Description

HashiCorp repositories with GitHub Actions workflows will soon be enforced to use commit SHA pinning in uses: to curb potential supply chain issues. Currently the README.md section on GitHub Actions points to @main for using setup-copywrite.

Annoying to update (🙁 ) but I'm guessing the preference for the documentation would be to suggest:

uses: hashicorp/setup-copywrite@3ace06ad72e6ec679ea8572457b17dbc3960b8ce # v1.0.0

Or (less securely):

uses: hashicorp/[email protected]

Either which way though, Dependabot should suggest version updates.

Is the scope of this tool Hashicorp only?

The read me suggests it is intended to be generic, but there non-configurable items such as

which bind it to Hashicorp.

Thanks!

It seems like, if i use this tool with pre-commit, it tries to search Go files not in pre-commit .cache directory, but from root path of the repo. Could you please check with some empty git repo to use this pre-commit configuration to get same errors.

After creating .pre-commit-config.yaml and commiting files \ executing pre-commit run

repos:
- repo: https://github.com/hashicorp/copywrite
  rev: v0.16.4
  hooks:
    - id: add-headers
    - id: check-headers

have such error:

Add copyright headers....................................................Failed
- hook id: add-headers
- exit code: 1
go: cannot find main module, but found .git/config in /Users/gabenov/git/sandbox/pre-commit
	to create a module there, run:
	go mod init

or after executing go mod init pre-commit

Validate copyright headers...............................................Failed
- hook id: check-headers
- exit code: 1
no Go files in /Users/gabenov/git/sandbox/pre-commit

version: pre-commit 3.3.2

Context

Currently copywrite headers can be quite chatty on bigger repositories, practically printing out every single file, esp. because it prints out the ones it skips. I can see how this can be useful for debugging!

I would argue though this is far less useful in day2day use, esp. when it's used to just add headers to a handful of new files. The new files just get drowned in the long output.

Proposal

Allow suppressing/hiding the cli: skipping: log lines, or even making that the default option, with a -verbose or -debug flag to enable them.

Interesting project. Please consider adding a .pre-commit-hooks.yaml so this can be utilised as a pre-commit hook also.

When a repository uses a mix of different licenses for different parts/directories (BUSL or MPL), then it is currently necessary to run copywrite in those nested directories in order for it to notice those nested directories.

For example, Terraform uses the following script to work around this limitation:

https://github.com/hashicorp/terraform/blob/2a5ff48e3d0342c1978adf97c63414fa06c8b9ed/scripts/copyright.sh#L12-L17

directories=$(find . -type f -name '.copywrite.hcl' -execdir pwd \;)

for dir in $directories; do
    cd $dir && go run github.com/hashicorp/copywrite headers
done

It would be great if this could be built into the tool, so we would not have to maintain this shell wrapper.

Currently the copyright text is provided as a comment.

In the same way the license is prefixed with the SPDX-License-Identifer: tag, should this be prefixed with the SPDX-FileCopyrightText: tag per https://spdx.github.io/spdx-spec/v2.3/file-tags/#h2-file-tags-format ?

👋 Hi! We're using this GH action in the TFE provider, and with a recent run, I'm seeing the error:

GET /repos/hashicorp/copywrite/releases/latest - 403 in 119ms
Error: API rate limit exceeded for 40.77.45.146. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.)

Go build tags need to be at the top line of the file to be considered by go compiler.

Right now, running copyright headers in go file with build tags would break the tags as the header will be inserted before the build tags.

The expected result is for copywrite headers to either:

• offer a way to exclude/include files based on build tags
• detect build tags and insert the header after

When you run copywrite on files with unsupported extensions, you get no information that these files are skipped.

Getting a debug output of why the file was skipped would be nice.

The only other way to find out is to look at the source code.

It was discussed during a review: #85 (comment)

I want to manage not only copyright header, but also years in it.

For example, my header should look like:
copyright_holder = "HashiCorp, Inc. 2014-2023"

1. So, when i run copywrite headers over file having already created header "HashiCorp, Inc. 2014-2022" will be changed into --> "HashiCorp, Inc. 2014-2023"
2. .copywrite.hcl config file should support variables, so i can template headers like

copyright_holder = "HashiCorp, Inc. ${var.copyright_year}-2023"
copyright_year = 2014

When running the copywrite headers --plan command within the Nomad repository, the output details files missing headers even though these are ignored via the .copywrite.hcl file and the command exits with status code 0. It is a little confusing to detail these files when they are expected to be ignored.

