From 39a569808c2c0f748c0bb1b4e49add5e92505da4 Mon Sep 17 00:00:00 2001
From: Matteo Mortari
Date: Mon, 16 Sep 2024 20:06:25 +0200
Subject: [PATCH] gha: fossa license scanning (#324)

* gha: fossa license scanning

Signed-off-by: Matteo Mortari

* keep deprecated method for mount for TestContainers to avoid direct API dep.

Signed-off-by: Matteo Mortari

* refactor GHA, test

Signed-off-by: Matteo Mortari

* avoid license text in contributing leading to false positives

Signed-off-by: Matteo Mortari

* move to use fossas/fossa-action

Signed-off-by: Matteo Mortari

---------

Signed-off-by: Matteo Mortari
---
 .github/workflows/fossa-license-scanning.yml | 25 ++++++++++++++++++++
 CONTRIBUTING.md | 5 ----
 2 files changed, 25 insertions(+), 5 deletions(-)
 create mode 100644 .github/workflows/fossa-license-scanning.yml

diff --git a/.github/workflows/fossa-license-scanning.yml b/.github/workflows/fossa-license-scanning.yml
new file mode 100644
index 000000000..e291514cb
--- /dev/null
+++ b/.github/workflows/fossa-license-scanning.yml
@@ -0,0 +1,25 @@
+name: FOSSA License Scanning
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  fossa-scan:
+    if: github.repository_owner == 'kubeflow' # FOSSA is not intended to run on forks.
+    runs-on: ubuntu-latest
+    env:
+      # push-only token, intentional; see https://github.com/fossa-contrib/fossa-action?tab=readme-ov-file#push-only-api-token
+      # this also how other CNCF projects are doing e.g. https://github.com/cncf/foundation/issues/109
+      FOSSA_API_KEY: 80871bdd477c2c97f65e9822cae99d20 # This is a push-only token that is safe to be exposed.
+    steps:
+      - name: Checkout tree
+        uses: actions/checkout@v4
+
+      - name: Run FOSSA scan and upload build data
+        uses: fossas/fossa-action@v1.4.0
+        with:
+          api-key: ${{ env.FOSSA_API_KEY }}
+          project: "github.com/kubeflow/model-registry"
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 4f4ac85e3..02ef869c5 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
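Review bot: The new workflow declares no `permissions:` block, so the automatic GITHUB_TOKEN available to `actions/checkout` and `fossas/fossa-action` carries the repository's default permissions although the scan only needs to read the tree; add `permissions:` / `  contents: read` at the job or workflow level. Both third-party actions are referenced by mutable tags (`@v4`, `@v1.4.0`) while an API key is handed to them, so pin each to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: fossas/fossa-action@<full-sha> # v1.4.0`. The comment above `FOSSA_API_KEY` cites the fossa-contrib/fossa-action README, but the step actually uses `fossas/fossa-action`; point the comment at the documentation that matches the action in use, and state explicitly that a push-only key can presumably still be used by anyone who reads this file to upload build data under `github.com/kubeflow/model-registry`, so the exposure is an accepted trade-off for scanning fork pull requests rather than a property of the key being harmless.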
@@ -28,11 +28,6 @@ The make command shipped with Mac OSX (at the time of writing) is a bit old: ``` % make --version GNU Make 3.81 -Copyright (C) 2006 Free Software Foundation, Inc. -This is free software; see the source for copying conditions. -There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A -PARTICULAR PURPOSE. - This program built for i386-apple-darwin11.3.0 ```