diff --git a/.fossa.yml b/.fossa.yml
deleted file mode 100644
index 16c31db02..000000000
--- a/.fossa.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-# (C) 2023 GoodData Corporation
-version: 3
-
-project:
- id: gooddata-python-sdk
-
-telemetry:
- scope: 'off'
-
-# Scope the scan to the published gooddata-* workspace packages + the
-# generated gooddata-api-client. Each pyproject.toml is scanned independently
-# (FOSSA's pdm strategy reports declared deps); the gooddata-api-client setup.py
-# is read by setuptools. Internal helpers (tests-support, scripts) are excluded.
-paths:
- only:
- - packages/gooddata-sdk
- - packages/gooddata-pandas
- - packages/gooddata-dbt
- - packages/gooddata-fdw
- - packages/gooddata-flight-server
- - packages/gooddata-flexconnect
- - packages/gooddata-pipelines
- gooddata-api-client
diff --git a/.github/workflows/fossa.yaml b/.github/workflows/fossa.yaml
index 9f1d85e9a..a47215d10 100644
--- a/.github/workflows/fossa.yaml
+++ b/.github/workflows/fossa.yaml
@@ -5,32 +5,65 @@ on: workflow_dispatch: inputs: branch: - description: Branch label to attach to the FOSSA scan. + description: Override the FOSSA branch label (defaults to the dispatched git ref). required: false - default: master + default: "" concurrency: group: fossa-${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +# Each PyPI artifact is scanned as its own FOSSA project so license inventory, +# policy gates, and attribution reports match what is actually shipped. The +# FOSSA "branch" axis is left to its intended purpose (track license drift +# across git branches over time). jobs: fossa: - name: FOSSA scan + name: FOSSA ${{ matrix.package.project }} runs-on: group: infra1-runners-arc labels: runners-small permissions: contents: read + strategy: + fail-fast: false + matrix: + package: + - { path: packages/gooddata-sdk, project: gooddata-sdk } + - { path: packages/gooddata-pandas, project: gooddata-pandas } + - { path: packages/gooddata-dbt, project: gooddata-dbt } + - { path: packages/gooddata-fdw, project: gooddata-fdw } + - { path: packages/gooddata-flight-server, project: gooddata-flight-server } + - { path: packages/gooddata-flexconnect, project: gooddata-flexconnect } + - { path: packages/gooddata-pipelines, project: gooddata-pipelines } + - { path: gooddata-api-client, project: gooddata-api-client } steps: - name: Checkout the code uses: actions/checkout@v6 with: fetch-depth: 0 - - name: Check that .fossa.yml exists + - name: Scope .fossa.yml to ${{ matrix.package.project }} shell: bash run: | - [ -f ./.fossa.yml ] || { echo "Missing .fossa.yml in repo root; FOSSA needs it for project id." >&2; exit 1; } + # Target the existing "1.0" release of the gooddata-python-sdk + # release group. FOSSA does not auto-create releases during analyze, + # so the release must already exist; "1.0" is the one currently in + # app.fossa.com. (TODO: create a per-version release before switching + # the release label back to the workspace version.) 
+ cat > .fossa.yml <