ci: add FOSSA license scan workflow

hkad98 · hkad98 · commit e3524c5376ff · 2026-05-11T14:21:42.000+02:00
Adds a self-contained workflow_dispatch GitHub Actions workflow that runs
FOSSA analyze + test against the repo, replacing the manual Jenkins-based
scan. Token comes from the FOSSA_API_KEY org secret; the repo still needs
to be added to that secret's repos allowlist in terraform-github (separate
PR by infra) before the first dispatch will authenticate.

Both fossas/fossa-action@v1.9.0 and actions/checkout@v6.0.2 are pinned by
full commit SHA per public-repo best practice. The job has read-only
permissions and uses ubuntu-latest (no internal runner / Vault dependency,
unlike the gooddata/github-actions reference workflow).

The .fossa.yml is scoped via paths.only to the seven published
gooddata-* workspace packages and the generated gooddata-api-client.
Phase 0 local verification with fossa-cli 3.17.5 confirmed all declared
deps across these targets are picked up (pdm strategy for each
pyproject.toml, setuptools for gooddata-api-client). tests-support
and scripts/ are intentionally excluded as internal helpers.

Note: this whitelist limits scanning to declared deps only — no
transitive resolution. Switching to a root uv.lock scan would broaden
coverage but also pull in dev/test/lint tooling; tighten or broaden in
a follow-up if the FOSSA dashboard view warrants it.

JIRA: TRIVIAL
risk: nonprod
diff --git a/.fossa.yml b/.fossa.yml
@@ -7,12 +7,17 @@ project:
 telemetry:
   scope: 'off'
 
-# We need to specify it per-each package. See fossa_* branches.
-# targets:
-#   only:
-#     - type: pipenv
-#       path: path-here
-#
-# paths:
-#   only:
-#     - path-here
+# Scope the scan to the published gooddata-* workspace packages + the
+# generated gooddata-api-client. Each pyproject.toml is scanned independently
+# (FOSSA's pdm strategy reports declared deps); the gooddata-api-client setup.py
+# is read by setuptools. Internal helpers (tests-support, scripts) are excluded.
+paths:
+  only:
+    - packages/gooddata-sdk
+    - packages/gooddata-pandas
+    - packages/gooddata-dbt
+    - packages/gooddata-fdw
+    - packages/gooddata-flight-server
+    - packages/gooddata-flexconnect
+    - packages/gooddata-pipelines
+    - gooddata-api-client
diff --git a/.github/workflows/fossa.yaml b/.github/workflows/fossa.yaml
@@ -0,0 +1,48 @@
+# (C) 2026 GoodData Corporation
+name: FOSSA scan
+
+on:
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: Branch label to attach to the FOSSA scan (defaults to the dispatched ref).
+        required: false
+        default: ""
+
+concurrency:
+  group: fossa-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  fossa:
+    name: FOSSA scan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout the code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Check that .fossa.yml exists
+        shell: bash
+        run: |
+          [ -f ./.fossa.yml ] || { echo "Missing .fossa.yml in repo root; FOSSA needs it for project id." >&2; exit 1; }
+
+      - name: Workaround for "no targets found" error
+        shell: bash
+        run: |
+          [ -f ./requirements.txt ] || touch ./requirements.txt
+
+      - name: Run FOSSA analyze
+        uses: fossas/fossa-action@ff70fe9fe17cbd2040648f1c45e8ec4e4884dcf3  # v1.9.0
+        with:
+          api-key: ${{ secrets.FOSSA_API_KEY }}
+          branch: ${{ inputs.branch != '' && inputs.branch || github.ref_name }}
+
+      - name: Run FOSSA test (policy gate)
+        uses: fossas/fossa-action@ff70fe9fe17cbd2040648f1c45e8ec4e4884dcf3  # v1.9.0
+        with:
+          api-key: ${{ secrets.FOSSA_API_KEY }}
+          run-tests: true
