diff --git a/.github/workflows/compliance.yml b/.github/workflows/compliance.yml new file mode 100644 index 00000000..ffd5198b --- /dev/null +++ b/.github/workflows/compliance.yml @@ -0,0 +1,34 @@ +name: Compliance + +on: + push: + branches: [ main ] + pull_request: {} + +permissions: + # https://docs.github.com/en/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-contents + contents: read + +jobs: + compliance: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-go@v5 + with: + go-version: stable + + - name: Download modules to local cache + run: go mod download + + - name: Install go-licenses + run: go install github.com/google/go-licenses@latest + + - name: Check licenses against allow list + run: | + # Pass allowed licenses as SPDX Identifiers: https://spdx.org/licenses/ + # The current list is based on Icinga DB, plus GPL-2.0 as both Icinga DB + # and this very icinga-notifications are licensed under GPL-2.0. + # https://github.com/Icinga/icingadb/blob/v1.1.1/.github/workflows/compliance/check-licenses.sh + go-licenses check github.com/icinga/icinga-notifications/... \ + --allowed_licenses BSD-2-Clause,BSD-3-Clause,GPL-2.0,MIT,MPL-2.0