Reject pull requests that change imported licenses

[cbandy]

We import dependencies that use a handful of open-source licenses. We want to be intentional about any change to these licenses, so this automation flags pull requests that do so.

Go modules are immutable, so checking during pull requests and pushes should suffice.

Checklist:

• Have you added an explanation of what your changes do and why you'd like them to be included?
• Have you updated or added documentation for the change, as applicable?
• Have you tested your changes on all related environments with successful results, as applicable?
  • Have you added automated tests?

Type of Changes:

• Testing enhancement
• Other

Other Information:

Issue: PGO-1556

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[cbandy]

Here's what it looks like when a license is not in the configured list: https://github.com/CrunchyData/postgres-operator/actions/runs/10914660621/job/30293145553?pr=3996

[benjaminjb]

So right now we're telling Trivy to ignore these licenses; if another license shows up that's not in this list, we'll get an alert because the job is configured with --exit-code=1: any license at any level -- Forbidden, Restricted, Unencumbered, et al. -- will alert if it is not ignored, right?

[cbandy]

Right. Every license that Trivy recognizes has a severity, and this job alerts on all severities.

We'll also be alerted if Trivy can't detect the license. Those get a severity of UNKNOWN.