Add 3rd party license checks to CI

This change adds 3rd party license checks to CI to ensure only
pre-approved licenses are used by the Amazon ECR credential helper
project.

Signed-off-by: Austin Vazquez <[email protected]>

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1 @@
+blank_issues_enabled: true

.github/ISSUE_TEMPLATE/third_party_license_usage_request.yml

@@ -0,0 +1,30 @@
+name: 3rd Party License Request
+description: File a request for usage of a 3rd party license in the Amazon ECR credential helpers project.
+title: "[3rd Party License Request]: "
+labels: "license-request"
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this request!
+
+  - type: textarea
+    id: license-request
+    attributes:
+      label: License request
+      value: |
+        License: <link to license>
+
+  - type: textarea
+    id: use-case
+    attributes:
+      label: Use case
+      description: |
+        Briefly describe the use case the dependency would resolve.
+    validations:
+      required: true
+
+  - type: textarea
+    id: other-solutions
+    attributes:
+      label: Other solutions considered

.github/workflows/build.yaml

@@ -26,6 +26,16 @@ jobs:
           git secrets --register-aws
           git secrets --scan-history
 
+  licensing:
+    runs-on: 'ubuntu-22.04'
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+      - name: Install go-licenses
+        run: make get-deps
+      - name: Check licensing
+        run: make check-licenses
+
   cross-compile:
     runs-on: 'ubuntu-22.04'
     steps:

Makefile

@@ -117,11 +117,19 @@ gogenerate:
 .PHONY: get-deps
 get-deps:
 	go install golang.org/x/tools/cmd/goimports@698251aaa532d49ac69d2c416b0241afb2f65ea5
+	go install github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e
 
 .PHONY: licenses
 licenses:
 	./scripts/build_third_party_licenses.sh
 
+.PHONY: check
+check: check-licenses
+
+.PHONY: check-licenses
+check-licenses:
+	./scripts/check_third_party_licenses.sh
+
 .PHONY: clean
 clean:
 	- rm -rf ./bin

scripts/check_third_party_licenses.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+# Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+# 	http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+
+set -euo pipefail
+
+# Normalize to working directory being root (up one level from ./scripts)
+root=$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )
+
+pushd "${root}/ecr-login"
+
+# Fail third party dependency usage if not covered by the curated set of pre-approved licenses.
+#
+# List was generated from guidance set forth by Amazon open source usage policies.
+#
+# Additional usage of third party dependencies not covered by the following licenses
+# will need maintainer approval in alignment with Amazon open source usage policies.
+#
+# Requests can be made via https://github.com/awslabs/amazon-ecr-credential-helper/issues/new/choose
+go-licenses check \
+    --include_tests \
+    --ignore github.com/awslabs/amazon-ecr-credential-helper \
+    --allowed_licenses=Apache-2.0,BSD-3-Clause,MIT,ISC, ./...
+
+popd