From 52a68e3ed68f687d058b556b4f938412f30dcec0 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 16 Jan 2026 08:16:06 +0000 Subject: [PATCH 1/4] Initial plan From 3018fd64889662f410f014d9ae254bda4132241e Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 16 Jan 2026 08:18:35 +0000 Subject: [PATCH 2/4] feat: Add SPDX header check workflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Created `.github/workflows/spdx-check.yml` to automatically check SPDX copyright headers in pull requests. The workflow: - Triggers on pull requests to the main branch - Uses zccrs/github-actions-spdx-checker@v1 action - Checks multiple file types (py, js, ts, java, cpp, go, rs, etc.) - Excludes vendor and node_modules directories - Validates new files have current year SPDX headers - Ensures modified files update year ranges correctly This will help maintain consistent copyright headers across all linuxdeepin projects and ensure compliance with SPDX standards. Influence: 1. All future PRs to main branch will automatically check SPDX headers 2. Non-compliant files will cause workflow to fail with bilingual error messages 3. Developers must include proper SPDX headers in all new and modified files 4. Test by creating a PR with files missing SPDX headers feat: 添加 SPDX 头部检查工作流 创建 `.github/workflows/spdx-check.yml` 以自动检查拉取请求中的 SPDX 版权头部。 此工作流: - 在向 main 分支提交 PR 时触发 - 使用 zccrs/github-actions-spdx-checker@v1 action - 检查多种文件类型(py, js, ts, java, cpp, go, rs 等) - 排除 vendor 和 node_modules 目录 - 验证新文件包含当前年份的 SPDX 头部 - 确保修改的文件正确更新年份范围 这将有助于在所有 linuxdeepin 项目中保持一致的版权头部,并确保符合 SPDX 标准。 Influence: 1. 所有未来向 main 分支提交的 PR 都会自动检查 SPDX 头部 2. 不符合规范的文件会导致工作流失败并提供双语错误消息 3. 开发者必须在所有新文件和修改的文件中包含适当的 SPDX 头部 4. 通过创建缺少 SPDX 头部的文件的 PR 来测试 Co-authored-by: zccrs <13449038+zccrs@users.noreply.github.com> --- .github/workflows/spdx-check.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 .github/workflows/spdx-check.yml diff --git a/.github/workflows/spdx-check.yml b/.github/workflows/spdx-check.yml new file mode 100644 index 000000000..4fdf549c4 --- /dev/null +++ b/.github/workflows/spdx-check.yml 
@@ -0,0 +1,15 @@ +name: SPDX Header Check + +on: + pull_request: + branches: [main] + +jobs: + spdx-check: + runs-on: ubuntu-latest + steps: + - uses: zccrs/github-actions-spdx-checker@v1 + with: + base: origin/main + include: '*.py,*.js,*.ts,*.jsx,*.tsx,*.java,*.cpp,*.c,*.h,*.hpp,*.go,*.rs,*.rb,*.php,*.sh,*.xml,*.yaml,*.yml,*.json,CMakeLists.txt,Makefile' + exclude: 'vendor/**,node_modules/**' From bfb1606581eb86efa4e37fb6a095415ed713e9b3 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 16 Jan 2026 08:20:04 +0000 Subject: [PATCH 3/4] fix: Add checkout step to SPDX header check workflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Added actions/checkout@v5 step before the SPDX checker to ensure the repository code is available for checking. Configured with fetch-depth: 0 to fetch full git history, which is required for the SPDX checker to compare against the base branch and determine which files have been added or modified. This ensures the workflow can properly: - Access all files in the pull request - Compare changes against the base branch (origin/main) - Determine new vs modified files for appropriate SPDX header validation Influence: 1. The workflow will now function correctly when triggered 2. Files in PRs will be properly checked for SPDX headers 3. Git history is available for year range validation in modified files fix: 为 SPDX 头部检查工作流添加检出步骤 在 SPDX 检查器之前添加 actions/checkout@v5 步骤,以确保仓库代码可用于检查。 配置 fetch-depth: 0 以获取完整的 git 历史记录,这是 SPDX 检查器比较基础分支 并确定哪些文件已添加或修改所必需的。 这确保工作流可以正确地: - 访问拉取请求中的所有文件 - 将更改与基础分支(origin/main)进行比较 - 确定新文件与修改文件以进行适当的 SPDX 头部验证 Influence: 1. 工作流现在将在触发时正常运行 2. PR 中的文件将正确检查 SPDX 头部 3. Git 历史可用于修改文件中的年份范围验证 Co-authored-by: zccrs <13449038+zccrs@users.noreply.github.com> --- .github/workflows/spdx-check.yml | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/.github/workflows/spdx-check.yml b/.github/workflows/spdx-check.yml index 4fdf549c4..5b6ec5172 100644 --- a/.github/workflows/spdx-check.yml +++ b/.github/workflows/spdx-check.yml @@ -8,6 +8,9 @@ jobs: spdx-check: runs-on: ubuntu-latest steps: + - uses: actions/checkout@v5 + with: + fetch-depth: 0 - uses: zccrs/github-actions-spdx-checker@v1 with: base: origin/main From 53ec31d70741d4494c7a7b5ff7d9f82b423f0f7d Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 16 Jan 2026 08:21:36 +0000 Subject: [PATCH 4/4] fix: Add explicit permissions to SPDX check workflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Added explicit permissions block to limit GITHUB_TOKEN permissions for security. The workflow now only has the minimal required permissions: - contents: read - to checkout repository code - pull-requests: read - to read PR information This follows GitHub Actions security best practices by implementing the principle of least privilege, ensuring the workflow only has access to what it needs. Influence: 1. Improves workflow security posture 2. Prevents potential token misuse 3. Follows GitHub Actions security recommendations 4. Resolves CodeQL security alert about missing workflow permissions fix: 为 SPDX 检查工作流添加明确的权限 添加明确的权限块以限制 GITHUB_TOKEN 权限以提高安全性。 工作流现在只有最小的必需权限: - contents: read - 检出仓库代码 - pull-requests: read - 读取 PR 信息 这遵循 GitHub Actions 安全最佳实践,通过实施最小权限原则,确保工作流仅 有权访问其所需内容。 Influence: 1. 提高工作流安全性 2. 防止潜在的令牌滥用 3. 遵循 GitHub Actions 安全建议 4. 解决关于缺少工作流权限的 CodeQL 安全警报 Co-authored-by: zccrs <13449038+zccrs@users.noreply.github.com> --- .github/workflows/spdx-check.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/spdx-check.yml b/.github/workflows/spdx-check.yml index 5b6ec5172..2489bd71b 100644 --- a/.github/workflows/spdx-check.yml +++ b/.github/workflows/spdx-check.yml 
@@ -7,6 +7,9 @@ on: jobs: spdx-check: runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read steps: - uses: actions/checkout@v5 with:
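Review bot: In PATCH 2/4, the step `- uses: zccrs/github-actions-spdx-checker@v1` references a third-party action by a mutable tag, so whatever commit `v1` points to in the future will run on every pull request to main without any review in this repository. Pin it to a full commit SHA, keep the version as a trailing comment, and let a dependency updater propose bumps. Separately, the `include` list contains `*.json`; JSON has no comment syntax, so confirm how the checker expects a header in those files or drop the pattern.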
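Review bot: In PATCH 3/4, the added `- uses: actions/checkout@v5` step leaves `persist-credentials` at its default, so the job token is stored in the local git configuration and remains readable by the third-party checker step that runs right after it. The checker only needs the fetched history to compare against `origin/main`, so add `persist-credentials: false` next to `fetch-depth: 0`. Referencing `actions/checkout` by commit SHA rather than `@v5` would also make the run reproducible.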
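Review bot: In PATCH 4/4, `pull-requests: read` is granted under `spdx-check`, but the steps shown only check out the repository and pass `base`, `include` and `exclude` to the checker, none of which refers to the pull request API. If the checker works from the git diff alone, drop that line and keep only `contents: read`; if it does call the API, add a comment beside the permission saying what it is used for. Declaring the `permissions` block at the top level of the workflow instead of inside the job would also make read-only the default for any job added later.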