diff --git a/.fossa.yml b/.fossa.yml
index 16c31db02..40891e5f2 100644
--- a/.fossa.yml
+++ b/.fossa.yml
@@ -1,23 +1,16 @@
 # (C) 2023 GoodData Corporation
 version: 3
+# The canonical FOSSA configuration lives in .github/workflows/fossa.yaml,
+# which generates a per-package .fossa.yml on each scan and uploads to one
+# FOSSA project per published artifact (gooddata-sdk, gooddata-pandas, ...).
+#
+# This anchor file exists so that running `fossa analyze` locally without
+# arguments has a sane default. It points at the legacy roll-up project
+# (gooddata-python-sdk) on purpose — local ad-hoc runs go to the legacy
+# project so they cannot accidentally pollute the per-package projects.
 project:
 id: gooddata-python-sdk
 telemetry:
 scope: 'off'
-
-# Scope the scan to the published gooddata-* workspace packages + the
-# generated gooddata-api-client. Each pyproject.toml is scanned independently
-# (FOSSA's pdm strategy reports declared deps); the gooddata-api-client setup.py
-# is read by setuptools. Internal helpers (tests-support, scripts) are excluded.
-paths:
- only:
- - packages/gooddata-sdk
- - packages/gooddata-pandas
- - packages/gooddata-dbt
- - packages/gooddata-fdw
- - packages/gooddata-flight-server
- - packages/gooddata-flexconnect
- - packages/gooddata-pipelines
- - gooddata-api-client
diff --git a/.github/workflows/fossa.yaml b/.github/workflows/fossa.yaml
index 9f1d85e9a..32c8ad191 100644
--- a/.github/workflows/fossa.yaml
+++ b/.github/workflows/fossa.yaml
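Review bot: Dropping `paths.only` silently widens what a local `fossa analyze` uploads to the legacy gooddata-python-sdk project: the removed block limited the scan to the published packages plus gooddata-api-client and, per its own comment, deliberately kept the internal helpers (tests-support, scripts) out, so the roll-up's license inventory will now include those helpers' dependencies and no longer match what earlier uploads to that project reported. If the legacy project is still consulted for attribution or policy gates, keep the scoping (the old `paths: only:` list, or an equivalent `paths: exclude:` for the tests-support and scripts directories — exact paths are not visible here), or say explicitly in the new header comment that the roll-up is now a whole-repo scan and why that is acceptable. The claim that local runs "cannot accidentally pollute the per-package projects" holds only while nobody passes `--project` on the command line; a sentence such as `# Do not pass --project locally; the per-package projects are written only by CI.` would make that intent explicit.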
@@ -5,32 +5,68 @@ on: workflow_dispatch: inputs: branch: - description: Branch label to attach to the FOSSA scan. + description: Override the FOSSA branch label (defaults to the dispatched git ref). required: false - default: master + default: "" concurrency: group: fossa-${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +# Each PyPI artifact is scanned as its own FOSSA project so license inventory, +# policy gates, and attribution reports match what is actually shipped. The +# FOSSA "branch" axis is left to its intended purpose (track license drift +# across git branches over time). jobs: fossa: - name: FOSSA scan + name: FOSSA ${{ matrix.package.project }} runs-on: group: infra1-runners-arc labels: runners-small permissions: contents: read + strategy: + fail-fast: false + matrix: + package: + - { path: packages/gooddata-sdk, project: gooddata-sdk } + - { path: packages/gooddata-pandas, project: gooddata-pandas } + - { path: packages/gooddata-dbt, project: gooddata-dbt } + - { path: packages/gooddata-fdw, project: gooddata-fdw } + - { path: packages/gooddata-flight-server, project: gooddata-flight-server } + - { path: packages/gooddata-flexconnect, project: gooddata-flexconnect } + - { path: packages/gooddata-pipelines, project: gooddata-pipelines } + - { path: gooddata-api-client, project: gooddata-api-client } steps: - name: Checkout the code uses: actions/checkout@v6 with: fetch-depth: 0 - - name: Check that .fossa.yml exists + - name: Scope .fossa.yml to ${{ matrix.package.project }} shell: bash run: | - [ -f ./.fossa.yml ] || { echo "Missing .fossa.yml in repo root; FOSSA needs it for project id." >&2; exit 1; } + # Read the workspace version from the root pyproject.toml so the + # FOSSA release in the gooddata-python-sdk release group tracks + # the SDK version we ship. 
+ VERSION=$(awk -F'"' '/^version = /{print $2; exit}' pyproject.toml) + if [ -z "$VERSION" ]; then + echo "Could not parse workspace version from pyproject.toml" >&2 + exit 1 + fi + cat > .fossa.yml <