ci(github): add periodic license check and README

add CLOMonitor use cycloneDX to generate licenses Signed-off-by: Charly Molter <[email protected]>
kumahq · Jan 15, 2024 · f1dbb47 · f1dbb47
1 parent 6da33d7
commit f1dbb47
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 1 deletion.
diff --git a/.clomonitor.yaml b/.clomonitor.yaml
@@ -0,0 +1,13 @@
+# CLOMonitor metadata file
+# This file must be located at the root of the repository
+
+# Checks exemptions
+exemptions:
+  - check: artifacthub_badge # Check identifier (see https://github.com/cncf/clomonitor/blob/main/docs/checks.md#exemptions)
+    reason: "" # Justification of this exemption (mandatory, it will be displayed on the UI)
+
+# License scanning information
+licenseScanning:
+  # Our license scanning is generated daily from master and is published as an artifact along with a
+  # basic SBOM as a workflow artifact
+  url: https://github.com/kumahq/kuma/actions/workflows/bom.yaml 
diff --git a/.github/workflows/bom.yaml b/.github/workflows/bom.yaml
@@ -0,0 +1,23 @@
+name: "Build bom and licenses"
+on:
+  workflow_dispatch: {}
+  schedule:
+    - cron: 0 3 * * *
+permissions: read-all
+jobs:
+  sbom:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        with:
+          go-version-file: go.mod
+      - used: CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f # v2.0.0
+          with:
+            version: v1
+            args: mod -licenses -json -output licenses.json
+      - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
+        with:
+          name: licenses
+          path: |
+            licenses.json
diff --git a/README.md b/README.md
@@ -10,6 +10,7 @@
 [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/5576/badge)](https://www.bestpractices.dev/projects/5576)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/kumahq/kuma/badge)](https://securityscorecards.dev/viewer/?uri=github.com/kumahq/kuma)
 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/kumahq/kuma/blob/master/LICENSE)
+[![CLOMonitor](https://img.shields.io/endpoint?url=https://clomonitor.io/api/projects/cncf/kuma/badge)](https://clomonitor.io/projects/cncf/kuma)
 
 **Releases**
 
@@ -131,6 +132,11 @@ You can use Kuma for modern greenfield applications built on containers as well
 
 Kuma also provides an easy to use `kumactl` CLI client for every environment, and an official GUI that can be accessed by the browser.
 
+## Roadmap
+
+Kuma releases a minor version on a 10weeks release cycle.
+The roadmap is tracked using milestones: https://github.com/kumahq/kuma/milestones
+
 ## Development
 
 Kuma is under active development and production-ready.
@@ -145,4 +151,3 @@ If you are implementing Kuma in a mission-critical environment and require enter
 [kuma-logo]: https://kuma-public-assets.s3.amazonaws.com/kuma-logo-v2.png
 [kuma-gui]: https://kuma-public-assets.s3.amazonaws.com/kuma-gui-v3.jpg
 [kuma-benefits]: https://kuma-public-assets.s3.amazonaws.com/kuma-benefits-v2.png
-