Add compliance

.github/CODEOWNERS

@@ -1,4 +1,4 @@
-# Copyright the DMorph contributors.
+# SPDX-FileCopyrightText: 2025 The DMorph contributors.
 # SPDX-License-Identifier: MPL-2.0
 
 /.github/ @AlphaOne1

.github/FUNDING.yml

@@ -1,3 +1,6 @@
+# SPDX-FileCopyrightText: 2025 The Dmorph contributors.
+# SPDX-License-Identifier: MPL-2.0
+
 # These are supported funding model platforms
 
 github: [AlphaOne1] # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,3 +1,7 @@
+<!-- SPDX-FileCopyrightText: 2025 The DMorph contributors.
+     SPDX-License-Identifier: MPL-2.0
+-->
+
 ---
 name: Bug report
 about: Create a report to help us improve
@@ -14,8 +18,8 @@ A clear and concise description of what the bug is.
 Steps to reproduce the behavior:
 
 1. Go to '...'
-2. Click on '....'
-3. Scroll down to '....'
+2. Click on '...'
+3. Scroll down to '...'
 4. See error
 
 **Expected behavior**

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,3 +1,7 @@
+<!-- SPDX-FileCopyrightText: 2025 The DMorph contributors.
+     SPDX-License-Identifier: MPL-2.0
+-->
+
 ---
 name: Feature request
 about: Suggest an idea for this project

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,3 +1,7 @@
+<!-- SPDX-FileCopyrightText: 2025 The DMorph contributors.
+     SPDX-License-Identifier: MPL-2.0
+-->
+
 ### All Submissions:
 
 * [ ] Have you followed the guidelines in our Contributing document?
@@ -13,7 +17,7 @@ You can erase any parts of this template not applicable to your Pull Request.
 
 1. [ ] Did you add tests for the new features that cover all major code paths?
 2. [ ] Does your submission pass tests?
-3. [ ] Have you lint your code locally before submission?
+3. [ ] Have you linted your code locally before submission?
 
 **What is the new behavior (if this is a feature change)?**
 

.github/dependabot.yml

@@ -1,4 +1,4 @@
-# Copyright the DMorph contributors.
+# SPDX-FileCopyrightText: 2025 The DMorph contributors.
 # SPDX-License-Identifier: MPL-2.0
 #
 # To get started with Dependabot version updates, you'll need to specify which

.github/workflows/codeql.yml

@@ -1,10 +1,10 @@
-# Copyright the DMorph contributors.
+# SPDX-FileCopyrightText: 2025 The DMorph contributors.
 # SPDX-License-Identifier: MPL-2.0
 #
 # For most projects, this workflow file will not need changing; you simply need
 # to commit it to your repository.
 #
-# You may wish to alter this file to override the set of languages analyzed,
+# You may wish to alter this file to override the set of languages analyzed
 # or to provide custom queries or build logic.
 #
 # ******** NOTE ********
@@ -22,7 +22,7 @@ on:
     schedule:
       - cron: '28 4 * * 2'
 
-# Declare default permissions as read only.
+# Declare default permissions as read-only.
 permissions: read-all
 
 jobs:
@@ -82,7 +82,7 @@ jobs:
                 # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
                 # queries: security-extended,security-and-quality
 
-          # If the "analyze" step fails for one of the languages you are analyzing with
+          # If the analyze-step fails for one of the languages you are analyzing with
           # "We were unable to automatically build your code", modify the matrix above
           # to set the build mode to "manual" for that language. Then modify this step
           # to build your code.

.github/workflows/compliance.yml

@@ -0,0 +1,153 @@
+# SPDX-FileCopyrightText: 2025 The DMorph contributors.
+# SPDX-License-Identifier: MPL-2.0
+
+name: Compliance Checks
+
+on:
+  push:
+      branches:
+          - master
+  pull_request:
+      branches:
+          - master
+
+concurrency:
+    group: ${{ github.workflow }}-${{ github.ref }}
+    cancel-in-progress: true
+
+permissions:
+    contents: read
+
+jobs:
+    REUSE:
+        runs-on: ubuntu-latest
+        steps:
+          - name: Harden Runner
+            uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+            with:
+                egress-policy: audit
+
+          - name: Checkout
+            uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+            with:
+                fetch-depth: 1
+
+          - name: REUSE Compliance Check
+            uses: fsfe/reuse-action@bb774aa972c2a89ff34781233d275075cbddf542 #v5.0.0
+
+    CheckSignedOffCommit:
+        if: >
+          github.event_name == 'push' &&
+          !startsWith(github.actor, 'dependabot') &&
+          github.event.pusher.name != 'web-flow' &&
+          github.event.pusher.name != 'github-actions[bot]' &&
+          github.event.pusher.name != 'github-merge-queue[bot]'
+        runs-on: ubuntu-latest
+        permissions:
+            contents: read
+        steps:
+            - name: Harden Runner
+              uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+              with:
+                  egress-policy: audit
+
+            - name: Checkout
+              uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+              with:
+                  fetch-depth: 0
+
+            - name: Determine pushed commits
+              id: range
+              run: |
+                  set -euo pipefail
+
+                  # Use GitHub-provided SHAs to build the range for this push
+                  BEFORE="${{ github.event.before }}"
+                  AFTER="${{ github.sha }}"
+
+                  if [ "$BEFORE" = "0000000000000000000000000000000000000000" ]
+                  then
+                      # New branch or force push without previous SHA
+                      git rev-list --no-merges "$AFTER" > shas.txt
+                  else
+                      git rev-list --no-merges "$BEFORE".."$AFTER" > shas.txt
+                  fi
+
+            - name: Check for Signed-off-by
+              run: |
+                  set -euo pipefail
+                  missing=""
+
+                  while read -r sha
+                  do
+                      [ -n "$sha" ] || continue
+                      msg=`git log --format=%B -n 1 "$sha"`
+
+                      if ! printf '%s' "$msg" | grep -Eqi '^[[:space:]]*Signed[- ]off[- ]by:'
+                      then
+                          echo "Commit $sha missing Signed-off-by"
+                          missing="true"
+                      fi
+                  done < shas.txt
+
+                  if [ "$missing" = "true" ]
+                  then
+                      echo "DCO check failed on push"
+                      exit 1
+                  fi
+
+                  echo "All pushed commits are signed"
+
+    CheckSignedOffPullRequest:
+        if: github.event_name == 'pull_request' && !contains(github.event.pull_request.labels.*.name, 'bypass-dco')
+        runs-on: ubuntu-latest
+        permissions:
+            contents: read
+            pull-requests: read
+        steps:
+          - name: Harden Runner
+            uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+            with:
+              egress-policy: audit
+
+          - name: Checkout
+            uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+            with:
+              fetch-depth: 0
+
+          - name: Get PR commits
+            env:
+              GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+            run: |
+              set -euo pipefail
+              gh --version
+              jq --version
+
+              # Fetch all commits of the PR with pagination and extract SHAs
+              gh api -H "Accept: application/vnd.github+json" --paginate \
+                repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits \
+                | jq -r '.[].sha' > shas.txt
+
+          - name: Check for Signed-off-by
+            run: |
+                set -euo pipefail
+                missing=""
+
+                while read -r sha
+                do
+                    [ -n "$sha" ] || continue
+                    msg=`git log --format=%B -n 1 "$sha"`
+
+                    if ! printf '%s' "$msg" | grep -Eqi '^[[:space:]]*Signed[- ]off[- ]by:'
+                    then
+                        echo "Commit $sha missing Signed-off-by"
+                        missing="true"
+                    fi
+                done < shas.txt
+
+                if [ "$missing" = "true" ]
+                then
+                    echo "DCO check failed"; exit 1
+                fi
+
+                echo "All commits are signed"

