From 9325bcfe33befa4266f416f8655ade3d272085ad Mon Sep 17 00:00:00 2001 From: Jan Kadlec Date: Mon, 11 May 2026 16:37:25 +0200 Subject: [PATCH 1/7] ci: scan each published package as its own FOSSA project Switch the FOSSA workflow from a single gooddata-python-sdk project (with all 8 packages' deps merged) to one FOSSA project per PyPI artifact: gooddata-sdk, gooddata-pandas, gooddata-dbt, gooddata-fdw, gooddata-flight-server, gooddata-flexconnect, gooddata-pipelines, and gooddata-api-client. This aligns FOSSA's data model with how the artifacts are actually shipped: each PyPI package has its own license inventory, attribution report, and policy gate, and the FOSSA "branch" axis is freed up for its intended purpose (tracking license drift across git branches over time). The legacy gooddata-python-sdk project keeps the historical fossa_gd_* branch snapshots; new scans no longer write to it. Local `fossa analyze` invocations still target the legacy project via the committed .fossa.yml so ad-hoc runs cannot accidentally pollute the per-package projects. Implementation is a matrix workflow: each shard rewrites .fossa.yml with its project id + paths.only, then runs fossa-action's analyze and test steps. fail-fast is disabled so one package's policy failure does not mask the others. The branch label defaults to github.ref_name (the dispatched git ref) with an optional manual override input. Prerequisites for the first dispatch to fully succeed: - The seven new FOSSA project ids must be auto-creatable (or pre- provisioned) by an admin if the org restricts project creation. - Confirm with whoever owns the FOSSA contract that moving from 1 to 8 projects has no licensing/billing impact under the current plan. JIRA: TRIVIAL risk: nonprod --- .fossa.yml | 23 ++++++++-------------- .github/workflows/fossa.yaml | 38 ++++++++++++++++++++++++++++++------ 2 files changed, 40 insertions(+), 21 deletions(-) diff --git a/.fossa.yml b/.fossa.yml index 16c31db02..40891e5f2 100644 
--- a/.fossa.yml +++ b/.fossa.yml @@ -1,23 +1,16 @@ # (C) 2023 GoodData Corporation version: 3 +# The canonical FOSSA configuration lives in .github/workflows/fossa.yaml, +# which generates a per-package .fossa.yml on each scan and uploads to one +# FOSSA project per published artifact (gooddata-sdk, gooddata-pandas, ...). +# +# This anchor file exists so that running `fossa analyze` locally without +# arguments has a sane default. It points at the legacy roll-up project +# (gooddata-python-sdk) on purpose — local ad-hoc runs go to the legacy +# project so they cannot accidentally pollute the per-package projects. project: id: gooddata-python-sdk telemetry: scope: 'off' - -# Scope the scan to the published gooddata-* workspace packages + the -# generated gooddata-api-client. Each pyproject.toml is scanned independently -# (FOSSA's pdm strategy reports declared deps); the gooddata-api-client setup.py -# is read by setuptools. Internal helpers (tests-support, scripts) are excluded. -paths: - only: - - packages/gooddata-sdk - - packages/gooddata-pandas - - packages/gooddata-dbt - - packages/gooddata-fdw - - packages/gooddata-flight-server - - packages/gooddata-flexconnect - - packages/gooddata-pipelines - - gooddata-api-client diff --git a/.github/workflows/fossa.yaml b/.github/workflows/fossa.yaml index 9f1d85e9a..6f97392e5 100644 --- a/.github/workflows/fossa.yaml +++ b/.github/workflows/fossa.yaml 
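Review bot: Dropping the `paths.only` stanza widens what a local `fossa analyze` uploads: the removed comment says that list deliberately excluded tests-support and scripts, and without it the full monorepo dependency inventory (internal helpers included) is sent to the legacy gooddata-python-sdk project. If the anchor file is meant to keep ad-hoc runs harmless, keep `paths: only:` with the eight package directories next to the `project:` block, or state in the header comment that local runs now scan the whole repository. The file also keeps `telemetry: scope: 'off'`, while the CI-side `.fossa.yml` is generated by the workflow (that hunk is not visible in this chunk), so it is worth confirming the generated file carries the same telemetry setting rather than silently re-enabling it.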
@@ -5,32 +5,57 @@ on: workflow_dispatch: inputs: branch: - description: Branch label to attach to the FOSSA scan. + description: Override the FOSSA branch label (defaults to the dispatched git ref). required: false - default: master + default: "" concurrency: group: fossa-${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +# Each PyPI artifact is scanned as its own FOSSA project so license inventory, +# policy gates, and attribution reports match what is actually shipped. The +# FOSSA "branch" axis is left to its intended purpose (track license drift +# across git branches over time). jobs: fossa: - name: FOSSA scan + name: FOSSA ${{ matrix.package.project }} runs-on: group: infra1-runners-arc labels: runners-small permissions: contents: read + strategy: + fail-fast: false + matrix: + package: + - { path: packages/gooddata-sdk, project: gooddata-sdk } + - { path: packages/gooddata-pandas, project: gooddata-pandas } + - { path: packages/gooddata-dbt, project: gooddata-dbt } + - { path: packages/gooddata-fdw, project: gooddata-fdw } + - { path: packages/gooddata-flight-server, project: gooddata-flight-server } + - { path: packages/gooddata-flexconnect, project: gooddata-flexconnect } + - { path: packages/gooddata-pipelines, project: gooddata-pipelines } + - { path: gooddata-api-client, project: gooddata-api-client } steps: - name: Checkout the code uses: actions/checkout@v6 with: fetch-depth: 0 - - name: Check that .fossa.yml exists + - name: Scope .fossa.yml to ${{ matrix.package.project }} shell: bash run: | - [ -f ./.fossa.yml ] || { echo "Missing .fossa.yml in repo root; FOSSA needs it for project id." >&2; exit 1; } + cat > .fossa.yml < Date: Tue, 12 May 2026 08:22:23 +0200 Subject: [PATCH 2/7] ci: aggregate per-package FOSSA projects under a release group Each per-package FOSSA project is now attached to the gooddata-python-sdk release group at scan time. 
This matches the org-wide monorepo pattern (the FOSSA org already manages ~30 release groups across other monorepos) and gives a roll-up dashboard that aggregates license inventory across all eight published artifacts while preserving the per-package projects' independent attribution reports and policy gates. The release name is the workspace version read from the root pyproject.toml at scan time, so each gooddata-python-sdk release (1.65.0, 1.66.0, ...) gets its own snapshot in the release group's history. Prerequisite: the gooddata-python-sdk release group must exist in the FOSSA UI before the first dispatch (admin step via fossa release-group create or the dashboard). fossa-action's analyze upload attaches projects to an existing release group but does not create one. JIRA: TRIVIAL risk: nonprod --- .github/workflows/fossa.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.github/workflows/fossa.yaml b/.github/workflows/fossa.yaml index 6f97392e5..32c8ad191 100644 --- a/.github/workflows/fossa.yaml +++ b/.github/workflows/fossa.yaml 
@@ -46,10 +46,21 @@ jobs: - name: Scope .fossa.yml to ${{ matrix.package.project }} shell: bash run: | + # Read the workspace version from the root pyproject.toml so the + # FOSSA release in the gooddata-python-sdk release group tracks + # the SDK version we ship. + VERSION=$(awk -F'"' '/^version = /{print $2; exit}' pyproject.toml) + if [ -z "$VERSION" ]; then + echo "Could not parse workspace version from pyproject.toml" >&2 + exit 1 + fi cat > .fossa.yml < Date: Wed, 3 Jun 2026 11:49:04 +0200 Subject: [PATCH 3/7] ci: temporarily scope FOSSA matrix to gooddata-sdk only Trim the FOSSA scan matrix to a single package so we can validate the per-package release-group setup against one project before fanning out to all published packages. The full 8-package matrix remains in commit 9361b7cf for restoration once the gooddata-python-sdk release group is confirmed working. jira: trivial risk: nonprod --- .github/workflows/fossa.yaml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/.github/workflows/fossa.yaml b/.github/workflows/fossa.yaml index 32c8ad191..98e5990ad 100644 --- a/.github/workflows/fossa.yaml +++ b/.github/workflows/fossa.yaml @@ -30,13 +30,6 @@ jobs: matrix: package: - { path: packages/gooddata-sdk, project: gooddata-sdk } - - { path: packages/gooddata-pandas, project: gooddata-pandas } - - { path: packages/gooddata-dbt, project: gooddata-dbt } - - { path: packages/gooddata-fdw, project: gooddata-fdw } - - { path: packages/gooddata-flight-server, project: gooddata-flight-server } - - { path: packages/gooddata-flexconnect, project: gooddata-flexconnect } - - { path: packages/gooddata-pipelines, project: gooddata-pipelines } - - { path: gooddata-api-client, project: gooddata-api-client } steps: - name: Checkout the code uses: actions/checkout@v6 From c082286528bf64b644e0a21e71952a3770c58306 Mon Sep 17 00:00:00 2001 
From: Jan Kadlec Date: Wed, 3 Jun 2026 11:56:40 +0200 Subject: [PATCH 4/7] ci: point FOSSA release group at existing "1.0" release FOSSA does not auto-create release-group releases during analyze, so the release referenced in .fossa.yml must already exist. The workspace-version release (1.65.0) was never created, causing "Release (id: 1.65.0) was not found" in the policy-gate step. Target the existing "1.0" release for this trial run until a per-version release-creation step is added. jira: trivial risk: nonprod --- .github/workflows/fossa.yaml | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/.github/workflows/fossa.yaml b/.github/workflows/fossa.yaml index 98e5990ad..1e36aa685 100644 --- a/.github/workflows/fossa.yaml +++ b/.github/workflows/fossa.yaml 
@@ -39,21 +39,18 @@ jobs: - name: Scope .fossa.yml to ${{ matrix.package.project }} shell: bash run: | - # Read the workspace version from the root pyproject.toml so the - # FOSSA release in the gooddata-python-sdk release group tracks - # the SDK version we ship. - VERSION=$(awk -F'"' '/^version = /{print $2; exit}' pyproject.toml) - if [ -z "$VERSION" ]; then - echo "Could not parse workspace version from pyproject.toml" >&2 - exit 1 - fi + # Target the existing "1.0" release of the gooddata-python-sdk + # release group. FOSSA does not auto-create releases during analyze, + # so the release must already exist; "1.0" is the one currently in + # app.fossa.com. (TODO: create a per-version release before switching + # the release label back to the workspace version.) cat > .fossa.yml < Date: Wed, 3 Jun 2026 12:01:05 +0200 Subject: [PATCH 5/7] ci: drop --branch from FOSSA test step The fossa-action forwards the branch input to `fossa test`, but that subcommand has no --branch option (only `fossa analyze` does), so the policy-gate step failed with "Invalid option `--branch'". `fossa test` resolves the revision by VCS hash on its own, so the input is omitted. jira: trivial risk: nonprod --- .github/workflows/fossa.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/fossa.yaml b/.github/workflows/fossa.yaml index 1e36aa685..ea640570f 100644 --- a/.github/workflows/fossa.yaml +++ b/.github/workflows/fossa.yaml 
@@ -69,9 +69,11 @@ jobs: api-key: ${{ secrets.FOSSA_API_KEY }} branch: ${{ inputs.branch != '' && inputs.branch || github.ref_name }} + # `fossa test` resolves the revision by VCS hash and does not accept a + # --branch flag (only `fossa analyze` does), so the branch input is + # intentionally omitted here to avoid an "Invalid option `--branch'" error. - name: Run FOSSA test (policy gate) uses: fossas/fossa-action@v1.9.0 with: api-key: ${{ secrets.FOSSA_API_KEY }} run-tests: true - branch: ${{ inputs.branch != '' && inputs.branch || github.ref_name }} From 9b6671af4b7778bf6823f14ff3b9370a308766f1 Mon Sep 17 00:00:00 2001 From: Jan Kadlec Date: Wed, 3 Jun 2026 13:27:52 +0200 Subject: [PATCH 6/7] ci: restore full FOSSA package matrix Re-add all published packages to the FOSSA scan matrix now that the per-package release-group setup is validated against gooddata-sdk (targeting the existing "1.0" release of the gooddata-python-sdk group). jira: trivial risk: nonprod --- .github/workflows/fossa.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/fossa.yaml b/.github/workflows/fossa.yaml index ea640570f..a47215d10 100644 --- a/.github/workflows/fossa.yaml +++ b/.github/workflows/fossa.yaml @@ -30,6 +30,13 @@ jobs: matrix: package: - { path: packages/gooddata-sdk, project: gooddata-sdk } + - { path: packages/gooddata-pandas, project: gooddata-pandas } + - { path: packages/gooddata-dbt, project: gooddata-dbt } + - { path: packages/gooddata-fdw, project: gooddata-fdw } + - { path: packages/gooddata-flight-server, project: gooddata-flight-server } + - { path: packages/gooddata-flexconnect, project: gooddata-flexconnect } + - { path: packages/gooddata-pipelines, project: gooddata-pipelines } + - { path: gooddata-api-client, project: gooddata-api-client } steps: - name: Checkout the code uses: actions/checkout@v6 From 96c3c0fc662c3876c0ecbdc842d033b8ab569076 Mon Sep 17 00:00:00 2001 
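Review bot: The policy-gate step hands `secrets.FOSSA_API_KEY` to `fossas/fossa-action@v1.9.0`, a mutable tag; a re-pointed tag in that repository would run arbitrary code with the org's FOSSA key, so both this step and the analyze step above it should pin a full commit SHA, e.g. `uses: fossas/fossa-action@<full-commit-sha>  # v1.9.0`, with Dependabot/Renovate keeping the comment in sync. The same applies to `actions/checkout@v6` earlier in the job, which is outside this hunk. The added comment about `fossa test` lacking `--branch` is useful; consider also stating that the project id for this step comes from the `.fossa.yml` generated earlier in the job, since nothing in the step itself names the project and a reader may otherwise assume it gates the legacy roll-up. The enclosing job starts outside the hunk.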
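Review bot: The restored `matrix.package` list is now the only definition of which published artifacts get a license scan and policy gate, so a new directory under `packages/` ships with no FOSSA coverage and nothing fails. Add a comment above the list such as `# Keep in sync with packages/*/ and gooddata-api-client: a package missing here is published with no license scan or policy gate.`, and consider a small pre-matrix job that diffs `packages/*/` against this list (gooddata-api-client lives outside `packages/`, so it must be listed explicitly in that check). Per the earlier commit in this series, all eight projects now attach to the fixed "1.0" release rather than the workspace version, so the release group history will not separate SDK versions until the per-version release step mentioned in that TODO exists; a `# TODO` next to the matrix would keep that visible. The enclosing job starts outside the hunk.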
From: Jan Kadlec Date: Wed, 3 Jun 2026 13:43:47 +0200 Subject: [PATCH 7/7] ci: remove committed .fossa.yml anchor file The root .fossa.yml only existed as a default for local `fossa analyze` runs, routing them to the legacy roll-up project. FOSSA is run exclusively in CI, where the workflow generates a per-package .fossa.yml at runtime and overwrites this file anyway, so the anchor served no purpose. Dropping it makes .github/workflows/fossa.yaml the single source of FOSSA config. jira: trivial risk: nonprod --- .fossa.yml | 16 ---------------- 1 file changed, 16 deletions(-) delete mode 100644 .fossa.yml diff --git a/.fossa.yml b/.fossa.yml deleted file mode 100644 index 40891e5f2..000000000 --- a/.fossa.yml +++ /dev/null @@ -1,16 +0,0 @@ -# (C) 2023 GoodData Corporation -version: 3 - -# The canonical FOSSA configuration lives in .github/workflows/fossa.yaml, -# which generates a per-package .fossa.yml on each scan and uploads to one -# FOSSA project per published artifact (gooddata-sdk, gooddata-pandas, ...). -# -# This anchor file exists so that running `fossa analyze` locally without -# arguments has a sane default. It points at the legacy roll-up project -# (gooddata-python-sdk) on purpose — local ad-hoc runs go to the legacy -# project so they cannot accidentally pollute the per-package projects. -project: - id: gooddata-python-sdk - -telemetry: - scope: 'off'