simplify handling of licenses

SgtCoDFish · SgtCoDFish · commit e8545c3df065 · 2025-06-16T18:35:29.000+01:00
Currently, changes to dependencies usually trigger a corresponding need
to run "make generate-go-licenses" to update the LICENSES file.

The ultimate aim of this file is to track that the licenses we use are
compliant with the policies we operate under (i.e. those of the CNCF).
As such, the most important thing is tracking when licenses change.

It isn't helpful for us to have to do busywork just to update the
version number of a dependency in the LICENSES file; that mostly serves
to break dependabot PRs and doesn't provide us with useful
functionality.

Instead, if we log out the module name and the license, we get the
ability to track and audit licenses, providing a useful signal when a
license changes or a new dependency is added that a maintainer should
take a careful look at what changed to ensure compliance.

Signed-off-by: Ashley Davis &lt;ashley.davis@cyberark.com&gt;
diff --git a/modules/licenses/01_mod.mk b/modules/licenses/01_mod.mk
@@ -30,11 +30,11 @@ generate-go-licenses: #
 shared_generate_targets += generate-go-licenses
 
 define licenses_target
-$1/LICENSES: $1/go.mod $(licenses_go_work) | $(NEEDS_GO-LICENSES)
+$1/LICENSES: $1/go.mod $(licenses_go_work) $(dir $(lastword $(MAKEFILE_LIST)))/licenses.tmpl | $(NEEDS_GO-LICENSES)
 	cd $$(dir $$@) && \
 		GOWORK=$(abspath $(licenses_go_work)) \
 		GOOS=linux GOARCH=amd64 \
-		$(GO-LICENSES) report --ignore "$$(license_ignore)" ./... > LICENSES
+		$(GO-LICENSES) report --ignore "$$(license_ignore)" --template $(dir $(lastword $(MAKEFILE_LIST)))/licenses.tmpl ./... > LICENSES
 
 generate-go-licenses: $1/LICENSES
 # The /LICENSE targets make sure these files exist.
diff --git a/modules/licenses/licenses.tmpl b/modules/licenses/licenses.tmpl
@@ -0,0 +1,24 @@
+This LICENSES file is generated by the `licenses` module in makefile-modules.
+
+The licenses below the "---" are determined by the go-licenses tool.
+
+The aim of this file is to collect the licenses of all dependencies, and provide
+a single source of truth for licenses used by this project.
+
+If CI reports that this file is out of date, you should be careful to check that the
+new licenses are acceptable for this project before running `make generate-go-licenses`
+to update this file.
+
+Acceptable licenses are those allowlisted by the CNCF[0].
+
+You MUST NOT add any new dependencies whose licenses are not allowlisted by the CNCF,
+or which do not have an explicit license exception[1].
+
+[0]: https://github.com/cncf/foundation/blob/db4179134ebe7fa00b140a050c19147db808b6fa/policies-guidance/allowed-third-party-license-policy.md#cncf-allowlist-license-policy
+[1]: https://github.com/cncf/foundation/blob/db4179134ebe7fa00b140a050c19147db808b6fa/license-exceptions/README.md
+
+---
+
+{{ range . -}}
+{{ .Name }},{{ .LicenseName }}
+{{ end -}}
