fix #18 - Add GitHub Action to enforce Apache 2.0 license headers

[fantonangeli]

Closes #18

Summary

Add a GitHub Actions workflow that validates Apache 2.0 license headers are present in all applicable source files and fails the build if headers are missing. The check must execute on every Pull Request.

Goals

Ensure all source files comply with Apache 2.0 licensing requirements.

• Prevent merging code without proper license headers.
• Automate enforcement instead of relying on manual review.
• Maintain CNCF/open-source governance standards.

Non-Goals

• Complex legal compliance tooling beyond header validation.
• Checking third-party dependency licenses.

[ricardozanini]

@fantonangeli you must sign your commits with a key that matches your email.

[Copilot]

Pull request overview

Adds automated license-header enforcement using Apache RAT so pull requests fail if files without approved licensing are introduced, supporting the repository’s Apache 2.0 compliance goal.

Changes:

• Add a CI workflow that runs Apache RAT on pushes to main and on PR events.
• Introduce .rat-excludes to exclude certain non-source/config/generated files from RAT scanning.
• Add Apache 2.0 license headers to README.md and .gitignore.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 3 comments.

File	Description
README.md	Adds an Apache 2.0 license header in an HTML comment.
.rat-excludes	Defines files to exclude from Apache RAT scanning.
.gitignore	Adds an Apache 2.0 license header comment block.
.github/workflows/ci_check_license_headers.yaml	New workflow that downloads and runs Apache RAT, failing on unapproved files.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

This downloads and executes a remote JAR via curl without any integrity verification (checksum/signature) and uses an unpinned actions/checkout@v3. For supply-chain safety, pin actions to a commit SHA (or at least update to the current major) and verify the RAT artifact (e.g., download the corresponding .sha512/signature and validate before running).

Suggested change

	uses: actions/checkout@v3
	- name: Download Apache RAT
	run: |
	curl -LO "https://repo1.maven.org/maven2/org/apache/rat/apache-rat/${APACHE_RAT_VERSION}/apache-rat-${APACHE_RAT_VERSION}.jar"
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # actions/checkout@v4
	- name: Download Apache RAT
	run: |
	set -e
	BASE_URL="https://repo1.maven.org/maven2/org/apache/rat/apache-rat/${APACHE_RAT_VERSION}"
	# Download JAR and corresponding SHA-512 checksum
	curl -L -o "apache-rat-${APACHE_RAT_VERSION}.jar" "${BASE_URL}/apache-rat-${APACHE_RAT_VERSION}.jar"
	curl -L -o "apache-rat-${APACHE_RAT_VERSION}.jar.sha512" "${BASE_URL}/apache-rat-${APACHE_RAT_VERSION}.jar.sha512"
	# Verify the downloaded JAR against the published checksum
	EXPECTED_SHA512="$(awk '{print $1}' "apache-rat-${APACHE_RAT_VERSION}.jar.sha512")"
	ACTUAL_SHA512="$(sha512sum "apache-rat-${APACHE_RAT_VERSION}.jar" | awk '{print $1}')"
	if [ "${EXPECTED_SHA512}" != "${ACTUAL_SHA512}" ]; then
	echo "Checksum verification FAILED for apache-rat-${APACHE_RAT_VERSION}.jar" >&2
	exit 1
	fi

[Copilot]

Pull request overview

Copilot reviewed 3 out of 4 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 4 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[ricardozanini]

@lornakelly are you going to review this PR?