ci: scan each published package as its own FOSSA project

Switch the FOSSA workflow from a single gooddata-python-sdk project (with
all 8 packages' deps merged) to one FOSSA project per PyPI artifact:
gooddata-sdk, gooddata-pandas, gooddata-dbt, gooddata-fdw,
gooddata-flight-server, gooddata-flexconnect, gooddata-pipelines, and
gooddata-api-client.

This aligns FOSSA's data model with how the artifacts are actually
shipped: each PyPI package has its own license inventory, attribution
report, and policy gate, and the FOSSA "branch" axis is freed up for
its intended purpose (tracking license drift across git branches over
time).

The legacy gooddata-python-sdk project keeps the historical
fossa_gd_* branch snapshots; new scans no longer write to it.
Local `fossa analyze` invocations still target the legacy project
via the committed .fossa.yml so ad-hoc runs cannot accidentally
pollute the per-package projects.

Implementation is a matrix workflow: each shard rewrites .fossa.yml
with its project id + paths.only, then runs fossa-action's analyze
and test steps. fail-fast is disabled so one package's policy
failure does not mask the others. The branch label defaults to
github.ref_name (the dispatched git ref) with an optional manual
override input.

Prerequisites for the first dispatch to fully succeed:
- The seven new FOSSA project ids must be auto-creatable (or pre-
  provisioned) by an admin if the org restricts project creation.
- Confirm with whoever owns the FOSSA contract that moving from 1 to
  8 projects has no licensing/billing impact under the current plan.

JIRA: TRIVIAL
risk: nonprod

Author: hkad98

.fossa.yml

@@ -1,23 +1,16 @@
 # (C) 2023 GoodData Corporation
 version: 3
 
+# The canonical FOSSA configuration lives in .github/workflows/fossa.yaml,
+# which generates a per-package .fossa.yml on each scan and uploads to one
+# FOSSA project per published artifact (gooddata-sdk, gooddata-pandas, ...).
+#
+# This anchor file exists so that running `fossa analyze` locally without
+# arguments has a sane default. It points at the legacy roll-up project
+# (gooddata-python-sdk) on purpose — local ad-hoc runs go to the legacy
+# project so they cannot accidentally pollute the per-package projects.
 project:
   id: gooddata-python-sdk
 
 telemetry:
   scope: 'off'
-
-# Scope the scan to the published gooddata-* workspace packages + the
-# generated gooddata-api-client. Each pyproject.toml is scanned independently
-# (FOSSA's pdm strategy reports declared deps); the gooddata-api-client setup.py
-# is read by setuptools. Internal helpers (tests-support, scripts) are excluded.
-paths:
-  only:
-    - packages/gooddata-sdk
-    - packages/gooddata-pandas
-    - packages/gooddata-dbt
-    - packages/gooddata-fdw
-    - packages/gooddata-flight-server
-    - packages/gooddata-flexconnect
-    - packages/gooddata-pipelines
-    - gooddata-api-client

.github/workflows/fossa.yaml

@@ -5,32 +5,57 @@ on:
   workflow_dispatch:
     inputs:
       branch:
-        description: Branch label to attach to the FOSSA scan.
+        description: Override the FOSSA branch label (defaults to the dispatched git ref).
         required: false
-        default: master
+        default: ""
 
 concurrency:
   group: fossa-${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Each PyPI artifact is scanned as its own FOSSA project so license inventory,
+# policy gates, and attribution reports match what is actually shipped. The
+# FOSSA "branch" axis is left to its intended purpose (track license drift
+# across git branches over time).
 jobs:
   fossa:
-    name: FOSSA scan
+    name: FOSSA ${{ matrix.package.project }}
     runs-on:
       group: infra1-runners-arc
       labels: runners-small
     permissions:
       contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        package:
+          - { path: packages/gooddata-sdk,           project: gooddata-sdk }
+          - { path: packages/gooddata-pandas,        project: gooddata-pandas }
+          - { path: packages/gooddata-dbt,           project: gooddata-dbt }
+          - { path: packages/gooddata-fdw,           project: gooddata-fdw }
+          - { path: packages/gooddata-flight-server, project: gooddata-flight-server }
+          - { path: packages/gooddata-flexconnect,   project: gooddata-flexconnect }
+          - { path: packages/gooddata-pipelines,     project: gooddata-pipelines }
+          - { path: gooddata-api-client,             project: gooddata-api-client }
     steps:
       - name: Checkout the code
         uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
-      - name: Check that .fossa.yml exists
+      - name: Scope .fossa.yml to ${{ matrix.package.project }}
         shell: bash
         run: |
-          [ -f ./.fossa.yml ] || { echo "Missing .fossa.yml in repo root; FOSSA needs it for project id." >&2; exit 1; }
+          cat > .fossa.yml <<EOF
+          version: 3
+          project:
+            id: ${{ matrix.package.project }}
+          telemetry:
+            scope: 'off'
+          paths:
+            only:
+              - ${{ matrix.package.path }}
+          EOF
 
       - name: Workaround for "no targets found" error
         shell: bash
@@ -41,10 +66,11 @@ jobs:
         uses: fossas/fossa-action@v1.9.0
         with:
           api-key: ${{ secrets.FOSSA_API_KEY }}
-          branch: ${{ inputs.branch }}
+          branch: ${{ inputs.branch != '' && inputs.branch || github.ref_name }}
 
       - name: Run FOSSA test (policy gate)
         uses: fossas/fossa-action@v1.9.0
         with:
           api-key: ${{ secrets.FOSSA_API_KEY }}
           run-tests: true
+          branch: ${{ inputs.branch != '' && inputs.branch || github.ref_name }}