Dockerfile.licenses

# This Dockerfile produces an image that has only the licenses of dependencies
# used in the updater.
#
# LICENSE, and other legal notices, are collected by bottlerocket-license-scan
# to be organized into a project-wide conventional directory structure rooted at
# /licenses in the resulting image.

# SDK_IMAGE is the Bottlerocket SDK container image that provides
# `bottlerocket-license-scan` in it.
ARG SDK_IMAGE

# GOLANG_IMAGE is the image to be used for collecting modules. This should be
# the same image used in the build. The idea is to have the same toolchain to
# avoid running into any differences between versions.
ARG GOLANG_IMAGE=golang:1.19.1

# Fetch dependencies into a vendor/ directory.
#
# The first several steps should match that of the build's Dockerfile to share
# the go module package cache.
FROM $GOLANG_IMAGE as src
USER builder
WORKDIR /wrkdir
ENV GOPROXY=direct
# Sets the target architecture for the binary
ARG GOARCH
COPY ./updater /wrkdir/
RUN go mod download
# Unpack go modules into a vendor/ directory to run scanner on.
RUN go mod vendor

# Run the license scanner and dump its processed & collected license data to be
# used in distributed container image.
FROM $SDK_IMAGE as license-scan
COPY --from=src /wrkdir/vendor /wrkdir/vendor
COPY clarify.toml /wrkdir/clarify.toml
USER root
RUN bottlerocket-license-scan \
    --spdx-data /usr/libexec/tools/spdx-data \
    --out-dir /out/licenses \
    --clarify /wrkdir/clarify.toml \
    go-vendor /wrkdir/vendor

# Final container image has LICENSE files and accompanying attributions
# collected and produced by the license scanner.
FROM scratch as licenses
COPY --from=license-scan /out/licenses /licenses