From df7459f21d08fe04c5f8b46b3070378ee3c054a6 Mon Sep 17 00:00:00 2001
From: Austin Vazquez
Date: Thu, 23 May 2024 18:35:01 +0000
Subject: [PATCH 1/2] Import third party license validation code from ECR cred helper project
This change is a raw import of the third party license validation code from https://github.com/awslabs/amazon-ecr-credential-helper/tree/6bae25fb558e48ec1359a54dc58d163b53f9cd0d
Signed-off-by: Austin Vazquez
---
.../third_party_license_usage_request.yaml | 30 ++++++++++++++++
scripts/check_third_party_licenses.sh | 36 +++++++++++++++++++
2 files changed, 66 insertions(+)
create mode 100644 .github/ISSUE_TEMPLATE/third_party_license_usage_request.yaml
create mode 100644 scripts/check_third_party_licenses.sh
diff --git a/.github/ISSUE_TEMPLATE/third_party_license_usage_request.yaml b/.github/ISSUE_TEMPLATE/third_party_license_usage_request.yaml
new file mode 100644
index 000000000..f1d009155
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/third_party_license_usage_request.yaml
@@ -0,0 +1,30 @@
+name: 3rd Party License Request
+description: File a request for usage of a 3rd party license in the Amazon ECR credential helpers project.
+title: "[3rd Party License Request]: "
+labels: "license-request"
+body:
+ - type: markdown
+ attributes:
+ value: |
+ Thanks for taking the time to fill out this request!
+
+ - type: textarea
+ id: license-request
+ attributes:
+ label: License request
+ value: |
+ License:
+
+ - type: textarea
+ id: use-case
+ attributes:
+ label: Use case
+ description: |
+ Briefly describe the use case the dependency would resolve.
+ validations:
+ required: true
+
+ - type: textarea
+ id: other-solutions
+ attributes:
+ label: Other solutions considered
\ No newline at end of file
diff --git a/scripts/check_third_party_licenses.sh b/scripts/check_third_party_licenses.sh
new file mode 100644
index 000000000..855231f50
--- /dev/null
+++ b/scripts/check_third_party_licenses.sh
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+# Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+# http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+
+set -euo pipefail
+
+# Normalize to working directory being root (up one level from ./scripts)
+root=$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )
+
+pushd "${root}/ecr-login"
+
+# Fail third party dependency usage if not covered by the curated set of pre-approved licenses.
+#
+# List was generated from guidance set forth by Amazon open source usage policies.
+#
+# Additional usage of third party dependencies not covered by the following licenses
+# will need maintainer approval in alignment with Amazon open source usage policies.
+#
+# Requests can be made via https://github.com/awslabs/amazon-ecr-credential-helper/issues/new/choose
+go-licenses check \
+ --include_tests \
+ --ignore github.com/awslabs/amazon-ecr-credential-helper \
+ --allowed_licenses=Apache-2.0,BSD-3-Clause,MIT,ISC, ./...
+
+popd
\ No newline at end of file
From d392c738fa3ded174701c60b3fd1b5fe98f60358 Mon Sep 17 00:00:00 2001
From: Austin Vazquez
Date: Thu, 23 May 2024 19:45:46 +0000
Subject: [PATCH 2/2] Add go licenses check to CI
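Review bot: `pushd "${root}/ecr-login"` and the closing `popd` print the directory stack to stdout on every run, and under `set -e` the `popd` is never reached when `go-licenses check` fails, so the pair buys nothing in a non-interactive script while mixing shell noise into the tool's own report. A plain `cd "${root}/ecr-login"` is enough, because the script runs in its own process and the caller's working directory is untouched either way; if the change of directory must stay scoped, `( cd "${root}/ecr-login" && go-licenses check … )` does that without the stack output. The same pattern survives the rename in PATCH 2/2, whose new side still reads `pushd "${root}"` … `popd`. Since the tool is installed separately, a guard such as `command -v go-licenses >/dev/null || { printf 'go-licenses not installed; run scripts/install-check-tools.sh\n' >&2; exit 1; }` would also turn bash's bare "command not found" into an actionable message.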
Signed-off-by: Austin Vazquez
---
.../third_party_license_usage_request.yaml | 18 +++++++++++-------
.github/workflows/prebuild.yml | 8 ++++++++
scripts/check-all.sh | 1 +
...censes.sh => check-third-party-licenses.sh} | 17 +++++++++++------
scripts/install-check-tools.sh | 1 +
5 files changed, 32 insertions(+), 13 deletions(-)
rename scripts/{check_third_party_licenses.sh => check-third-party-licenses.sh} (62%)
mode change 100644 => 100755
diff --git a/.github/ISSUE_TEMPLATE/third_party_license_usage_request.yaml b/.github/ISSUE_TEMPLATE/third_party_license_usage_request.yaml
index f1d009155..c99132897 100644
--- a/.github/ISSUE_TEMPLATE/third_party_license_usage_request.yaml
+++ b/.github/ISSUE_TEMPLATE/third_party_license_usage_request.yaml
@@ -1,19 +1,23 @@ -name: 3rd Party License Request -description: File a request for usage of a 3rd party license in the Amazon ECR credential helpers project. -title: "[3rd Party License Request]: " +name: 3rd Party License Usage Request +title: "[3rd Party License Usage Request]: " +description: File a request for usage of a 3rd party license in the SOCI project. labels: "license-request" body: - type: markdown attributes: value: | - Thanks for taking the time to fill out this request! + Thanks for taking the time to fill out this request! The SOCI project adheres to the guidance set forth by + Amazon Open Source Usage policies and [CNCF Allowlist License Policy](https://github.com/cncf/foundation/blob/88f1a47550eb2df71b4b6e9c148a1c2f99a1d92e/allowed-third-party-license-policy.md) (with the exception of MPL-2.0). - type: textarea id: license-request attributes: - label: License request + label: License usage request value: | + Dependency: License: + validations: + required: true - type: textarea id: use-case
@@ -25,6 +29,6 @@ body: required: true - type: textarea - id: other-solutions + id: alternative-solutions attributes: - label: Other solutions considered \ No newline at end of file + label: Alternative solutions considered
diff --git a/.github/workflows/prebuild.yml b/.github/workflows/prebuild.yml
index f09471634..ca8895141 100644
--- a/.github/workflows/prebuild.yml
+++ b/.github/workflows/prebuild.yml
@@ -75,3 +75,11 @@ jobs: steps: - uses: actions/checkout@v4 - run: shellcheck ./**/*.sh + + licensing: + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-go@v5 + - run: ./scripts/install-check-tools.sh + - run: ./scripts/check-third-party-licenses.sh
diff --git a/scripts/check-all.sh b/scripts/check-all.sh
index d378f550b..dfa3bdcda 100755
--- a/scripts/check-all.sh
+++ b/scripts/check-all.sh
@@ -20,3 +20,4 @@ set -eux -o pipefail ./check-flatc.sh ./check-ltag.sh ./check-lint.sh +./check-third-party-licenses.sh
diff --git a/scripts/check_third_party_licenses.sh b/scripts/check-third-party-licenses.sh
old mode 100644
new mode 100755
similarity index 62%
rename from scripts/check_third_party_licenses.sh
rename to scripts/check-third-party-licenses.sh
index 855231f50..949a8836e
--- a/scripts/check_third_party_licenses.sh
+++ b/scripts/check-third-party-licenses.sh
@@ -1,6 +1,6 @@ #!/usr/bin/env bash -# Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved. +# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"). You # may not use this file except in compliance with the License. A copy of
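Review bot: In the new `licensing` job of prebuild.yml, `- uses: actions/setup-go@v5` is given no `go-version` or `go-version-file`, so the toolchain that runs `go install github.com/google/go-licenses@v1.6.0` and resolves the module graph for the license scan is whatever the action or runner image defaults to, which may not be the toolchain the project's `go.mod` declares. A scan done with a different toolchain can resolve a different dependency set than the build, so the allow-list result would not describe what ships; add `with:` / `go-version-file: go.mod` under that step (or mirror whatever the workflow's other jobs pass, which lie outside this hunk). The tool version itself is pinned in `install-check-tools.sh` rather than in the workflow, which is fine as long as that script remains the single place the pin lives.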
@@ -18,19 +18,24 @@ set -euo pipefail # Normalize to working directory being root (up one level from ./scripts) root=$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd ) -pushd "${root}/ecr-login" +pushd "${root}" # Fail third party dependency usage if not covered by the curated set of pre-approved licenses. # # List was generated from guidance set forth by Amazon open source usage policies. # +# The SOCI project, with the exception of its usage of MPL-2.0, additionally follows the guidance +# set forth by the CNCF Allowlist License Policy. +# +# https://github.com/cncf/foundation/blob/88f1a47550eb2df71b4b6e9c148a1c2f99a1d92e/allowed-third-party-license-policy.md +# # Additional usage of third party dependencies not covered by the following licenses # will need maintainer approval in alignment with Amazon open source usage policies. # -# Requests can be made via https://github.com/awslabs/amazon-ecr-credential-helper/issues/new/choose +# Requests can be made via https://github.com/awslabs/soci-snapshotter/issues/new/choose go-licenses check \ --include_tests \ - --ignore github.com/awslabs/amazon-ecr-credential-helper \ - --allowed_licenses=Apache-2.0,BSD-3-Clause,MIT,ISC, ./... + --ignore github.com/awslabs/soci-snapshotter \ + --allowed_licenses=Apache-2.0,BSD-2-Clause,BSD-2-Clause-FreeBSD,BSD-3-Clause,MIT,ISC,Python-2.0,PostgreSQL,X11,Zlib,MPL-2.0 ./... -popd \ No newline at end of file +popd
diff --git a/scripts/install-check-tools.sh b/scripts/install-check-tools.sh
index b7cf8ed41..af1c37ea0 100755
--- a/scripts/install-check-tools.sh
+++ b/scripts/install-check-tools.sh
@@ -19,3 +19,4 @@ set -eux -o pipefail go install github.com/kunalkushwaha/ltag@v0.2.4 go install github.com/vbatts/git-validation@v1.2.0 +go install github.com/google/go-licenses@v1.6.0
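Review bot: The allow-list on the new `--allowed_licenses=Apache-2.0,…,MPL-2.0 ./...` line is now eleven identifiers on one line, so the next addition or removal shows up as a rewritten line rather than a one-entry diff, and the MPL-2.0 exception justified in the comment block above sits far from the identifier it excuses. Building the list as a readonly array with one identifier per line and joining it at the call site keeps the review surface per entry and lets the exception carry its own comment; the joined string is byte-identical to the current argument, so the tool's matching is unaffected and the other flags stay as they are. The `--ignore github.com/awslabs/soci-snapshotter` entry is, as far as I can tell from the tool's documentation, a path-prefix match, so anything published under that path would be skipped too; worth a short comment if that is intended.
```shell
# One SPDX identifier per line so each change to the allow-list is a one-line diff.
readonly allowed_licenses=(
  Apache-2.0
  BSD-2-Clause
  BSD-2-Clause-FreeBSD
  BSD-3-Clause
  MIT
  ISC
  Python-2.0
  PostgreSQL
  X11
  Zlib
  MPL-2.0  # exception to the CNCF allowlist policy, see the note above
)
allowed_csv=$(IFS=,; printf '%s' "${allowed_licenses[*]}")
go-licenses check \
    --include_tests \
    --ignore github.com/awslabs/soci-snapshotter \
    --allowed_licenses="${allowed_csv}" ./...
```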