From ca8031bad18fdc054ed43b2b709fb9d4e07e1888 Mon Sep 17 00:00:00 2001 From: "Matthias J. Kannwischer" Date: Thu, 23 May 2024 18:46:22 +0800 Subject: [PATCH] Automatically check for SPDX headers and linting (#40) --- .astylerc | 1 + .github/actions/setup-nix/action.yml | 2 +- .github/workflows/build.yml | 10 +--- .github/workflows/scorecard.yaml | 2 +- CODEOWNERS | 2 - CODE_OF_CONDUCT.md | 2 +- CONTRIBUTING.md | 2 +- GOVERNANCE.md | 2 +- Makefile | 2 + SECURITY.md | 2 +- SUPPORT.md | 2 +- checksum.sh | 8 ++-- fips202/LICENSE | 2 +- flake.nix | 12 ++--- scripts/ci/lint | 71 ++++++++++++++++++++++++++++ scripts/format | 40 ++++++++++++++++ 16 files changed, 134 insertions(+), 28 deletions(-) create mode 100755 scripts/ci/lint create mode 100755 scripts/format diff --git a/.astylerc b/.astylerc index 6b94c01eb..923db4181 100644 --- a/.astylerc +++ b/.astylerc @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: Apache-2.0 --style=google --indent=spaces --indent-preproc-define diff --git a/.github/actions/setup-nix/action.yml b/.github/actions/setup-nix/action.yml index 6a58d38fb..e2ef09fa7 100644 --- a/.github/actions/setup-nix/action.yml +++ b/.github/actions/setup-nix/action.yml @@ -10,4 +10,4 @@ runs: with: {load_nixConfig: false} - name: Prepare nix dev shell shell: nix develop .#ci -c bash -e {0} - run: | \ No newline at end of file + run: | diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cc75d375b..36c1adf15 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -13,16 +13,10 @@ jobs: - uses: actions/checkout@v4 - name: Setup nix uses: ./.github/actions/setup-nix - - name: Astyle + - name: Lint shell: nix develop .#ci -c bash -e {0} run: | - err=$(astyle $(git ls-files "*.c" "*.h") --options=.astylerc --dry-run --formatted | awk '{print $2}') - if [[ ${#err} != 0 ]]; then - echo "$err" | while IFS= read -r file; do - echo "::error file={"$file"},title={checking}::Formatted $file" - done - exit 1 - fi + lint - name: Build targets shell: nix develop .#ci -c bash -e {0} run: | diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index 2411d605f..0f733ccbb 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml @@ -58,4 +58,4 @@ jobs: - name: "Upload SARIF results to code scanning" uses: github/codeql-action/upload-sarif@592977e6ae857384aa79bb31e7a1d62d63449ec5 # v2.16.3 with: - sarif_file: results.sarif \ No newline at end of file + sarif_file: results.sarif diff --git a/CODEOWNERS b/CODEOWNERS index 1f6576922..eb74fcb9a 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,6 +1,4 @@ # SPDX-License-Identifier: Apache-2.0 # Last matching pattern has precedence -# Default owner * @pq-code-package/pqcp-embedded-maintainers-aarch64 - diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md index 2dd102ea6..9af549938 100644 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md @@ -3,4 +3,4 @@ # Code of Conduct -Please see [open issue](https://github.com/pq-code-package/tsc/issues/9) \ No newline at end of file +Please see [open issue](https://github.com/pq-code-package/tsc/issues/9) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index fdfd0ff64..1240c5d16 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -3,4 +3,4 @@ # Contributing -to be completed \ No newline at end of file +to be completed diff --git a/GOVERNANCE.md b/GOVERNANCE.md index efece5b88..9c9dcb3a8 100644 --- a/GOVERNANCE.md +++ b/GOVERNANCE.md 
@@ -3,4 +3,4 @@ # Governance -to be documented \ No newline at end of file +to be documented diff --git a/Makefile b/Makefile index 9ab5ac38f..a4e52dde3 100644 --- a/Makefile +++ b/Makefile @@ -1,3 +1,5 @@ +# SPDX-License-Identifier: Apache-2.0 + CC ?= /usr/bin/cc INCLUDE_FIPS202 = -I fips202 INCLUDE_MLKEM = -I mlkem diff --git a/SECURITY.md b/SECURITY.md index afb5d6875..26b29e2ec 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -3,4 +3,4 @@ # Security -Please see [open issue](https://github.com/pq-code-package/tsc/issues/8) \ No newline at end of file +Please see [open issue](https://github.com/pq-code-package/tsc/issues/8) diff --git a/SUPPORT.md b/SUPPORT.md index f2a2b49ba..ead4aa114 100644 --- a/SUPPORT.md +++ b/SUPPORT.md @@ -3,4 +3,4 @@ # Support -To be written. \ No newline at end of file +To be written. diff --git a/checksum.sh b/checksum.sh index 9a5747e33..f7e509f1f 100755 --- a/checksum.sh +++ b/checksum.sh @@ -6,9 +6,9 @@ output_hash=$(./$1 | sha256sum | awk '{ print $1 }') if [[ ${output_hash} == "${2}" ]]; then - echo "${1} Hashes match." - exit 0 + echo "${1} Hashes match." + exit 0 else - echo "${1} Hashes do not match: ${output_hash} vs ${2}" - exit 1 + echo "${1} Hashes do not match: ${output_hash} vs ${2}" + exit 1 fi diff --git a/fips202/LICENSE b/fips202/LICENSE index 138fdf8d3..19bf4f9e2 100644 --- a/fips202/LICENSE +++ b/fips202/LICENSE @@ -4,4 +4,4 @@ crypto_hash/keccakc512/simple/ from http://bench.cr.yp.to/supercop.html by Ronny Van Keer and the public domain "TweetFips202" implementation from https://twitter.com/tweetfips202 -by Gilles Van Assche, Daniel J. Bernstein, and Peter Schwabe \ No newline at end of file +by Gilles Van Assche, Daniel J. Bernstein, and Peter Schwabe diff --git a/flake.nix b/flake.nix index 0c6aa5761..90b0a8f64 100644 --- a/flake.nix +++ b/flake.nix @@ -21,6 +21,8 @@ core = with pkgs; [ # formatter & linters astyle # 3.4.10 + nixpkgs-fmt + shfmt ]; in { 
@@ -28,20 +30,18 @@ packages = core ++ [ direnv nix-direnv - - # formatter & linters - nixpkgs-fmt - shfmt - codespell ]; shellHook = '' - export PATH=$PWD/dev-support/bin:$PATH + export PATH=$PWD/scripts:$PWD/scripts/ci:$PATH ''; }; devShells.ci = with pkgs; mkShellNoCC { packages = core; + shellHook = '' + export PATH=$PWD/scripts:$PWD/scripts/ci:$PATH + ''; }; }; diff --git a/scripts/ci/lint b/scripts/ci/lint new file mode 100755 index 000000000..54ba5e292 --- /dev/null +++ b/scripts/ci/lint 
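Review bot: In flake.nix, both shellHooks prepend `$PWD/scripts` and `$PWD/scripts/ci` to `PATH`, so the entries depend on the directory the shell was entered from and take precedence over every other tool on `PATH`. Entering the shell from a subdirectory, or pointing `nix develop` at the flake from another working directory, would presumably leave `lint` and `format` unresolved or pick up same-named executables from an unrelated tree. Consider appending instead of prepending, e.g. `export PATH="$PATH:$PWD/scripts:$PWD/scripts/ci"`, and add a comment that the hook assumes it runs at the repository root. The enclosing attribute sets start and end outside the hunk.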
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: Apache-2.0
+
+set -o errexit
+set -o errtrace
+set -o nounset
+set -o pipefail
+
+# consts
+ROOT="$(realpath "$(dirname "$0")"/../../)"
+
+checkerr()
+{
+ if [[ $? == 127 ]]; then
+ SUCCESS=false
+ return
+ fi
+
+ if [[ ${#1} != 0 ]]; then
+ echo "$1" | while read -r file line; do
+ echo "::error file=$file,line=${line:-1},title=Format error::$file require to be formatted"
+ done
+ SUCCESS=false
+ fi
+}
+
+# Formatting
+SUCCESS=true
+
+echo "::group::Linting nix files with nixpkgs-fmt"
+checkerr "$(nixpkgs-fmt --check "$ROOT")"
+echo "::endgroup::"
+
+echo "::group::Linting shell scripts with shfmt"
+checkerr "$(shfmt -s -l -i 2 -ci -fn $(shfmt -f $(git grep -l '' :/)))"
+echo "::endgroup::"
+
+echo "::group::Linting c files with astyle"
+checkerr "$(astyle $(git ls-files ":/*.c" ":/*.h") --options="$ROOT/.astylerc" --dry-run --formatted | awk '{print $2}')"
+echo "::endgroup::"
+
+check-eol-dry-run()
+{
+ for file in $(git ls-files -- ":/"); do
+ if [[ $(tail -c1 "$file" | wc -l) == 0 ]]; then
+ l=$(wc -l <"$file")
+ echo "$file $l"
+ fi
+ done
+}
+echo "::group::Checking eol"
+checkerr "$(check-eol-dry-run)"
+echo "::endgroup::"
+
+check-spdx()
+{
+ for file in $(git ls-files -- ":/" ":/!:*LICENSE*" ":/!:.git*" ":/!:flake.lock"); do
+ if [[ $(grep "SPDX-License-Identifier:" $file | wc -l) == 0 ]]; then
+ echo "$file is missing SPDX License header"
+ SUCCESS=false
+ fi
+ done
+}
+echo "::group::Checking SPDX headers"
+check-spdx
+echo "::endgroup::"
+
+#
+if ! $SUCCESS; then
+ exit 1
+fi
diff --git a/scripts/format b/scripts/format
new file mode 100755
index 000000000..1d9478c19
--- /dev/null
+++ b/scripts/format
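Review bot: In scripts/ci/lint, `checkerr` fails open: it sets `SUCCESS=false` only when the captured status is 127 or the captured stdout is non-empty, so a tool that exits non-zero while printing nothing to stdout (a crash, or a checker that reports on stderr) leaves the lint step green. `errexit` does not catch this, because the shell does not act on the status of a command substitution used as a function argument. Save the status first with `local rc=$?`, keep the annotation loop, and end the function with `[[ $rc == 0 ]] || SUCCESS=false`. Separately, the `for file in $(git ls-files …)` loops and the unquoted `$file` passed to `grep` in `check-spdx` split paths on whitespace and expand globs, and the same loop in scripts/format reaches a write (`echo "" >>"$file"`); reading `git ls-files -z` with `while IFS= read -r -d '' file` and quoting `"$file"` avoids that.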
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: Apache-2.0
+
+set -o errexit
+set -o errtrace
+set -o nounset
+set -o pipefail
+
+# consts
+ROOT="$(realpath "$(dirname "$0")"/../)"
+
+GREEN="$(tput setaf 2)"
+NORMAL="$(tput sgr0)"
+
+# utility
+info()
+{
+ printf "%s %b\n" "${GREEN}info" "${NORMAL}${*}"
+}
+
+info "Formatting nix files"
+nixpkgs-fmt "$ROOT"
+
+info "Formatting shell scripts"
+shfmt -s -w -l -i 2 -ci -fn $(shfmt -f $(git grep -l '' :/))
+
+info "Formatting c files"
+astyle $(git ls-files ":/*.c" ":/*.h") --options="$ROOT/.astylerc" --formatted | awk '{print $2}'
+
+info "Checking for eol"
+check-eol()
+{
+ for file in $(git ls-files -- ":/"); do
+ if [[ $(tail -c1 "$file" | wc -l) == 0 ]]; then
+ echo "" >>"$file"
+ echo "$file"
+ fi
+ done
+}
+check-eol
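Review bot: In scripts/format, `check-eol` appends a newline to every tracked path whose last byte is not a newline, and the list from `git ls-files -- ":/"` is unfiltered, so any tracked binary or empty file would be modified as well. `>>"$file"` also writes through a tracked symlink to whatever it points at, which may lie outside the repository. The script already enumerates files with `git grep -l '' :/` for shfmt; using `git grep -Il '' :/` for this loop should restrict it to non-empty text files, and a guard such as `[[ -f "$file" && ! -L "$file" ]] || continue` at the top of the loop body skips symlinks. A short comment above `check-eol` stating that it rewrites files in place would help readers tell it apart from the dry-run variant in scripts/ci/lint.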