ci: add license lint wf for cncf approved licenses

[acpana]

Fixes #2404

reviewer notes

• PR story:

Initially, i wanted to use license-lint but after an issue w allowlisted modules where the underlying license can change without detection, I decided to go with Max's original suggestion in the issue: https://github.com/kubernetes/kubernetes/blob/master/hack/verify-licenses.sh . This is a script that I am copying over w a number of minimal changes to make it work for us.

• test locally with act! https://github.com/nektos/act

# install act
$ <your distro needs>

$ act -j license-lint

NOTE for the skeptics: you can play w the config file to make the wf fail

• you can find the CNCF approved licenses here

[codecov-commenter]

Codecov Report

Base: 53.95% // Head: 53.90% // Decreases project coverage by -0.05% ⚠️

Coverage data is based on head (a14778e) compared to base (ec3d4d9).
Patch has no changes to coverable lines.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2461      +/-   ##
==========================================
- Coverage   53.95%   53.90%   -0.05%     
==========================================
  Files         116      116              
  Lines       10286    10286              
==========================================
- Hits         5550     5545       -5     
- Misses       4311     4315       +4     
- Partials      425      426       +1     

Flag	Coverage Δ
unittests	53.90% <ø> (-0.05%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
...onstrainttemplate/constrainttemplate_controller.go	55.74% <0.00%> (-2.88%)	⬇️
pkg/readiness/ready_tracker.go	70.33% <0.00%> (+0.50%)	⬆️
pkg/readiness/list.go	91.17% <0.00%> (+11.76%)	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[acpana]

hey @sozercan & @maxsmythe thanks both for offering feedback on the initial approach.

After this comment that Max made I realized that the license-lint tool may not be the best approach:

What is the mechanism for detecting license changes in allowlisted modules?

At present, if a package under allow list changes from an approved license to an unapproved license, the tool wouldn't detect that. code ref

While I am not too sure how often this would happen, that scenario, combined with some other papercuts of the tool have convinced me to explore a different solution for what actually does the license linting.

[acpana]

Starting 4e73471 I am introducing a script from the k8s repo: verify-licenses and its dependencies. I also added a few commits to taylor it to the g8r repo. Some of the env vars and such will remain.

[acpana]

alright folks, I think this PR has all the feedback from our weekly chat @ritazh @sozercan @maxsmythe

[sozercan]

LGTM. since action didn't run on this PR, did you test this manually?

[acpana]

re testing, there's 3 avenues:

• locally by invoking the script: ./third_party/k8s.io/kubernetes/hack/verify-licenses.sh
• w act (see reviewer notes): act -j license-lint
• on this branch I added (or a similar branch you can create) https://github.com/acpana/gatekeeper/tree/acpana/license-lint-2-test-branch : runs: https://github.com/acpana/gatekeeper/actions/workflows/license-lint.yaml

[maxsmythe]

LGTM