chore(license): replace cargo-bundle-licenses with dd-rust-license-tool (#1837)

## What does this PR do?

Replaces `cargo-bundle-licenses` with `dd-rust-license-tool` for third-party license tracking. This is the official Datadog tool for this purpose, already used by `datadog-lambda-extension` and other Datadog Rust projects.

## Motivation

The current `LICENSE-3rdparty.yml` file is 53,656 lines (4.8 MB) because `cargo-bundle-licenses` embeds full license texts for every dependency. This causes:

- **Frequent merge conflicts** on the first line (`root_name`) and throughout the file whenever dependencies change
- **Complex CI pipeline** requiring `sed` path normalization and manual `diff` to validate
- **Large diffs** that obscure actual code changes in PRs

`dd-rust-license-tool` generates a CSV with one line per dependency (component, origin, license SPDX ID, copyright), producing a 556-line (60 KB) file.

| | Before | After |
|---|---|---|
| Tool | `cargo-bundle-licenses` | `dd-rust-license-tool` |
| Format | YAML (full license texts) | CSV (SPDX IDs only) |
| File size | 4.8 MB (53,656 lines) | 60 KB (556 lines) |
| CI check | `cargo bundle-licenses` + `sed` + `diff` | `dd-rust-license-tool check` |
| Path normalization | Required (`sed` to handle registry path differences) | Not needed |
| Merge conflict risk | High | Low |

## Changes

- `LICENSE-3rdparty.yml` removed
- `LICENSE-3rdparty.csv` added (generated by `dd-rust-license-tool write`)
- `license-tool.toml` added with overrides for 4 crates missing metadata (`crunchy`, `value-bag-sval2`, `value-bag-serde1`, `stringmetrics`)
- `.github/workflows/lint.yml` simplified: replaced the `cargo-bundle-licenses` + sed + diff pipeline with `dd-rust-license-tool check`
- `scripts/update_license_3rdparty.sh` updated to use `dd-rust-license-tool write`

## How to test the change?

```
cargo install dd-rust-license-tool
dd-rust-license-tool check
```

To regenerate after dependency changes:
```
dd-rust-license-tool write
# or
./scripts/update_license_3rdparty.sh
```

Co-authored-by: jordan.gonzalez <jordan.gonzalez@datadoghq.com>

Author: duncanista

.github/CODEOWNERS

@@ -58,6 +58,7 @@ libdd-trace-protobuf                 @DataDog/serverless @DataDog/libdatadog-apm
 libdd-trace-stats                    @DataDog/apm-common-components-core
 libdd-trace-utils                    @DataDog/serverless @DataDog/libdatadog-apm
 LICENSE*                             @DataDog/libdatadog
+license-tool.toml                    @DataDog/libdatadog
 local-linux.Dockerfile               @DataDog/libdatadog
 NOTICE                               @DataDog/libdatadog
 README.md                            @DataDog/libdatadog

.github/workflows/lint.yml

@@ -75,70 +75,22 @@ jobs:
         # Exclude symbolizer-ffi from the checks (mostly imported code)
         run: '! find . \( -name "*.rs" -o -name "*.c" -o -name "*.sh" \)  -not -path "./symbolizer-ffi/*" -not -path "./datadog-ipc/plugins/*" -not -path "./datadog-ipc/tarpc/*" -print0 | xargs -0 licensecheck -c ".*" | grep -v "Apache License 2.0"'
 
-  # todo: fix upstream warnings; from the readme:
-  # The most common cause of missing licenses seems to be workspaces that
-  # don't include forward their license files. Go to the repo for the
-  # workspace and copy the relevant files from there.
-  # A package license may receive a confidence warning stating that
-  # cargo-bundle-licenses is "unsure" or "semi" confident. This means that
-  # when the found license was compared to a template license it was found to
-  # have diverged in more than a few words. You should verify that the licence
-  #  text is in fact correct in these cases.
   license-3rdparty:
     runs-on: ubuntu-latest
-    name: "Valid LICENSE-3rdparty.yml"
+    name: "Valid LICENSE-3rdparty.csv"
     steps:
       - name: Checkout sources
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
-      - run: stat LICENSE-3rdparty.yml
-      - name: Cache
+      - name: Cache dd-rust-license-tool
         uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # 4.2.2
         with:
           path: |
-            ~/.cargo/registry/
-            ~/.cargo/git/db/
-            ~/.cargo/bin/
+            ~/.cargo/bin/dd-rust-license-tool
             ~/.cargo/.crates.toml
-          # cache key contains current version of cargo-bundle-licenses
-          # when upstream version is updated we can bump the cache key version,
-          # to cache the latest version of the tool
-          key: "v1-4.0.0"
-      # cargo-bundle-licenses v2.0 doesn't understand path differences due to
-      # sparse vs git index, so force git.
-      - run: mkdir -p .cargo && printf "[registries.crates-io]\nprotocol = \"git\"\n" > .cargo/config.toml
-      - run: cargo install --version "4.0.0" cargo-bundle-licenses
-      - name: "Generate new LICENSE-3rdparty.yml and check against the previous"
-        env:
-          CARGO_HOME: "/tmp/dd-cargo"
-        run: |
-          # Run cargo bundle-licenses without directly checking against a previous snapshot
-          cargo bundle-licenses \
-            --format yaml \
-            --output /tmp/CI.yaml
-
-          # Normalize the paths in both files to ignore registry differences
-          sed -E 's/(registry\/src\/)[^\/]+/\1normalized_path/g' /tmp/CI.yaml > /tmp/CI_normalized.yaml
-          sed -E 's/(registry\/src\/)[^\/]+/\1normalized_path/g' LICENSE-3rdparty.yml > /tmp/LICENSE-3rdparty_normalized.yml
-
-          # Now perform the diff on the normalized files
-          if ! diff /tmp/CI_normalized.yaml /tmp/LICENSE-3rdparty_normalized.yml; then
-            echo "Differences detected (see above). You probably need to manually update the license files. To do so:"
-            echo "cargo install cargo-bundle-licenses"
-            echo "./scripts/update_license_3rdparty.sh"
-            echo "...and push a commit with the result. Also, bonus points if someone automates this, wink wink nudge nudge."
-            exit 1
-          fi
-
-          echo "No differences found."
-
-
-      - name: export the generated license file on failure
-        if: failure()
-        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # 4.6.1
-        with:
-          name: LICENSE-3rdparty.yml
-          path: /tmp/CI.yaml
-          overwrite: true
+            ~/.cargo/.crates2.json
+          key: dd-rust-license-tool-1.0.6
+      - run: cargo install dd-rust-license-tool --version "1.0.6" --locked
+      - run: dd-rust-license-tool check
 
   codeowners-validator:
     runs-on: ubuntu-latest