ci: scan each published package as its own FOSSA project

.fossa.yml

@@ -1,23 +1,16 @@
 # (C) 2023 GoodData Corporation
 version: 3
 
+# The canonical FOSSA configuration lives in .github/workflows/fossa.yaml,
+# which generates a per-package .fossa.yml on each scan and uploads to one
+# FOSSA project per published artifact (gooddata-sdk, gooddata-pandas, ...).
+#
+# This anchor file exists so that running `fossa analyze` locally without
+# arguments has a sane default. It points at the legacy roll-up project
+# (gooddata-python-sdk) on purpose — local ad-hoc runs go to the legacy
+# project so they cannot accidentally pollute the per-package projects.
 project:
   id: gooddata-python-sdk
 
 telemetry:
   scope: 'off'
-
-# Scope the scan to the published gooddata-* workspace packages + the
-# generated gooddata-api-client. Each pyproject.toml is scanned independently
-# (FOSSA's pdm strategy reports declared deps); the gooddata-api-client setup.py
-# is read by setuptools. Internal helpers (tests-support, scripts) are excluded.
-paths:
-  only:
-    - packages/gooddata-sdk
-    - packages/gooddata-pandas
-    - packages/gooddata-dbt
-    - packages/gooddata-fdw
-    - packages/gooddata-flight-server
-    - packages/gooddata-flexconnect
-    - packages/gooddata-pipelines
-    - gooddata-api-client

.github/workflows/fossa.yaml

@@ -5,32 +5,68 @@ on:
   workflow_dispatch:
     inputs:
       branch:
-        description: Branch label to attach to the FOSSA scan.
+        description: Override the FOSSA branch label (defaults to the dispatched git ref).
         required: false
-        default: master
+        default: ""
 
 concurrency:
   group: fossa-${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Each PyPI artifact is scanned as its own FOSSA project so license inventory,
+# policy gates, and attribution reports match what is actually shipped. The
+# FOSSA "branch" axis is left to its intended purpose (track license drift
+# across git branches over time).
 jobs:
   fossa:
-    name: FOSSA scan
+    name: FOSSA ${{ matrix.package.project }}
     runs-on:
       group: infra1-runners-arc
       labels: runners-small
     permissions:
       contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        package:
+          - { path: packages/gooddata-sdk,           project: gooddata-sdk }
+          - { path: packages/gooddata-pandas,        project: gooddata-pandas }
+          - { path: packages/gooddata-dbt,           project: gooddata-dbt }
+          - { path: packages/gooddata-fdw,           project: gooddata-fdw }
+          - { path: packages/gooddata-flight-server, project: gooddata-flight-server }
+          - { path: packages/gooddata-flexconnect,   project: gooddata-flexconnect }
+          - { path: packages/gooddata-pipelines,     project: gooddata-pipelines }
+          - { path: gooddata-api-client,             project: gooddata-api-client }
     steps:
       - name: Checkout the code
         uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
-      - name: Check that .fossa.yml exists
+      - name: Scope .fossa.yml to ${{ matrix.package.project }}
         shell: bash
         run: |
-          [ -f ./.fossa.yml ] || { echo "Missing .fossa.yml in repo root; FOSSA needs it for project id." >&2; exit 1; }
+          # Read the workspace version from the root pyproject.toml so the
+          # FOSSA release in the gooddata-python-sdk release group tracks
+          # the SDK version we ship.
+          VERSION=$(awk -F'"' '/^version = /{print $2; exit}' pyproject.toml)
+          if [ -z "$VERSION" ]; then
+            echo "Could not parse workspace version from pyproject.toml" >&2
+            exit 1
+          fi
+          cat > .fossa.yml <<EOF
+          version: 3
+          project:
+            id: ${{ matrix.package.project }}
+            releaseGroup:
+              name: gooddata-python-sdk
+              release: "${VERSION}"
+          telemetry:
+            scope: 'off'
+          paths:
+            only:
+              - ${{ matrix.package.path }}
+          EOF
 
       - name: Workaround for "no targets found" error
         shell: bash
@@ -41,10 +77,11 @@ jobs:
         uses: fossas/fossa-action@v1.9.0
         with:
           api-key: ${{ secrets.FOSSA_API_KEY }}
-          branch: ${{ inputs.branch }}
+          branch: ${{ inputs.branch != '' && inputs.branch || github.ref_name }}
 
       - name: Run FOSSA test (policy gate)
         uses: fossas/fossa-action@v1.9.0
         with:
           api-key: ${{ secrets.FOSSA_API_KEY }}
           run-tests: true
+          branch: ${{ inputs.branch != '' && inputs.branch || github.ref_name }}