time: $(date -u +'%Y-%m-%d %H:%M:%S UTC')"
+            
+            if [[ -f rat-output.log ]]; then
+              if grep -q "\[INFO\] BUILD FAILURE" rat-output.log; then
+                echo "### ❌ Check Failed - License Compliance Issues Detected"
+                echo "```"
+                grep -B 5 -A 20 "\[INFO\] BUILD FAILURE" rat-output.log
+                echo "```"
+              elif grep -q "\[INFO\] BUILD SUCCESS" rat-output.log; then
+                echo "### ✅ Check Passed - All Files Comply with Apache License Requirements"
+              else
+                echo "### ⚠️ Indeterminate result - check log for details"
+              fi
+            else
+              echo "### ⚠️ No output log found"
+            fi
+          } >> "$GITHUB_STEP_SUMMARY"
