gha: fossa license scanning (#324)

* gha: fossa license scanning

Signed-off-by: Matteo Mortari <[email protected]>

* keep deprecated method for mount for TestContainers to avoid direct API dep.

Signed-off-by: Matteo Mortari <[email protected]>

* refactor GHA, test

Signed-off-by: Matteo Mortari <[email protected]>

* avoid license text in contributing leading to false positives

Signed-off-by: Matteo Mortari <[email protected]>

* move to use fossas/fossa-action

Signed-off-by: Matteo Mortari <[email protected]>

---------

Signed-off-by: Matteo Mortari <[email protected]>

.github/workflows/fossa-license-scanning.yml

@@ -0,0 +1,25 @@
+name: FOSSA License Scanning
+
+on:
+    push:
+      branches:
+        - main
+    pull_request:
+
+jobs:
+  fossa-scan:
+    if: github.repository_owner == 'kubeflow' # FOSSA is not intended to run on forks.
+    runs-on: ubuntu-latest
+    env:
+      # push-only token, intentional; see https://github.com/fossa-contrib/fossa-action?tab=readme-ov-file#push-only-api-token
+      # this also how other CNCF projects are doing e.g. https://github.com/cncf/foundation/issues/109
+      FOSSA_API_KEY: 80871bdd477c2c97f65e9822cae99d20 # This is a push-only token that is safe to be exposed.
+    steps:
+      - name: Checkout tree
+        uses: actions/checkout@v4
+
+      - name: Run FOSSA scan and upload build data
+        uses: fossas/[email protected]
+        with:
+          api-key: ${{ env.FOSSA_API_KEY }}
+          project: "github.com/kubeflow/model-registry"

CONTRIBUTING.md

@@ -28,11 +28,6 @@ The make command shipped with Mac OSX (at the time of writing) is a bit old:
 ```
 % make --version
 GNU Make 3.81
-Copyright (C) 2006  Free Software Foundation, Inc.
-This is free software; see the source for copying conditions.
-There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
-PARTICULAR PURPOSE.
-
 This program built for i386-apple-darwin11.3.0
 ```