Skip to content

ci: scan each published package as its own FOSSA project#1598

Open
hkad98 wants to merge 1 commit into
gooddata:masterfrom
hkad98:jkd/fossa-per-package
Open

ci: scan each published package as its own FOSSA project#1598
hkad98 wants to merge 1 commit into
gooddata:masterfrom
hkad98:jkd/fossa-per-package

Conversation

@hkad98
Copy link
Copy Markdown
Contributor

@hkad98 hkad98 commented May 11, 2026

Summary

Follow-up to #1596. Switches the FOSSA workflow from a single gooddata-python-sdk project (with all 8 packages' deps merged) to one FOSSA project per PyPI artifact: gooddata-sdk, gooddata-pandas, gooddata-dbt, gooddata-fdw, gooddata-flight-server, gooddata-flexconnect, gooddata-pipelines, gooddata-api-client.

This is the orthodox FOSSA model for a monorepo that publishes multiple artifacts:

  • Each PyPI package gets its own license inventory, attribution report, and policy gate — aligned with what users actually pip install.
  • The FOSSA branch axis is freed up for its intended purpose: tracking license drift across git branches (master, release/x.y) over time, rather than being repurposed as a component separator (the legacy fossa_gd_* pattern).
  • New workspace packages onboard by adding one matrix row to the workflow + auto-creating the FOSSA project on first scan.

The legacy gooddata-python-sdk FOSSA project keeps its historical fossa_gd_* branch snapshots (e.g. the Oct 2023 fossa_gd_api_client scan); new dispatches no longer write to it. Local fossa analyze calls still target the legacy project via the committed .fossa.yml, intentionally — ad-hoc local runs cannot accidentally pollute the per-package projects.

Implementation

  • workflow_dispatch trigger (unchanged).
  • strategy.matrix over 8 packages, fail-fast: false so one package's policy failure does not mask the others.
  • Each shard rewrites .fossa.yml with that package's project.id and paths.only, then runs fossa-action's analyze and test steps.
  • Branch label defaults to github.ref_name (the dispatched git ref) with an optional manual override input.

Prerequisites for the first green dispatch

  • The seven new FOSSA project ids (everything except gooddata-api-client, which exists already as a legacy artifact) must be auto-creatable on first scan, or pre-provisioned by a FOSSA admin if your org restricts project creation.
  • Confirm with whoever owns the FOSSA contract that moving from 1 to 8 projects has no licensing/billing impact under the current plan.

Test plan

JIRA: TRIVIAL
risk: nonprod

@hkad98
ci: scan each published package as its own FOSSA project
9361b7c 
Switch the FOSSA workflow from a single gooddata-python-sdk project (with
all 8 packages' deps merged) to one FOSSA project per PyPI artifact:
gooddata-sdk, gooddata-pandas, gooddata-dbt, gooddata-fdw,
gooddata-flight-server, gooddata-flexconnect, gooddata-pipelines, and
gooddata-api-client.

This aligns FOSSA's data model with how the artifacts are actually
shipped: each PyPI package has its own license inventory, attribution
report, and policy gate, and the FOSSA "branch" axis is freed up for
its intended purpose (tracking license drift across git branches over
time).

The legacy gooddata-python-sdk project keeps the historical
fossa_gd_* branch snapshots; new scans no longer write to it.
Local `fossa analyze` invocations still target the legacy project
via the committed .fossa.yml so ad-hoc runs cannot accidentally
pollute the per-package projects.

Implementation is a matrix workflow: each shard rewrites .fossa.yml
with its project id + paths.only, then runs fossa-action's analyze
and test steps. fail-fast is disabled so one package's policy
failure does not mask the others. The branch label defaults to
github.ref_name (the dispatched git ref) with an optional manual
override input.

Prerequisites for the first dispatch to fully succeed:
- The seven new FOSSA project ids must be auto-creatable (or pre-
  provisioned) by an admin if the org restricts project creation.
- Confirm with whoever owns the FOSSA contract that moving from 1 to
  8 projects has no licensing/billing impact under the current plan.

JIRA: TRIVIAL
risk: nonprod
@hkad98 hkad98 requested review from jaceksan, lupko and pcerny as code owners May 11, 2026 14:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lupko lupko Awaiting requested review from lupko lupko is a code owner

@pcerny pcerny Awaiting requested review from pcerny pcerny is a code owner

@jaceksan jaceksan Awaiting requested review from jaceksan jaceksan is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@hkad98