Check the license header for Notation and its dependencies

[FeynmanZhou]

What is the areas you would like to add the new feature to?

Notation CLI

Is your feature request related to a problem?

This is a requirement about scanning and checking whether code changes contain correct license headers and their dependencies in each PRchecking

What solution do you propose?

We want to check license headers and dependencies' licenses for Notation. This is important to align with the CNCF open-source compliance policy.

SkyWalking-Eyes might be a good tool to implement the license header check and can be integrated into the GitHub Actions workflow.

It will scan and check whether code changes contain correct license headers and their dependencies in each PR (CI). There is an example in ORAS: https://github.com/oras-project/oras/actions/runs/4912774337/jobs/8772170747

What alternatives have you considered?

N/A

Any additional context?

Two things we need to complete for this issue:

• Generate a template to generate the summary of dependencies' licenses
• Add this license check to GitHub Actions

[kokamkarsahil]

I have noticed it has been given write permission to run it, will it be fine to give it?

https://github.com/oras-project/oras/blob/3ff15bbcb516fe5f3a766fb37ac0d92efe15c98e/.github/workflows/license-checker.yml#L26-L28

There is also an official action by GitHub which can perform licence check: https://github.com/actions/dependency-review-action#configuration-options along with other features.
But there seems to be an open issue which can cause problems actions/dependency-review-action#459

Thank you!

The link the to Skywalking Action is broken https://github.com/marketplace/actions/license-eye correct link-> https://github.com/marketplace/actions/license-eye-header

[zr-msft]

@FeynmanZhou have you considered creating a NOTICE file to include the dependency licenses?

cc @toddysm

[FeynmanZhou]

@FeynmanZhou have you considered creating a NOTICE file to include the dependency licenses?

cc @toddysm

@zr-msft Not yet. Only Apache software has a requirement for creating a NOTICE file https://www.apache.org/legal/src-headers.html#notice. CNCF seems don't have such a requirement to include a NOTICE file for the project.