From 60ae79d717ba7f4a5e8ac6624e483922a9f5f394 Mon Sep 17 00:00:00 2001
From: mw
Date: Wed, 9 Oct 2024 12:32:25 +0200
Subject: [PATCH] feat(ci/license-check): check if specifed images have been manually license checked
---
.github/scripts/licenseList | 70 +++++++++++++++++++++++++++
.github/workflows/check-licenses.yaml | 16 +++++-
2 files changed, 85 insertions(+), 1 deletion(-)
create mode 100644 .github/scripts/licenseList
diff --git a/.github/scripts/licenseList b/.github/scripts/licenseList
new file mode 100644
index 0000000000..0885a8ddde
--- /dev/null
+++ b/.github/scripts/licenseList
@@ -0,0 +1,70 @@
+docker.io/aelbakry/kdave-server;MIT;https://github.com/wayfair-incubator/kdave/blob/main/LICENSE
+docker.io/bats/bats;MIT;https://github.com/bats-core/bats-core/blob/master/LICENSE.md
+docker.io/bitnami/external-dns;Apache-2.0;https://hub.docker.com/r/bitnami/external-dns
+docker.io/bitnami/grafana-tempo;Apache-2.0;https://hub.docker.com/r/bitnami/grafana-tempo
+docker.io/bitnami/grafana-tempo-vulture;Apache-2.0;https://hub.docker.com/r/bitnami/grafana-tempo-vulture
+docker.io/bitnami/kubectl;Apache-2.0;https://hub.docker.com/r/bitnami/kubectl
+docker.io/bitnami/memcached;Apache-2.0;https://hub.docker.com/r/bitnami/memcached
+docker.io/bitnami/metrics-server;Apache-2.0;https://hub.docker.com/r/bitnami/metrics-server
+docker.io/bitnami/postgresql;PostgreSQL;https://www.postgresql.org/about/licence/
+docker.io/bitnami/redis;SSPL-1.0;https://redis.io/legal/licenses/
+docker.io/bitnami/zookeeper;Apache-2.0;https://zookeeper.apache.org/
+docker.io/busybox;GPL-2.0;http://www.busybox.net/license.html
+docker.io/ckan/ckan-base-datapusher;AGPL-3.0-only;https://github.com/ckan/datapusher
+docker.io/confluentinc/cp-kafka;Apache-2.0;https://github.com/confluentinc/kafka-images/blob/master/LICENSE
+docker.io/curlimages/curl;curl;https://curl.se/docs/copyright.html
+docker.io/emberstack/kubernetes-reflector;MIT;https://github.com/emberstack/kubernetes-reflector/blob/main/LICENSE
+docker.io/fluxcd/flux-cli;Apache-2.0;https://github.com/fluxcd/flux2/blob/main/LICENSE
+docker.io/grafana/grafana;AGPL-3.0-only;https://github.com/grafana/grafana/blob/main/LICENSING.md
+docker.io/grafana/grafana-image-renderer;Apache-2.0;https://github.com/grafana/grafana-image-renderer/blob/master/LICENSE
+docker.io/grafana/loki;AGPL-3.0;https://github.com/grafana/loki/blob/main/LICENSE
+docker.io/grafana/promtail;AGPL-3.0;https://github.com/grafana/loki/blob/main/tools/LICENSE_APACHE2
+docker.io/hjacobs/kube-janitor;AGPL-3.0;https://github.com/hjacobs/kube-janitor/blob/main/LICENSE
+docker.io/otel/opentelemetry-collector-contrib;Apache-2.0;https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/LICENSE
+docker.io/stellio/stellio-api-gateway;Apache-2.0;https://github.com/stellio-hub/stellio-context-broker/blob/develop/LICENSE.txt
+docker.io/stellio/stellio-search-service;Apache-2.0;https://github.com/stellio-hub/stellio-context-broker/blob/develop/LICENSE.txt
+docker.io/stellio/stellio-subscription-service;Apache-2.0;https://github.com/stellio-hub/stellio-context-broker/blob/develop/LICENSE.txt
+docker.io/stellio/stellio-timescale-postgis;Apache-2.0;https://github.com/stellio-hub/stellio-context-broker/blob/develop/LICENSE.txt
+docker.io/velero/velero;Apache-2.0;https://github.com/vmware-tanzu/velero-plugin-for-aws/blob/main/LICENSE
+docker.io/velero/velero-plugin-for-aws;Apache-2.0;https://github.com/vmware-tanzu/velero-plugin-for-aws/blob/main/LICENSE
+docker.io/vladgh/gpg;Apache-2.0;https://github.com/vladgh/docker_base_images/blob/main/LICENSE
+ghcr.io/aquasecurity/trivy-operator;Apache-2.0;https://github.com/aquasecurity/trivy-operator/blob/main/LICENSE
+ghcr.io/kyverno/background-controller;Apache-2.0;https://github.com/kyverno/kyverno/pkgs/container/background-controller
+ghcr.io/kyverno/cleanup-controller;Apache-2.0;https://github.com/kyverno/kyverno/pkgs/container/cleanup-controller
+ghcr.io/kyverno/kyverno;Apache-2.0;https://github.com/kyverno/kyverno/pkgs/container/kyverno
+ghcr.io/kyverno/kyverno-cli;Apache-2.0;https://github.com/kyverno/kyverno/pkgs/container/kyverno-cli
+ghcr.io/kyverno/kyvernopre;Apache-2.0;https://github.com/kyverno/kyverno/pkgs/container/kyvernopre
+ghcr.io/kyverno/reports-controller;Apache-2.0;https://github.com/kyverno/kyverno/pkgs/container/reports-controller
+ghcr.io/teutonet/oci-images/ckan;MIT;https://github.com/teutonet/oci-images/blob/main/LICENSE
+ghcr.io/teutonet/oci-images/solr-ckan;MIT;https://github.com/teutonet/oci-images/blob/main/LICENSE
+k8s.gcr.io/sig-storage/csi-attacher;Apache-2.0;https://github.com/kubernetes-csi/external-attacher/blob/master/LICENSE
+k8s.gcr.io/sig-storage/csi-node-driver-registrar;Apache-2.0;https://github.com/kubernetes-csi/node-driver-registrar/blob/master/LICENSE
+k8s.gcr.io/sig-storage/csi-provisioner;Apache-2.0;https://github.com/kubernetes-csi/external-provisioner/blob/master/LICENSE
+k8s.gcr.io/sig-storage/csi-resizer;Apache-2.0;https://github.com/kubernetes-csi/external-resizer/blob/master/LICENSE
+k8s.gcr.io/sig-storage/csi-snapshotter;Apache-2.0;https://github.com/kubernetes-csi/external-snapshotter/blob/master/LICENSE
+k8s.gcr.io/sig-storage/livenessprobe;Apache-2.0;https://github.com/kubernetes-csi/livenessprobe/blob/master/LICENSE
+quay.io/cilium/cilium;Apache-2.0;https://github.com/cilium/cilium/blob/main/LICENSE
+quay.io/cilium/cilium-envoy;Apache-2.0;https://github.com/cilium/cilium/blob/main/LICENSE
+quay.io/cilium/hubble-relay;Apache-2.0;https://github.com/cilium/cilium/blob/main/LICENSE
+quay.io/cilium/hubble-ui;Apache-2.0;https://github.com/cilium/cilium/blob/main/LICENSE
+quay.io/cilium/hubble-ui-backend;Apache-2.0;https://github.com/cilium/hubble-ui/blob/master/LICENSE
+quay.io/cilium/operator-generic;Apache-2.0;https://hub.docker.com/r/cilium/operator-generic
+quay.io/jetstack/cert-manager-cainjector;Apache-2.0;https://github.com/cert-manager/cert-manager/blob/master/LICENSE
+quay.io/jetstack/cert-manager-controller;Apache-2.0;https://github.com/cert-manager/cert-manager/blob/master/LICENSE
+quay.io/jetstack/cert-manager-startupapicheck;Apache-2.0;https://github.com/cert-manager/cert-manager/blob/master/LICENSE
+quay.io/jetstack/cert-manager-webhook;Apache-2.0;https://github.com/cert-manager/cert-manager/blob/master/LICENSE
+quay.io/kiwigrid/k8s-sidecar;MIT;https://github.com/kiwigrid/k8s-sidecar/blob/master/LICENSE
+quay.io/prometheus/alertmanager;Apache-2.0;https://github.com/prometheus/alertmanager/blob/main/LICENSE
+quay.io/prometheus/node-exporter;Apache-2.0;https://github.com/prometheus/node_exporter/blob/master/LICENSE
+quay.io/prometheus-operator/prometheus-operator;Apache-2.0;https://github.com/prometheus-operator/prometheus-operator/blob/main/LICENSE
+quay.io/prometheus/prometheus;Apache-2.0;https://github.com/prometheus/prometheus/blob/main/LICENSE
+registry-gitlab.teuto.net/4teuto/dev/teuto-portal/teuto-portal-k8s-worker/teuto-portal-k8s-worker;Apache-2.0;https://gitlab.teuto.net/4teuto/dev/teuto-portal/teuto-portal-k8s-worker/-/blob/main/gradlew?ref_type=heads
+registry.k8s.io/descheduler/descheduler;Apache-2.0;https://github.com/kubernetes-sigs/descheduler/blob/master/LICENSE
+registry.k8s.io/etcd;Apache-2.0;https://github.com/kubernetes/kubernetes/blob/master/LICENSE
+registry.k8s.io/ingress-nginx/controller;Apache-2.0;https://github.com/kubernetes/ingress-nginx/blob/main/LICENSE
+registry.k8s.io/ingress-nginx/kube-webhook-certgen;Apache-2.0;https://github.com/kubernetes/ingress-nginx/blob/main/LICENSE
+registry.k8s.io/ingress-nginx/opentelemetry-1.25.3;Apache-2.0;https://github.com/kubernetes/ingress-nginx/blob/main/LICENSE
+registry.k8s.io/kube-state-metrics/kube-state-metrics;Apache-2.0;https://github.com/kubernetes/kube-state-metrics/blob/main/LICENSE
+registry.k8s.io/provider-os/cinder-csi-plugin;Apache-2.0;https://github.com/kubernetes/cloud-provider-openstack/blob/master/LICENSE
+registry.k8s.io/provider-os/openstack-cloud-controller-manager;Apache-2.0;https://github.com/kubernetes/cloud-provider-openstack/blob/master/LICENSE
+registry.k8s.io/sig-storage/nfs-provisioner;Apache-2.0;https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner/blob/master/LICENSE
diff --git a/.github/workflows/check-licenses.yaml b/.github/workflows/check-licenses.yaml
index 50d40cbd8a..65d4cd07ab 100644
--- a/.github/workflows/check-licenses.yaml
+++ b/.github/workflows/check-licenses.yaml
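Review bot: Several rows cite evidence that does not support the license they record, which weakens the list as an audit trail: `docker.io/grafana/promtail` is marked `AGPL-3.0` but links to `tools/LICENSE_APACHE2`, the `teuto-portal-k8s-worker` row links to `gradlew` rather than a license file, and `docker.io/velero/velero` links to the `velero-plugin-for-aws` repository. The bitnami rows and `quay.io/cilium/operator-generic` point at Docker Hub landing pages instead of a license text. The identifiers are also inconsistent (`AGPL-3.0` next to `AGPL-3.0-only`); the bare form is a deprecated SPDX id, so pick one spelling. Rows are keyed by repository with no tag or digest, so one approval covers every later version of an image even if its license changes between releases; a header comment such as `# image;SPDX-id;evidence-URL, reviewed for all tags` would at least make that scope explicit, provided the consuming script is taught to skip comment lines.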
@@ -1,4 +1,4 @@ -name: Lint Helm Charts +name: Check used licenses on: pull_request: @@ -23,3 +23,17 @@ jobs: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - run: pip install yq - run: ./.github/scripts/scan-for-licenses.sh ${{ needs.getChangedChart.outputs.chart }} + check-licenses-list: + name: check licenses from list + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + - run: pip install yq + - run: | + mapfile -t IMAGES < <(for chart in charts/*; do if [[ -f "$chart/Chart.yaml" ]]; then cat $chart/Chart.yaml | yq -r '.annotations["artifacthub.io/images"] // ""'; fi; done | cut -d ":" -f2 | uniq | sort | sed '/^$/d') + mapfile -t RESULT < <(for IMAGE in ${IMAGES[@]}; do grep -q $IMAGE ./.github/scripts/licenseList || (echo $IMAGE;); done;) + if [[ ! -z "$RESULT" ]]; then + echo "The following images are not accepted, please review:" + printf "%s\n" "${RESULT[@]}" + exit 1 + fi
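Review bot: The allowlist lookup `grep -q $IMAGE ./.github/scripts/licenseList` in the new `check-licenses-list` job is an unquoted, unanchored regex match over the whole row, so an image is accepted whenever its name is a substring of any reviewed row (including the URL column), and `.` matches any character. Compare the first field exactly instead, e.g. `cut -d';' -f1 ./.github/scripts/licenseList | grep -qxF -- "$IMAGE"`. Note that `cut -d ":" -f2` keeps the value of every `key: value` line in the annotation, so if the charts carry keys other than the image reference there (not visible in this hunk), select the image lines first or exact matching will flag them. The check also fails open: an error from `yq` inside the process substitution is not propagated, `IMAGES` ends up empty and the job passes, so add a guard such as `(( ${#IMAGES[@]} )) || { echo "no images found"; exit 1; }`. Finally, `pip install yq` is unpinned while the checkout action beside it is pinned to a commit; pin the version (ideally with hashes) so the gate's own tooling is reproducible.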