add dependency licenses to release artifacts

Author: schrej

.github/workflows/container-image.yaml

@@ -11,6 +11,15 @@ jobs:
     runs-on: "ubuntu-latest"
     steps:
       - uses: actions/checkout@v3
+
+      - name: Install Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: '^1.18'
+      
+      - name: Create Licenses Report
+        run: |
+          make licenses-report
       
       - name: Login to GitHub Container Registry
         uses: docker/[email protected]

.github/workflows/draft_release.yaml

@@ -30,7 +30,7 @@ jobs:
         uses: softprops/action-gh-release@v1
         with:
           draft: true
-          files: out/*
+          files: out/*.*
           # body_path: _releasenotes/${{ env.RELEASE_TAG }}.md
 
   release_image:
@@ -39,6 +39,15 @@ jobs:
     steps:
       - name: Check out the repo
         uses: actions/checkout@v3
+
+      - name: Install Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: '^1.18'
+      
+      - name: Create Licenses Report
+        run: |
+          make licenses-report
       
       - name: Login to GitHub Container Registry
         uses: docker/[email protected]

Dockerfile

@@ -28,4 +28,7 @@ WORKDIR /
 COPY --from=builder /workspace/manager .
 USER 65532
 
+# Add directory containing the licenses of all dependencies
+COPY out/licenses /licenses
+
 ENTRYPOINT ["/manager"]

Makefile

@@ -72,7 +72,7 @@ run: manifests generate fmt vet ## Run a controller from your host.
 	go run ./main.go
 
 .PHONY: docker-build
-docker-build: test ## Build docker image with the manager.
+docker-build: test licenses-report ## Build docker image with the manager.
 	docker build -t ${IMG} .
 
 .PHONY: docker-push
@@ -97,6 +97,7 @@ release: clean-release
 	$(MAKE) set-manifest-pull-policy PULL_POLICY=IfNotPresent
 	$(MAKE) release-manifests
 	$(MAKE) release-metadata
+	$(MAKE) licenses-report
 	$(MAKE) clean-release-git
 
 .PHONY: clean-release
@@ -115,6 +116,12 @@ release-manifests: kustomize $(RELEASE_DIR)
 release-metadata:
 	cp metadata.yaml $(RELEASE_DIR)/metadata.yaml
 
+licenses-report: go-licenses
+	rm -rf $(RELEASE_DIR)/licenses
+	$(GO_LICENSES) save --save_path $(RELEASE_DIR)/licenses ./...
+	$(GO_LICENSES) report --template hack/licenses.md.tpl ./... > $(RELEASE_DIR)/licenses/licenses.md
+	(cd out/licenses && tar -czf ../licenses.tar.gz *)
+
 ##@ Release Utils
 
 .PHONY: set-manifest-pull-policy
@@ -164,3 +171,8 @@ ENVTEST = $(HACK_BIN)/setup-envtest
 .PHONY: envtest
 envtest: ## Download envtest-setup locally if necessary.
 	env GOBIN=$(HACK_BIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
+
+GO_LICENSES = $(HACK_BIN)/go-licenses
+.PHONY: go-licenses
+go-licenses:
+	env GOBIN=$(HACK_BIN) go install github.com/google/go-licenses@latest

README.md

@@ -37,3 +37,7 @@ Licensed under the **Apache License, Version 2.0** (the "License"); you may not
 You may obtain a copy of the License at https://www.apache.org/licenses/LICENSE-2.0.
 
 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the [LICENSE](./LICENSE) for the specific language governing permissions and limitations under the License.
+
+### Dependency Licenses
+
+You can find the licenses of used Go dependencies as a `licenses.tar.gz` archive as part of our [releases](https://github.com/telekom/cluster-api-ipam-provider-in-cluster/releases) and in the `/license` directory contained in our container images available at [ghcr.io/telekom/cluster-api-ipam-provider-in-cluster](https://ghcr.io/telekom/cluster-api-ipam-provider-in-cluster).

hack/licenses.md.tpl

@@ -0,0 +1,5 @@
+# Dependency Licenses
+
+{{ range . }}
+  - {{.Name}}@{{.Version}} ([{{.LicenseName}}]({{.LicenseURL}}))
+{{- end }}