From f1dbb47fe9013fc7beff89e716641aad234d2d72 Mon Sep 17 00:00:00 2001
From: Charly Molter
Date: Fri, 12 Jan 2024 17:29:53 +0100
Subject: [PATCH] ci(github): add periodic license check and README add CLOMonitor use cycloneDX to generate licenses
Signed-off-by: Charly Molter
---
 .clomonitor.yaml | 13 +++++++++++++
 .github/workflows/bom.yaml | 23 +++++++++++++++++++++++
 README.md | 7 ++++++-
 3 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 .clomonitor.yaml
 create mode 100644 .github/workflows/bom.yaml

diff --git a/.clomonitor.yaml b/.clomonitor.yaml
new file mode 100644
index 000000000000..4ad095d72917
--- /dev/null
+++ b/.clomonitor.yaml
@@ -0,0 +1,13 @@
+# CLOMonitor metadata file
+# This file must be located at the root of the repository
+
+# Checks exemptions
+exemptions:
+  - check: artifacthub_badge # Check identifier (see https://github.com/cncf/clomonitor/blob/main/docs/checks.md#exemptions)
+    reason: "" # Justification of this exemption (mandatory, it will be displayed on the UI)
+
+# License scanning information
+licenseScanning:
+  # Our license scanning is generated daily from master and is published as an artifact along with a
+  # basic SBOM as a workflow artifact
+  url: https://github.com/kumahq/kuma/actions/workflows/bom.yaml
diff --git a/.github/workflows/bom.yaml b/.github/workflows/bom.yaml
new file mode 100644
index 000000000000..302ffeef746c
--- /dev/null
+++ b/.github/workflows/bom.yaml
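Review bot: The `reason` for the `artifacthub_badge` exemption is left as `""` even though the inline comment on that same line says the justification is mandatory and is displayed on the CLOMonitor UI, so the exemption will either be rejected or shown with a blank justification. Replace it with the actual rationale, e.g. `reason: "<why the Artifact Hub badge does not apply to this project>"` with the placeholder filled in. Note that `licenseScanning.url` points at the bom.yaml workflow added in this same patch, so the claim that a scan is "generated daily from master" only holds once that workflow actually runs successfully.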
@@ -0,0 +1,23 @@
+name: "Build bom and licenses"
+on:
+  workflow_dispatch: {}
+  schedule:
+    - cron: 0 3 * * *
+permissions: read-all
+jobs:
+  sbom:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        with:
+          go-version-file: go.mod
+      - used: CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f # v2.0.0
+        with:
+          version: v1
+          args: mod -licenses -json -output licenses.json
+      - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
+        with:
+          name: licenses
+          path: |
+            licenses.json
diff --git a/README.md b/README.md
index e53dc0c83f5b..f8b5e6c4d563 100644
--- a/README.md
+++ b/README.md
@@ -10,6 +10,7 @@
 [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/5576/badge)](https://www.bestpractices.dev/projects/5576)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/kumahq/kuma/badge)](https://securityscorecards.dev/viewer/?uri=github.com/kumahq/kuma)
 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/kumahq/kuma/blob/master/LICENSE)
+[![CLOMonitor](https://img.shields.io/endpoint?url=https://clomonitor.io/api/projects/cncf/kuma/badge)](https://clomonitor.io/projects/cncf/kuma)
 
 **Releases**
 
@@ -131,6 +132,11 @@ You can use Kuma for modern greenfield applications built on containers as well
 
 Kuma also provides an easy to use `kumactl` CLI client for every environment, and an official GUI that can be accessed by the browser.
 
+## Roadmap
+
+Kuma releases a minor version on a 10weeks release cycle.
+The roadmap is tracked using milestones: https://github.com/kumahq/kuma/milestones
+
 ## Development
 
 Kuma is under active development and production-ready.
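Review bot: The third step is keyed `used:` instead of `uses:`, so GitHub rejects the workflow at validation time (every step needs a `uses` or `run`), the CycloneDX step never runs, and the daily `licenses.json` artifact that `.clomonitor.yaml` advertises as the license-scanning source is never produced; change the line to `- uses: CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f # v2.0.0`. The schedule expression `0 3 * * *` is an unquoted plain scalar; it parses as a string today, but GitHub's own examples quote it, `- cron: '0 3 * * *'`, which also keeps YAML linters from flagging the bare `*`. Pinning each action to a full commit SHA with the version in a trailing comment and setting `permissions: read-all` are the right choices for a scheduled job that only reads the repository and uploads an artifact; if the scan is meant to stay retrievable from the linked workflow page, consider setting `retention-days` explicitly on the upload step rather than relying on the repository default.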
@@ -145,4 +151,3 @@ If you are implementing Kuma in a mission-critical environment and require enter
 [kuma-logo]: https://kuma-public-assets.s3.amazonaws.com/kuma-logo-v2.png
 [kuma-gui]: https://kuma-public-assets.s3.amazonaws.com/kuma-gui-v3.jpg
 [kuma-benefits]: https://kuma-public-assets.s3.amazonaws.com/kuma-benefits-v2.png
-