ci(common): include library solidity and host library in the spdx license check

Author: isaacdecoded

.github/workflows/gateway-contracts-integrity-checks.yml

@@ -32,6 +32,8 @@ jobs:
             gw-contracts:
               - .github/workflows/gateway-contracts-integrity-checks.yml
               - gateway-contracts/**
+              - ci/check_spdx_licenses.sh
+              - ci/contracts_bindings_update.py
   contract-integrity-checks:
     name: gateway-contracts-integrity-checks/contract-integrity-checks (bpr)
     needs: check-changes

.github/workflows/host-contracts-integrity-checks.yml

@@ -32,6 +32,8 @@ jobs:
             host-contracts:
               - .github/workflows/host-contracts-integrity-checks.yml
               - host-contracts/**
+              - ci/check_spdx_licenses.sh
+              - ci/contracts_bindings_update.py
 
   contract-integrity-checks:
     name: host-contracts-integrity-checks/contract-integrity-checks (bpr)

.github/workflows/library-solidity-integrity-checks.yml

@@ -0,0 +1,50 @@
+# This workflow verifies that:
+# - Dependency licenses compliance
+name: library-solidity-integrity-checks
+
+on:
+  pull_request:
+
+permissions: {}
+
+concurrency:
+  group: library-solidity-integrity-checks-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+jobs:
+  check-changes:
+    name: library-solidity-integrity-checks/check-changes
+    permissions:
+      contents: 'read' # Required to checkout repository code
+    runs-on: ubuntu-latest
+    outputs:
+      changes-library-solidity: ${{ steps.filter.outputs.library-solidity }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36  # v3.0.2
+        id: filter
+        with:
+          filters: |
+            library-solidity:
+              - .github/workflows/library-solidity-integrity-checks.yml
+              - library-solidity/**
+              - ci/check_spdx_licenses.sh
+
+  contract-integrity-checks:
+    name: library-solidity-integrity-checks/contract-integrity-checks (bpr)
+    needs: check-changes
+    if: ${{ needs.check-changes.outputs.changes-library-solidity == 'true' }}
+    permissions:
+      contents: 'read' # Required to checkout repository code
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout project
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
+
+      - name: Check SPDX license headers
+        working-directory: library-solidity
+        run: make check-spdx-headers

ci/check_spdx_licenses.sh

@@ -4,18 +4,52 @@
 set -euo pipefail
 
 EXPECTED_LICENSE="BSD-3-Clause-Clear"
-CONTRACTS_DIR="${1:-contracts}"
 EXIT_CODE=0
+DIRS=()
+EXCLUDES=()
 
-while IFS= read -r -d '' file; do
-    first_line=$(head -n 1 "$file")
-    if [[ "$first_line" != "// SPDX-License-Identifier: ${EXPECTED_LICENSE}" ]]; then
-        echo "ERROR: Wrong or missing license in $file"
-        echo "  Found:    $first_line"
-        echo "  Expected: // SPDX-License-Identifier: ${EXPECTED_LICENSE}"
-        EXIT_CODE=1
-    fi
-done < <(find "$CONTRACTS_DIR" -name '*.sol' -print0 | sort -z)
+# Parse arguments
+while [[ $# -gt 0 ]]; do
+    case "$1" in
+        --exclude)
+            EXCLUDES+=("$2")
+            shift 2
+            ;;
+        *)
+            DIRS+=("$1")
+            shift
+            ;;
+    esac
+done
+
+# Default to contracts/ if no directories specified
+if [[ ${#DIRS[@]} -eq 0 ]]; then
+    DIRS=("contracts")
+fi
+
+for dir in "${DIRS[@]}"; do
+    while IFS= read -r -d '' file; do
+        # Check if file matches any exclude pattern
+        skip=false
+        for exclude in ${EXCLUDES[@]+"${EXCLUDES[@]}"}; do
+            if [[ "$file" == *"$exclude"* ]]; then
+                skip=true
+                break
+            fi
+        done
+        if "$skip"; then
+            continue
+        fi
+
+        first_line=$(head -n 1 "$file")
+        if [[ "$first_line" != "// SPDX-License-Identifier: ${EXPECTED_LICENSE}" ]]; then
+            echo "ERROR: Wrong or missing license in $file"
+            echo "  Found:    $first_line"
+            echo "  Expected: // SPDX-License-Identifier: ${EXPECTED_LICENSE}"
+            EXIT_CODE=1
+        fi
+    done < <(find "$dir" -name '*.sol' -print0 | sort -z)
+done
 
 if [ "$EXIT_CODE" -eq 0 ]; then
     echo "All Solidity files use SPDX-License-Identifier: ${EXPECTED_LICENSE}"

host-contracts/Makefile

@@ -61,8 +61,9 @@ lint-bindings:
 update-conformance: update-bindings update-selectors
 
 # Make sure all Solidity contracts use the expected SPDX license identifier (BSD-3-Clause-Clear)
+# We also check lib/ but exclude external dependencies (forge-std, OpenZeppelin-derived FhevmECDSA).
 check-spdx-headers:
-	bash ../ci/check_spdx_licenses.sh contracts
+	bash ../ci/check_spdx_licenses.sh contracts lib --exclude forge-std --exclude cryptography/FhevmECDSA.sol
 
 # Conform to pre-commit checks
 conformance: prettier update-conformance

library-solidity/Makefile

@@ -0,0 +1,4 @@
+# Make sure all Solidity source files use the expected SPDX license identifier (BSD-3-Clause-Clear).
+# We check lib/ and config/ but exclude external dependencies (OpenZeppelin-derived FhevmECDSA).
+check-spdx-headers:
+	bash ../ci/check_spdx_licenses.sh lib config --exclude cryptography/FhevmECDSA.sol