Copilot AI commented Jan 16, 2026

Adds automated SPDX copyright header validation for all PRs targeting main branch.

Changes

  • Created .github/workflows/spdx-check.yml
    • Triggers on pull requests to main branch
    • Uses zccrs/github-actions-spdx-checker@main action
    • Validates SPDX headers with correct year format (single year or range)
    • Excludes vendor/**, node_modules/**, 3rdparty/**, and *.json files
    • Provides bilingual (Chinese/English) error messages on violations

Behavior

New and modified files will be checked for:

  • Proper SPDX-FileCopyrightText header format
  • Current year in new files
  • Correct year range (YYYY-YYYY) in modified files when creation year differs from modification year
  • Single year format when file created and modified in same year

Non-compliant files will fail the check with detailed feedback.

Original prompt

Add SPDX Header Check Workflow

Overview

A new GitHub Actions workflow file needs to be created under the .github/workflows/ directory to automatically check the SPDX copyright headers of files in Pull Requests.

Requirements

Create file

Create the file: .github/workflows/spdx-check.yml

File contents

name: SPDX Header Check

on:
  pull_request:
    branches: [main]

jobs:
  spdx-check:
    runs-on: ubuntu-latest
    steps:
      - uses: zccrs/github-actions-spdx-checker@main
        with:
          base: origin/main
          exclude: 'vendor/**,node_modules/**,3rdparty/**,*.json'

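Workflow behavior

  • Triggers automatically when a PR is submitted to the main branch
  • Uses the zccrs/github-actions-spdx-checker@main action to check SPDX headers
  • Does not restrict file types; checks all supported files
  • Automatically excludes the vendor, node_modules and 3rdparty directories and JSON files
  • Verifies that new files contain an SPDX header with the current year
  • Ensures modified files correctly update the year range

Expected results

  • All subsequent Pull Requests are automatically checked for SPDX headers
  • JSON files are not checked
  • Non-compliant files cause the check to fail
  • Error messages are provided in both Chinese and English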

This pull request was created from Copilot chat.



@deepin-ci-robot

Hi @Copilot. Thanks for your PR.

I'm waiting for a linuxdeepin member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Co-authored-by: zccrs <13449038+zccrs@users.noreply.github.com>
@deepin-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Copilot

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Copilot AI changed the title from "[WIP] Add SPDX header check workflow for pull requests" to "feat: Add SPDX header check workflow for pull requests" Jan 16, 2026
Copilot AI requested a review from zccrs January 16, 2026 08:23
@zccrs zccrs marked this pull request as ready for review January 16, 2026 08:25
@github-actions

github-actions bot commented Jan 16, 2026

CLA Assistant Lite bot:
The commit email domain belongs to one of our partners, but it seems you are not yet a member of the current organization, please contact the contact person to add you to the organization or let them submit the Pull Request.

2 out of 2 committers have signed the CLA.
✅ @Copilot
@zccrs
You can retrigger this bot by commenting recheck in this Pull Request

@zccrs zccrs requested a review from BLumia January 16, 2026 08:25

@BLumia BLumia left a comment


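This can't really be merged. The problems are as follows:

  1. Currently, CI under linuxdeepin works by each project having a call-xxx.yaml that calls the workflows under linuxdeepin/.github; this commit would not become an organization-level shared workflow.
  2. This kind of CI should only check the years of copyright claimed by specific copyright holders (deepin/uniontech and the like), to avoid false positives when vendored code is genuinely needed.
  3. For vendored code, the REUSE specification allows licensing to be declared through REUSE.toml/dep5/.license files; the current action does not appear to support this.

Possible workable suggestions:

  1. Integrate it into the existing license check CI (for example, write an additional job, or append it to an existing job).
  2. For the issue described in point 2, apply differentiated checks or skip the check.
  3. Consider using the output of reuse spdx to verify the list of copyright information for each file, then combine that with 2 and the PR's changes to do the corresponding checks.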

@zccrs zccrs closed this Jan 16, 2026
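
The year rules from the PR description, restricted to specific copyright holders as the review asks, shown as an added Python example; it is not code from this PR or from the zccrs/github-actions-spdx-checker action. The holder list, function names and sample headers are assumptions constructed for illustration.

```python
import re

# Matches e.g. "// SPDX-FileCopyrightText: 2023 - 2026 Holder Name"
HEADER_RE = re.compile(
    r"SPDX-FileCopyrightText:\s*(?:©|\(c\)|Copyright)?\s*"
    r"(\d{4})(?:\s*-\s*(\d{4}))?\s+(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)
# Assumption: substrings identifying holders whose years this project maintains.
OWN_HOLDERS = ("uniontech", "deepin")


def expected_years(created, modified):
    """Single year when created and modified in the same year, else a range."""
    return str(created) if created == modified else f"{created}-{modified}"


def check_header(text, created, modified, holders=OWN_HOLDERS):
    """Return problems for one file; an empty list means compliant.

    Only copyright lines naming one of `holders` are year-checked, so
    third-party notices in vendored files are never flagged.
    """
    found = HEADER_RE.findall(text)
    if not found:
        # Callers should skip files licensed via REUSE.toml/dep5/.license.
        return ["no SPDX-FileCopyrightText header"]
    want = expected_years(created, modified)
    problems = []
    for start, end, holder in found:
        if not any(h in holder.lower() for h in holders):
            continue  # foreign holder: leave its years alone
        got = f"{start}-{end}" if end else start
        if got != want:
            problems.append(f"{holder}: years {got!r}, expected {want!r}")
    return problems


# Constructed sample headers; years would come from git history in practice.
STALE = "// SPDX-FileCopyrightText: 2023 UnionTech Software Technology Co., Ltd.\n"
VENDORED = "# SPDX-FileCopyrightText: 2019 Example Vendor Inc.\n"

if __name__ == "__main__":
    print(check_header(STALE, 2023, 2026))     # one problem: range expected
    print(check_header(VENDORED, 2019, 2026))  # [] because holder is foreign
```
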