Example output:

The following files are missing headers:
  
  Using copyright holder: HashiCorp, Inc.
  
  command/asset/*.hcl
  command/agent/bindata_assetfs.go

Example GHA run: https://github.com/hashicorp/nomad/actions/runs/5519757257/jobs/10065442205?pr=17889

Can we please have a feature that lets us turn off this error if the file extension is present, e.g. .md?

As I'm testing I've noticed copywrite correctly updates scripts that have a file extension, e.g. .sh, .js etc. but doesn't update scripts that don't.

E.g. it would detect and update check-release.sh but not check-release

Is there a way to update this files, either through explicit configuration or automagically?

This is probably more a stylistic thing but if you have a yaml file

%YAML 1.2
# yaml-language-server: $schema=https://json.schemastore.org/pre-commit-config.json
---
default_install_hook_types:
  - pre-commit
...

and update it with copywrite headers you end up with

# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

%YAML 1.2
# yaml-language-server: $schema=https://json.schemastore.org/pre-commit-config.json
---
default_install_hook_types:
  - pre-commit
...

This contrasts with the behaviour of shell scripts which maintain the shebang as the first line.

I don't think it particularly matters for TAG directives but in the case of the YAML directive should this be handled similarly?

I tried onboarding this repository https://github.com/hashicorp/vscode-terraform and added testFixture/ into the ignorelist:

schema_version = 1

project {
  license        = "MPL-2.0"
  copyright_year = 2016

  header_ignore = [
    ".vscode-test",
    ".vscode-test-web",
    "out/",
    "node_modules/",
    "syntaxes/",
    "testFixture/",
  ]
}

Despite that copywrite headers attempts to add the header to files under that path:

copywrite headers --plan
Executing in dry-run mode. Rerun without the `--plan` flag to apply changes.

Using license identifier: MPL-2.0

Exempting the following search patterns:
.vscode-test
.vscode-test-web
out/
node_modules/
syntaxes/
testFixture/

The following files are missing headers:
...
2023-01-31T17:22:18.563Z [INFO]  cli: testFixture/actions.tf
2023-01-31T17:22:18.563Z [INFO]  cli: testFixture/modules/sample.tf
2023-01-31T17:22:18.564Z [INFO]  cli: testFixture/sample.tf
Error: missing license header

Is this a bug?

The bot is creating PRs with headers like

Copyright (c) HashiCorp, Inc.

which appear to assume HashiCorp is the sole copyright holder for all files. How does the bot check that external contributors assigned copyright to HashiCorp?

For example this PR seems definitely incorrect: hashicorp/terraform-provider-azurerm#22657 (comment)

For reference see also https://reuse.software/faq/#copyright-holder-author

Description

Hey there 👋 Thanks for this great tool! While looking at some of the configuration file handling for this tool, I noticed:

Which is the help description from the headers command that talks about a .headerignore file. However, in my brief code searching here, I'm not seeing that text appear elsewhere such as code which might load those files.

Is this functionality supported, upcoming, or was it replaced with the "regular" configuration file? Much appreciated!

It appears the copywrite will not detect or attempt to fix wrong license, for example in hashicorp/terraform:

If I attempt to change provider_source.go in root to contain

// SPDX-License-Identifier: MPL-2.0

$ copywrite headers
Using license identifier: BUSL-1.1
Using copyright holder: HashiCorp, Inc.

Exempting the following search patterns:
**/*.tf
**/testdata/**
**/*.pb.go
**/*_string.go
**/mock*.go
docs/plugin-protocol/**
internal/tfplugin*/**

The following files are missing headers:

$ head -2 provider_source.go
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

I ran copywrite init without a LICENSE file and hit a panic. I was able to work around by specifying --spdx flag. I noticed here:

• *data may be nil if an error is returned from Get
• GetLicense() may return nil if no LICENSE is added to the repo yet

The read me makes reference to vs code settings being in the repo to ensure a consistent developer experience however this are not actually present.

In an attempt to build the Vault Secrets Operator for s390x architecture, I ran into issues because copywrite does not support s390x but is required by VSO. Is s390x support possible/on the roadmap?