From b67f41ee41f88f2bca6ef81607a580cdd29dac4c Mon Sep 17 00:00:00 2001
From: Jan Kadlec
Date: Mon, 11 May 2026 15:15:14 +0200
Subject: [PATCH] ci: add FOSSA license scan workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds a self-contained workflow_dispatch GitHub Actions workflow that runs FOSSA analyze + test against the repo, replacing the manual Jenkins-based scan. Token comes from the FOSSA_API_KEY org secret; the repo still needs to be added to that secret's repos allowlist in terraform-github (separate PR by infra) before the first dispatch will authenticate. The job runs on the infra1-runners-arc / runners-small ARC group used by the rest of the repo's workflows (pre-merge, staging-tests, etc.) — the runners are accessible from this public repo even though the reusable fossa workflow at gooddata/github-actions isn't, hence this self-contained copy. Permissions are read-only. Actions are pinned by version tag (actions/checkout@v6, fossas/fossa-action@v1.9.0) to match the repo convention. The .fossa.yml is scoped via paths.only to the seven published gooddata-* workspace packages plus the generated gooddata-api-client. Phase 0 local verification with fossa-cli 3.17.5 confirmed all declared deps across these targets are picked up (pdm strategy for each pyproject.toml, setuptools for gooddata-api-client). tests-support and scripts/ are intentionally excluded as internal helpers. The branch input defaults to master so dispatches without an explicit override attach the scan to the master branch in the FOSSA dashboard.
JIRA: TRIVIAL
risk: nonprod
---
 .fossa.yml | 23 ++++++++++-------
 .github/workflows/fossa.yaml | 50 ++++++++++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+), 9 deletions(-)
 create mode 100644 .github/workflows/fossa.yaml

diff --git a/.fossa.yml b/.fossa.yml
index 6a959204a..16c31db02 100644
--- a/.fossa.yml
+++ b/.fossa.yml
@@ -7,12 +7,17 @@ project:
 telemetry:
 scope: 'off'
-# We need to specify it per-each package. See fossa_* branches.
-# targets:
-# only:
-# - type: pipenv
-# path: path-here
-#
-# paths:
-# only:
-# - path-here
+# Scope the scan to the published gooddata-* workspace packages + the
+# generated gooddata-api-client. Each pyproject.toml is scanned independently
+# (FOSSA's pdm strategy reports declared deps); the gooddata-api-client setup.py
+# is read by setuptools. Internal helpers (tests-support, scripts) are excluded.
+paths:
+ only:
+ - packages/gooddata-sdk
+ - packages/gooddata-pandas
+ - packages/gooddata-dbt
+ - packages/gooddata-fdw
+ - packages/gooddata-flight-server
+ - packages/gooddata-flexconnect
+ - packages/gooddata-pipelines
+ - gooddata-api-client
diff --git a/.github/workflows/fossa.yaml b/.github/workflows/fossa.yaml
new file mode 100644
index 000000000..9f1d85e9a
--- /dev/null
+++ b/.github/workflows/fossa.yaml
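Review bot: `paths.only` is an allowlist, so a `packages/gooddata-*` package added later is silently left out of the license scan until this list is updated, and the new comment block explains what is in and out but not that maintenance obligation. I would add one line to the comment, e.g. `# NOTE: allowlist - every new published package must be added here or FOSSA never sees its deps.`, so the gap is visible to whoever adds the next package. If fossa-cli's config offers an exclusion form for the two internal helpers instead, that would make the default safe for new packages; I have not verified that from this hunk, so it is worth a check before the next package lands.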
@@ -0,0 +1,50 @@
+# (C) 2026 GoodData Corporation
+name: FOSSA scan
+
+on:
+ workflow_dispatch:
+ inputs:
+ branch:
+ description: Branch label to attach to the FOSSA scan.
+ required: false
+ default: master
+
+concurrency:
+ group: fossa-${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ fossa:
+ name: FOSSA scan
+ runs-on:
+ group: infra1-runners-arc
+ labels: runners-small
+ permissions:
+ contents: read
+ steps:
+ - name: Checkout the code
+ uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+
+ - name: Check that .fossa.yml exists
+ shell: bash
+ run: |
+ [ -f ./.fossa.yml ] || { echo "Missing .fossa.yml in repo root; FOSSA needs it for project id." >&2; exit 1; }
+
+ - name: Workaround for "no targets found" error
+ shell: bash
+ run: |
+ [ -f ./requirements.txt ] || touch ./requirements.txt
+
+ - name: Run FOSSA analyze
+ uses: fossas/fossa-action@v1.9.0
+ with:
+ api-key: ${{ secrets.FOSSA_API_KEY }}
+ branch: ${{ inputs.branch }}
+
+ - name: Run FOSSA test (policy gate)
+ uses: fossas/fossa-action@v1.9.0
+ with:
+ api-key: ${{ secrets.FOSSA_API_KEY }}
+ run-tests: true
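Review bot: Both `fossas/fossa-action` steps hand the org-wide `FOSSA_API_KEY` to a third-party action that is pinned only by the mutable tag `v1.9.0`, so a retargeted tag would run different code with that secret; the commit message cites the repo's tag convention, but steps that pass a secret to external code are exactly where a full commit SHA pin earns its keep, e.g. `uses: fossas/fossa-action@<full-commit-sha>  # v1.9.0` (and likewise for `actions/checkout@v6`). Separately, the workaround step touches `./requirements.txt` at the repo root, which lies outside every `paths.only` entry added to `.fossa.yml` in this same commit; whether an out-of-scope file still satisfies the "no targets found" case is not evident from the hunk, so either confirm it against fossa-cli or drop the step. A one-line comment above `permissions:` such as `# read-only: analyze/test only need the checkout plus the API key` would also help the next editor resist widening it.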