ci: add FOSSA license scan workflow#1596
Merged
Merged
Conversation
Adds a self-contained workflow_dispatch GitHub Actions workflow that runs FOSSA analyze + test against the repo, replacing the manual Jenkins-based scan. Token comes from the FOSSA_API_KEY org secret; the repo still needs to be added to that secret's repos allowlist in terraform-github (separate PR by infra) before the first dispatch will authenticate. The job runs on the infra1-runners-arc / runners-small ARC group used by the rest of the repo's workflows (pre-merge, staging-tests, etc.) — the runners are accessible from this public repo even though the reusable fossa workflow at gooddata/github-actions isn't, hence this self-contained copy. Permissions are read-only. Actions are pinned by version tag (actions/checkout@v6, fossas/fossa-action@v1.9.0) to match the repo convention. The .fossa.yml is scoped via paths.only to the seven published gooddata-* workspace packages plus the generated gooddata-api-client. Phase 0 local verification with fossa-cli 3.17.5 confirmed all declared deps across these targets are picked up (pdm strategy for each pyproject.toml, setuptools for gooddata-api-client). tests-support and scripts/ are intentionally excluded as internal helpers. The branch input defaults to master so dispatches without an explicit override attach the scan to the master branch in the FOSSA dashboard. JIRA: TRIVIAL risk: nonprod
no23reason
approved these changes
May 11, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a self-contained
workflow_dispatchGitHub Actions workflow that runs FOSSA analyze + test against the repo, replacing the manual Jenkins-based scan in.fossa/. Token comes from theFOSSA_API_KEYorg secret; both third-party actions (fossas/fossa-action@v1.9.0,actions/checkout@v6.0.2) are pinned by full commit SHA per public-repo best practice. Runs onubuntu-latestwith read-only permissions — no internal-runner or Vault dependency..fossa.ymlis scoped viapaths.onlyto the seven publishedgooddata-*workspace packages plus the generatedgooddata-api-client. Phase 0 local verification with fossa-cli 3.17.5 confirmed all declared deps are picked up across these targets (FOSSA pdm strategy reads eachpyproject.toml; setuptools readsgooddata-api-client/setup.py).tests-supportandscripts/are intentionally excluded as internal helpers.Prerequisite (out-of-PR, infra):
gooddata-python-sdkmust be added to thereposallowlist of the org-levelFOSSA_API_KEYsecret ingooddata/terraform-github. Until that lands, the FOSSA step on a manual dispatch will fail at authentication — that's expected.Scope note: the whitelist limits the scan to declared deps only — no transitive resolution. Broadening to a root
uv.lock-based scan would surface the full transitive graph but also pull in dev/test/lint tooling; can be tightened or broadened in a follow-up based on what the FOSSA dashboard view looks like after the first scan.The legacy
.fossa/Jenkins flow andgdc_fossa.yamlare left untouched in this PR; their cleanup is a separate concern once the GHA-based scan is verified green.Test plan
JIRA: TRIVIAL
risk: nonprod