chore(common): introduce integrity check for contract licenses (#2154)

isaacdecoded · zmalatrax · web-flow · commit 89d38f8ab8c1 · 2026-03-26T17:21:13.000Z
* chore(common): introduce integrity check for contract licenses

* Update ci/check_spdx_licenses.sh

Co-authored-by: malatrax &lt;71888134+zmalatrax@users.noreply.github.com&gt;

* ci(common): include library solidity and host library in the spdx license check

---------

Co-authored-by: malatrax &lt;71888134+zmalatrax@users.noreply.github.com&gt;
diff --git a/.github/workflows/gateway-contracts-integrity-checks.yml b/.github/workflows/gateway-contracts-integrity-checks.yml
@@ -32,6 +32,8 @@ jobs:
             gw-contracts:
               - .github/workflows/gateway-contracts-integrity-checks.yml
               - gateway-contracts/**
+              - ci/check_spdx_licenses.sh
+              - ci/contracts_bindings_update.py
   contract-integrity-checks:
     name: gateway-contracts-integrity-checks/contract-integrity-checks (bpr)
     needs: check-changes
@@ -72,6 +74,10 @@ jobs:
         working-directory: gateway-contracts
         run: make check-mocks
 
+      - name: Check SPDX license headers
+        working-directory: gateway-contracts
+        run: make check-spdx-headers
+
       - name: Check licenses compliance
         working-directory: gateway-contracts
         run: make check-licenses
diff --git a/.github/workflows/host-contracts-integrity-checks.yml b/.github/workflows/host-contracts-integrity-checks.yml
@@ -32,6 +32,8 @@ jobs:
             host-contracts:
               - .github/workflows/host-contracts-integrity-checks.yml
               - host-contracts/**
+              - ci/check_spdx_licenses.sh
+              - ci/contracts_bindings_update.py
 
   contract-integrity-checks:
     name: host-contracts-integrity-checks/contract-integrity-checks (bpr)
@@ -68,3 +70,7 @@ jobs:
       - name: Check contract selectors are up-to-date
         working-directory: host-contracts
         run: make check-selectors
+
+      - name: Check SPDX license headers
+        working-directory: host-contracts
+        run: make check-spdx-headers
diff --git a/.github/workflows/library-solidity-integrity-checks.yml b/.github/workflows/library-solidity-integrity-checks.yml
@@ -0,0 +1,50 @@
+# This workflow verifies that:
+# - Dependency licenses compliance
+name: library-solidity-integrity-checks
+
+on:
+  pull_request:
+
+permissions: {}
+
+concurrency:
+  group: library-solidity-integrity-checks-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+jobs:
+  check-changes:
+    name: library-solidity-integrity-checks/check-changes
+    permissions:
+      contents: 'read' # Required to checkout repository code
+    runs-on: ubuntu-latest
+    outputs:
+      changes-library-solidity: ${{ steps.filter.outputs.library-solidity }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36  # v3.0.2
+        id: filter
+        with:
+          filters: |
+            library-solidity:
+              - .github/workflows/library-solidity-integrity-checks.yml
+              - library-solidity/**
+              - ci/check_spdx_licenses.sh
+
+  contract-integrity-checks:
+    name: library-solidity-integrity-checks/contract-integrity-checks (bpr)
+    needs: check-changes
+    if: ${{ needs.check-changes.outputs.changes-library-solidity == 'true' }}
+    permissions:
+      contents: 'read' # Required to checkout repository code
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout project
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
+
+      - name: Check SPDX license headers
+        working-directory: library-solidity
+        run: make check-spdx-headers
diff --git a/ci/check_spdx_licenses.sh b/ci/check_spdx_licenses.sh
@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+# Check that all Solidity contracts use the expected SPDX license identifier.
+
+set -euo pipefail
+
+EXPECTED_LICENSE="BSD-3-Clause-Clear"
+EXIT_CODE=0
+DIRS=()
+EXCLUDES=()
+
+# Parse arguments
+while [[ $# -gt 0 ]]; do
+    case "$1" in
+        --exclude)
+            EXCLUDES+=("$2")
+            shift 2
+            ;;
+        *)
+            DIRS+=("$1")
+            shift
+            ;;
+    esac
+done
+
+# Default to contracts/ if no directories specified
+if [[ ${#DIRS[@]} -eq 0 ]]; then
+    DIRS=("contracts")
+fi
+
+for dir in "${DIRS[@]}"; do
+    while IFS= read -r -d '' file; do
+        # Check if file matches any exclude pattern
+        skip=false
+        for exclude in ${EXCLUDES[@]+"${EXCLUDES[@]}"}; do
+            if [[ "$file" == *"$exclude"* ]]; then
+                skip=true
+                break
+            fi
+        done
+        if "$skip"; then
+            continue
+        fi
+
+        first_line=$(head -n 1 "$file")
+        if [[ "$first_line" != "// SPDX-License-Identifier: ${EXPECTED_LICENSE}" ]]; then
+            echo "ERROR: Wrong or missing license in $file"
+            echo "  Found:    $first_line"
+            echo "  Expected: // SPDX-License-Identifier: ${EXPECTED_LICENSE}"
+            EXIT_CODE=1
+        fi
+    done < <(find "$dir" -name '*.sol' -print0 | sort -z)
+done
+
+if [ "$EXIT_CODE" -eq 0 ]; then
+    echo "All Solidity files use SPDX-License-Identifier: ${EXPECTED_LICENSE}"
+fi
+
+exit "$EXIT_CODE"
diff --git a/gateway-contracts/Makefile b/gateway-contracts/Makefile
@@ -106,6 +106,10 @@ deploy-setup-contracts:
 ensure-addresses:
 	ENV_PATH=$(ENV_PATH) npx ts-node scripts/ensure_proxy_addresses.ts
 
+# Make sure all Solidity contracts use the expected SPDX license identifier (BSD-3-Clause-Clear)
+check-spdx-headers:
+	bash ../ci/check_spdx_licenses.sh contracts
+
 # Make sure we only use allowed licenses for dependencies
 # Full list of SPDX identifiers can be found here: https://spdx.org/licenses/
 # The following packages are exceptionally excluded from the check:
diff --git a/host-contracts/Makefile b/host-contracts/Makefile
@@ -60,5 +60,10 @@ lint-bindings:
 # Update auto-generated files for conformance checks
 update-conformance: update-bindings update-selectors
 
+# Make sure all Solidity contracts use the expected SPDX license identifier (BSD-3-Clause-Clear)
+# We also check lib/ but exclude external dependencies (forge-std, OpenZeppelin-derived FhevmECDSA).
+check-spdx-headers:
+	bash ../ci/check_spdx_licenses.sh contracts lib --exclude forge-std --exclude cryptography/FhevmECDSA.sol
+
 # Conform to pre-commit checks
 conformance: prettier update-conformance
diff --git a/library-solidity/Makefile b/library-solidity/Makefile
@@ -0,0 +1,4 @@
+# Make sure all Solidity source files use the expected SPDX license identifier (BSD-3-Clause-Clear).
+# We check lib/ and config/ but exclude external dependencies (OpenZeppelin-derived FhevmECDSA).
+check-spdx-headers:
+	bash ../ci/check_spdx_licenses.sh lib config --exclude cryptography/FhevmECDSA.sol
