Include vendored source in release-built images #1338
This adds logic to the nightly release Task that targz's up everything in vendor/ and includes it in ko-built container images. Some of our dependencies' licenses require their source to be included in distributed artifacts (like container images). Once we've determined this works fine for nightly releases, I'll copy this to publish.yaml so it's also done for official releases.
This looks straightforward enough to me.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: afrittoli, ImJasonH The full list of commands accepted by this bot can be found here. The pull request process is described here
Also worth pointing out: each released image grows by 11MB, but it's in a layer that's shared among all ko-built images in the repo, so it's only 11MB more once if you fetch each image in the set. The result to end users is that it takes 11MB-worth of time (<1 second) more to install the controller components, and might take 11MB-worth of time to start the first Pod on each new node.
tektoncd#1338 added this logic to the nightly release pipeline.
@imjasonh would you know which dependencies have a license that needs to have source shipped with the binary (and not just available on a public URL)?
I believe the main one was our dependency on hashicorp/golang-lru, which, being licensed under the Mozilla Public License, requires the source be made available when distributing.
I see, thanks. It seems from this discussion here: https://opensource.stackexchange.com/a/4783 that only a link to the source code needs to be referenced? Since IANAL, I wonder if I need to engage our legal department to clarify it properly 🤔