.github/workflows/dependency-review.yml

@@ -1,4 +1,4 @@
-# Copyright the DMorph contributors.
+# SPDX-FileCopyrightText: 2025 The DMorph contributors.
 # SPDX-License-Identifier: MPL-2.0
 #
 # Dependency Review Action

.github/workflows/release.yml

@@ -0,0 +1,113 @@
+# SPDX-FileCopyrightText: 2025 The DMorph contributors.
+# SPDX-License-Identifier: MPL-2.0
+
+name: Release
+
+on:
+    release:
+        types:
+            - published
+
+permissions: read-all
+
+concurrency:
+    group: release-${{ github.event.release.tag_name }}
+    cancel-in-progress: true
+
+jobs:
+    Build:
+        permissions:
+            contents: write
+        runs-on: ubuntu-latest
+        steps:
+            - name: Harden Runner
+              uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+              with:
+                  egress-policy: audit
+
+            - name: Checkout
+              uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+              with:
+                  fetch-depth: 0
+                  ref: ${{ github.event.release.tag_name }}
+
+            - name: Generate source archive
+              shell: bash
+              run: |
+                  set -euo pipefail
+
+                  TAG=`echo "${{ github.event.release.tag_name }}" | sed 's/\//-/g'`
+                  git archive \
+                    --format=tar.gz \
+                    --prefix="dmorph-src-${TAG}/" \
+                    --output="dmorph-src-${TAG}.tar.gz" \
+                    "${{ github.event.release.tag_name }}"
+
+            - name: Upload Release (via GitHub CLI)
+              env:
+                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+              shell: bash
+              run: |
+                  set -euo pipefail
+                  gh release upload "${{ github.event.release.tag_name }}" dmorph-src-*.tar.gz --clobber
+
+    ChecksumReleaseAssets:
+        needs: Build
+        runs-on: ubuntu-latest
+        name: Checksum Release Assets
+        outputs:
+            hashBase64File: ${{ steps.hashes.outputs.handle }}
+        steps:
+            - name: Harden Runner
+              uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+              with:
+                  egress-policy: audit
+
+            - name: Checkout
+              uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+              with:
+                  fetch-depth: 1
+
+            - name: Download all release assets via GitHub CLI
+              env:
+                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+              run: |
+                  set -euo pipefail
+
+                  mkdir -p release-assets
+                  cd release-assets
+                  # gets all assets of the release
+                  gh release download "${{ github.event.release.tag_name }}" --clobber
+                  echo "Downloaded assets:"
+                  ls -lah
+
+            - name: Generate Checksums
+              working-directory: release-assets
+              run: |
+                  set -euo pipefail
+
+                  # Robustly hash all regular files in this directory, then base64 and write via tee.
+                  LC_ALL=C find . -maxdepth 1 -type f -printf '%P\0' \
+                    | sort -z \
+                    | xargs -0 sha256sum -- \
+                    | base64 -w0 \
+                    > check.sha256
+
+            - name: Upload Checksums
+              id: hashes
+              uses: slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # 2.1.0
+              with:
+                  path: release-assets/check.sha256
+
+    AssetProvenance:
+        permissions:
+            actions:  read  # Needed for detection of GitHub Actions environment.
+            id-token: write # Needed for provenance signing and ID
+            contents: write # Needed for release uploads
+        needs: ChecksumReleaseAssets
+        uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 #must have semver!
+        with:
+            base64-subjects-as-file: |
+                ${{ needs.ChecksumReleaseAssets.outputs.hashBase64File }}
+            upload-assets: true
+            upload-tag-name: "${{ github.event.release.tag_name }}"