From 26d9519718dcc15c0a337a7a0891a3a7d1e13187 Mon Sep 17 00:00:00 2001 From: Alvar Penning Date: Wed, 6 Dec 2023 16:49:45 +0100 Subject: [PATCH] GitHub Actions: Check Go Dependency Licenses By utilizing the neat go-licenses[0] tool, scanning the cached Go dependencies against an allow list of licenses, which is currently leaned from Icinga DB, works quite like a charm. This, however, only includes Go code and produces warnings for (transitive) included Go Assembly code[1]. If we are planning to include other non-Go artefacts in the future, those also might need to be identified - REUSE[2] might help there. [0] https://github.com/google/go-licenses [1] https://github.com/google/go-licenses/issues/120 [2] https://reuse.software/ (cherry picked from commit 10d5b1b09f6ab81734a24c5a32bd63a1138750c0) --- .github/workflows/compliance.yml | 34 ++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 .github/workflows/compliance.yml diff --git a/.github/workflows/compliance.yml b/.github/workflows/compliance.yml new file mode 100644 index 00000000..ffd5198b --- /dev/null +++ b/.github/workflows/compliance.yml 
@@ -0,0 +1,34 @@ +name: Compliance + +on: + push: + branches: [ main ] + pull_request: {} + +permissions: + # https://docs.github.com/en/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-contents + contents: read + +jobs: + compliance: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-go@v5 + with: + go-version: stable + + - name: Download modules to local cache + run: go mod download + + - name: Install go-licenses + run: go install github.com/google/go-licenses@latest + + - name: Check licenses against allow list + run: | + # Pass allowed licenses as SPDX Identifiers: https://spdx.org/licenses/ + # The current list is based on Icinga DB, plus GPL-2.0 as both Icinga DB + # and this very icinga-notifications are licensed under GPL-2.0. + # https://github.com/Icinga/icingadb/blob/v1.1.1/.github/workflows/compliance/check-licenses.sh + go-licenses check github.com/icinga/icinga-notifications/... \ + --allowed_licenses BSD-2-Clause,BSD-3-Clause,GPL-2.0,MIT,MPL-2.0
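Review bot: the `go install github.com/google/go-licenses@latest` step in the "Install go-licenses" step makes the check non-reproducible: a new tool release can change the license classification, the flag set, or the exit behaviour, so the same dependency tree may pass one day and fail the next without any change to this repository. Pin the tool to a specific tagged release (and bump it deliberately), e.g. `go install github.com/google/go-licenses@<pinned version>`; the same reasoning applies, less critically, to `go-version: stable`. A second point for the allow-list comment in the "Check licenses against allow list" step: since `--allowed_licenses` is a strict allow-list, any dependency whose license go-licenses cannot classify will fail the step rather than merely warn, which is the safe default for a compliance gate but should be stated in the comment so the next person hitting a failure on an "unknown" license knows the intended fix is to classify or exclude it, not to loosen the list.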