[bot] Merge master/8ca8648f into rel/dev#1640
Merged
Merged
Conversation
Switch the FOSSA workflow from a single gooddata-python-sdk project (with all 8 packages' deps merged) to one FOSSA project per PyPI artifact: gooddata-sdk, gooddata-pandas, gooddata-dbt, gooddata-fdw, gooddata-flight-server, gooddata-flexconnect, gooddata-pipelines, and gooddata-api-client. This aligns FOSSA's data model with how the artifacts are actually shipped: each PyPI package has its own license inventory, attribution report, and policy gate, and the FOSSA "branch" axis is freed up for its intended purpose (tracking license drift across git branches over time). The legacy gooddata-python-sdk project keeps the historical fossa_gd_* branch snapshots; new scans no longer write to it. Local `fossa analyze` invocations still target the legacy project via the committed .fossa.yml so ad-hoc runs cannot accidentally pollute the per-package projects. Implementation is a matrix workflow: each shard rewrites .fossa.yml with its project id + paths.only, then runs fossa-action's analyze and test steps. fail-fast is disabled so one package's policy failure does not mask the others. The branch label defaults to github.ref_name (the dispatched git ref) with an optional manual override input. Prerequisites for the first dispatch to fully succeed: - The seven new FOSSA project ids must be auto-creatable (or pre- provisioned) by an admin if the org restricts project creation. - Confirm with whoever owns the FOSSA contract that moving from 1 to 8 projects has no licensing/billing impact under the current plan. JIRA: TRIVIAL risk: nonprod
Each per-package FOSSA project is now attached to the gooddata-python-sdk release group at scan time. This matches the org-wide monorepo pattern (the FOSSA org already manages ~30 release groups across other monorepos) and gives a roll-up dashboard that aggregates license inventory across all eight published artifacts while preserving the per-package projects' independent attribution reports and policy gates. The release name is the workspace version read from the root pyproject.toml at scan time, so each gooddata-python-sdk release (1.65.0, 1.66.0, ...) gets its own snapshot in the release group's history. Prerequisite: the gooddata-python-sdk release group must exist in the FOSSA UI before the first dispatch (admin step via fossa release-group create or the dashboard). fossa-action's analyze upload attaches projects to an existing release group but does not create one. JIRA: TRIVIAL risk: nonprod
Trim the FOSSA scan matrix to a single package so we can validate the per-package release-group setup against one project before fanning out to all published packages. The full 8-package matrix remains in commit 9361b7c for restoration once the gooddata-python-sdk release group is confirmed working. jira: trivial risk: nonprod
FOSSA does not auto-create release-group releases during analyze, so the release referenced in .fossa.yml must already exist. The workspace-version release (1.65.0) was never created, causing "Release (id: 1.65.0) was not found" in the policy-gate step. Target the existing "1.0" release for this trial run until a per-version release-creation step is added. jira: trivial risk: nonprod
The fossa-action forwards the branch input to `fossa test`, but that subcommand has no --branch option (only `fossa analyze` does), so the policy-gate step failed with "Invalid option `--branch'". `fossa test` resolves the revision by VCS hash on its own, so the input is omitted. jira: trivial risk: nonprod
Re-add all published packages to the FOSSA scan matrix now that the per-package release-group setup is validated against gooddata-sdk (targeting the existing "1.0" release of the gooddata-python-sdk group). jira: trivial risk: nonprod
The root .fossa.yml only existed as a default for local `fossa analyze` runs, routing them to the legacy roll-up project. FOSSA is run exclusively in CI, where the workflow generates a per-package .fossa.yml at runtime and overwrites this file anyway, so the anchor served no purpose. Dropping it makes .github/workflows/fossa.yaml the single source of FOSSA config. jira: trivial risk: nonprod
ci: scan each published package as its own FOSSA project
yenkins-admin
requested review from
hkad98,
jaceksan,
lupko and
pcerny
as code owners
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🚀 Automated PR to perform merge from master into rel/dev with changes up to 8ca8648 (created by https://github.com/gooddata/gooddata-python-sdk/actions/runs/26882842042).