From 9361b7cf25c20cb8284d51f0cb20fc5c306e7f18 Mon Sep 17 00:00:00 2001 From: Jan Kadlec Date: Mon, 11 May 2026 16:37:25 +0200 Subject: [PATCH 1/2] ci: scan each published package as its own FOSSA project Switch the FOSSA workflow from a single gooddata-python-sdk project (with all 8 packages' deps merged) to one FOSSA project per PyPI artifact: gooddata-sdk, gooddata-pandas, gooddata-dbt, gooddata-fdw, gooddata-flight-server, gooddata-flexconnect, gooddata-pipelines, and gooddata-api-client. This aligns FOSSA's data model with how the artifacts are actually shipped: each PyPI package has its own license inventory, attribution report, and policy gate, and the FOSSA "branch" axis is freed up for its intended purpose (tracking license drift across git branches over time). The legacy gooddata-python-sdk project keeps the historical fossa_gd_* branch snapshots; new scans no longer write to it. Local `fossa analyze` invocations still target the legacy project via the committed .fossa.yml so ad-hoc runs cannot accidentally pollute the per-package projects. Implementation is a matrix workflow: each shard rewrites .fossa.yml with its project id + paths.only, then runs fossa-action's analyze and test steps. fail-fast is disabled so one package's policy failure does not mask the others. The branch label defaults to github.ref_name (the dispatched git ref) with an optional manual override input. Prerequisites for the first dispatch to fully succeed: - The seven new FOSSA project ids must be auto-creatable (or pre- provisioned) by an admin if the org restricts project creation. - Confirm with whoever owns the FOSSA contract that moving from 1 to 8 projects has no licensing/billing impact under the current plan. JIRA: TRIVIAL risk: nonprod --- .fossa.yml | 23 ++++++++-------------- .github/workflows/fossa.yaml | 38 ++++++++++++++++++++++++++++++------ 2 files changed, 40 insertions(+), 21 deletions(-) diff --git a/.fossa.yml b/.fossa.yml index 16c31db02..40891e5f2 100644 
--- a/.fossa.yml +++ b/.fossa.yml @@ -1,23 +1,16 @@ # (C) 2023 GoodData Corporation version: 3 +# The canonical FOSSA configuration lives in .github/workflows/fossa.yaml, +# which generates a per-package .fossa.yml on each scan and uploads to one +# FOSSA project per published artifact (gooddata-sdk, gooddata-pandas, ...). +# +# This anchor file exists so that running `fossa analyze` locally without +# arguments has a sane default. It points at the legacy roll-up project +# (gooddata-python-sdk) on purpose — local ad-hoc runs go to the legacy +# project so they cannot accidentally pollute the per-package projects. project: id: gooddata-python-sdk telemetry: scope: 'off' - -# Scope the scan to the published gooddata-* workspace packages + the -# generated gooddata-api-client. Each pyproject.toml is scanned independently -# (FOSSA's pdm strategy reports declared deps); the gooddata-api-client setup.py -# is read by setuptools. Internal helpers (tests-support, scripts) are excluded. -paths: - only: - - packages/gooddata-sdk - - packages/gooddata-pandas - - packages/gooddata-dbt - - packages/gooddata-fdw - - packages/gooddata-flight-server - - packages/gooddata-flexconnect - - packages/gooddata-pipelines - - gooddata-api-client diff --git a/.github/workflows/fossa.yaml b/.github/workflows/fossa.yaml index 9f1d85e9a..6f97392e5 100644 --- a/.github/workflows/fossa.yaml +++ b/.github/workflows/fossa.yaml 
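Review bot: Removing `paths.only` from the committed .fossa.yml widens what a bare local `fossa analyze` scans from the eight published packages to the whole checkout, including the tests-support and scripts helpers that the removed comment says were deliberately excluded, so the legacy gooddata-python-sdk project would now receive a different inventory than any of its historical fossa_gd_* snapshots. If this file's only job is a safe default target for ad-hoc runs, keep the old `paths.only` list here (it is still the union of the matrix paths) so a local run and the CI shards scope the same code. The new comment should also say that `fossa analyze` uploads by default and that a purely local check should use the CLI's output-only mode (`--output`, if I recall the v3 flag correctly — confirm against the CLI version in use), since the stated goal is to avoid polluting any project.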
@@ -5,32 +5,57 @@ on: workflow_dispatch: inputs: branch: - description: Branch label to attach to the FOSSA scan. + description: Override the FOSSA branch label (defaults to the dispatched git ref). required: false - default: master + default: "" concurrency: group: fossa-${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +# Each PyPI artifact is scanned as its own FOSSA project so license inventory, +# policy gates, and attribution reports match what is actually shipped. The +# FOSSA "branch" axis is left to its intended purpose (track license drift +# across git branches over time). jobs: fossa: - name: FOSSA scan + name: FOSSA ${{ matrix.package.project }} runs-on: group: infra1-runners-arc labels: runners-small permissions: contents: read + strategy: + fail-fast: false + matrix: + package: + - { path: packages/gooddata-sdk, project: gooddata-sdk } + - { path: packages/gooddata-pandas, project: gooddata-pandas } + - { path: packages/gooddata-dbt, project: gooddata-dbt } + - { path: packages/gooddata-fdw, project: gooddata-fdw } + - { path: packages/gooddata-flight-server, project: gooddata-flight-server } + - { path: packages/gooddata-flexconnect, project: gooddata-flexconnect } + - { path: packages/gooddata-pipelines, project: gooddata-pipelines } + - { path: gooddata-api-client, project: gooddata-api-client } steps: - name: Checkout the code uses: actions/checkout@v6 with: fetch-depth: 0 - - name: Check that .fossa.yml exists + - name: Scope .fossa.yml to ${{ matrix.package.project }} shell: bash run: | - [ -f ./.fossa.yml ] || { echo "Missing .fossa.yml in repo root; FOSSA needs it for project id." >&2; exit 1; } + cat > .fossa.yml < Date: Tue, 12 May 2026 08:22:23 +0200 Subject: [PATCH 2/2] ci: aggregate per-package FOSSA projects under a release group Each per-package FOSSA project is now attached to the gooddata-python-sdk release group at scan time. 
This matches the org-wide monorepo pattern (the FOSSA org already manages ~30 release groups across other monorepos) and gives a roll-up dashboard that aggregates license inventory across all eight published artifacts while preserving the per-package projects' independent attribution reports and policy gates. The release name is the workspace version read from the root pyproject.toml at scan time, so each gooddata-python-sdk release (1.65.0, 1.66.0, ...) gets its own snapshot in the release group's history. Prerequisite: the gooddata-python-sdk release group must exist in the FOSSA UI before the first dispatch (admin step via fossa release-group create or the dashboard). fossa-action's analyze upload attaches projects to an existing release group but does not create one. JIRA: TRIVIAL risk: nonprod --- .github/workflows/fossa.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.github/workflows/fossa.yaml b/.github/workflows/fossa.yaml index 6f97392e5..32c8ad191 100644 --- a/.github/workflows/fossa.yaml +++ b/.github/workflows/fossa.yaml @@ -46,10 +46,21 @@ jobs: - name: Scope .fossa.yml to ${{ matrix.package.project }} shell: bash run: | + # Read the workspace version from the root pyproject.toml so the + # FOSSA release in the gooddata-python-sdk release group tracks + # the SDK version we ship. + VERSION=$(awk -F'"' '/^version = /{print $2; exit}' pyproject.toml) + if [ -z "$VERSION" ]; then + echo "Could not parse workspace version from pyproject.toml" >&2 + exit 1 + fi cat > .fossa.yml <