Skip to content

feat(fossa): switch OSS PR scan to native gdc-fossa-cli action#29

Merged
petr-klemsinsky merged 3 commits into
masterfrom
fossa-finalize
Jul 3, 2026
Merged

feat(fossa): switch OSS PR scan to native gdc-fossa-cli action#29
petr-klemsinsky merged 3 commits into
masterfrom
fossa-finalize

Conversation

@petr-klemsinsky

@petr-klemsinsky petr-klemsinsky commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Summary

  • fossa-oss-pr-scan.yaml: Replace Jenkins trigger with the native fossa/pr-scan composite action using gdc-fossa-cli (same tooling as the regular scan — OSS vs internal distinction is only in which repos the workflow is installed on)
  • fossa/pr-scan/: Add the composite action and scan.sh script, mirrored from gooddata/github-actions

Test plan

  • Trigger a PR in an OSS repo and confirm the fossa-native job runs successfully
  • Confirm no fossa-jenkins job appears in the Actions run

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features
    • Added a streamlined FOSSA PR scan directly in GitHub Actions.
    • Introduced a dedicated composite scan action that runs containerized analyze/test scans with optional branch selection and repository-specific configuration files.
  • Bug Fixes
    • Improved scan reliability by automatically preparing required authentication for npm, GitHub access, and Maven (when available).
    • Enhanced scan result handling by failing the job when analysis failures are detected and providing clearer completion output.

Replace Jenkins trigger with native fossa/pr-scan composite action using
the gdc-fossa-cli container. Adds the fossa/pr-scan action to this repo
following the same pattern as gooddata/github-actions.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The PR replaces a Jenkins-triggered FOSSA OSS scan workflow with a native GitHub composite action. It adds fossa/pr-scan and scan.sh, which check out the PR head, prepare auth files, run containerized scans for matching configs, and report failures.

Changes

FOSSA PR scan path

Layer / File(s) Summary
Workflow entry point swap
.github/workflows/fossa-oss-pr-scan.yaml
The workflow name, concurrency group, job name, and scan step change from the Jenkins-triggered setup to the direct FOSSA PR scan action.
Composite action contract and wiring
fossa/pr-scan/action.yml
The composite action declares its inputs, checks out the PR head SHA, fetches CodeArtifact and Maven settings, and passes scan environment variables to scan.sh.
Script bootstrap and auth files
fossa/pr-scan/scan.sh
The scan script validates required variables, prepares working directories, writes npm auth content, and builds an optional gitconfig for GitHub token rewriting.
Container scan loop and result check
fossa/pr-scan/scan.sh
The scan script selects scan-image and Java overrides from gdc_fossa*.yaml, pulls the image, runs fossa_scanning_tool for each config or once by default, and checks analyze_failed.txt at the end.

Estimated code review effort: 4 (Complex) | ~45 minutes

Poem

🐇 I hopped from Jenkins, quick and spry,
To native scans beneath the sky.
With tokens set and containers near,
The FOSSA trail is rabbit-clear.
Thump! The scan runs on, hooray!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: replacing the OSS PR scan Jenkins trigger with the native gdc-fossa-cli action.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/fossa-oss-pr-scan.yaml:
- Around line 20-24: The workflow is still invoking the remote fossa/pr-scan
action via the gooddata/github-actions-public reference, so it won’t validate
the local action files introduced in this PR. Update the fossa-oss-pr-scan
workflow to use the in-repo fossa/pr-scan action after checking out the PR
branch, and change the checkout step from the nonexistent actions/checkout@v7 to
the stable actions/checkout@v4. Use the existing workflow job and fossa/pr-scan
action reference to locate the change.

In `@fossa/pr-scan/scan.sh`:
- Around line 57-63: The config handling in scan.sh is stripping gdc_conf down
to basename, which loses the path discovered under src_dir and can collide
across duplicate filenames. Update the gdc_conf handling in the config-loading
block and the later fossa_scanning_tool invocation to preserve the path relative
to the repo root instead of basename, using the existing gdc_conf variable so
each matched gdc_fossa*.yaml maps to the correct module.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 733afefd-f6fe-43e9-b7cf-c037f81b14c5

📥 Commits

Reviewing files that changed from the base of the PR and between 8fc9020 and 7a0f479.

📒 Files selected for processing (3)
  • .github/workflows/fossa-oss-pr-scan.yaml
  • fossa/pr-scan/action.yml
  • fossa/pr-scan/scan.sh

Comment thread .github/workflows/fossa-oss-pr-scan.yaml
Comment thread fossa/pr-scan/scan.sh
…nt POMs

Get a CodeArtifact token and generate ~/.m2/settings.xml on the runner
before starting the scan. The settings.xml is then mounted into the
gdc-fossa-cli container (existing logic in scan.sh) and CODEARTIFACT_AUTH_TOKEN
is forwarded as a container env var so Maven can authenticate against the
GoodData internal repositories at scan time.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
fossa/pr-scan/action.yml (1)

32-33: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Pin get-token action to a tag/SHA instead of @master.

Referencing gooddata/github-actions-public/codeartifact/get-token@master by a mutable branch means the executed code can change without review, unlike the version-pinned actions/checkout@v7 and s4u/maven-settings-action@v4.0.0 used elsewhere in this file.

🔒️ Suggested fix
-      uses: gooddata/github-actions-public/codeartifact/get-token@master
+      uses: gooddata/github-actions-public/codeartifact/get-token@<pinned-tag-or-sha>
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@fossa/pr-scan/action.yml` around lines 32 - 33, The CodeArtifact token step
in the workflow is using a mutable branch reference, so update the get-token
action usage in the action.yml workflow to a pinned tag or commit SHA instead of
`@master`. Keep the existing step name (“Get CodeArtifact token”) and replace the
gooddata/github-actions-public/codeartifact/get-token reference with a
version-locked identifier consistent with the other pinned actions in this file.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@fossa/pr-scan/action.yml`:
- Around line 32-33: The CodeArtifact token step in the workflow is using a
mutable branch reference, so update the get-token action usage in the action.yml
workflow to a pinned tag or commit SHA instead of `@master`. Keep the existing
step name (“Get CodeArtifact token”) and replace the
gooddata/github-actions-public/codeartifact/get-token reference with a
version-locked identifier consistent with the other pinned actions in this file.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 911501f2-8772-48b7-8879-3500cac1d199

📥 Commits

Reviewing files that changed from the base of the PR and between 7a0f479 and affdefc.

📒 Files selected for processing (2)
  • fossa/pr-scan/action.yml
  • fossa/pr-scan/scan.sh
🚧 Files skipped from review as they are similar to previous changes (1)
  • fossa/pr-scan/scan.sh

basename strips the directory component, so configs in subdirectories
are passed to fossa_scanning_tool with the wrong path. Use path relative
to src_dir instead.

JIRA: INFRA-4675

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@fossa/pr-scan/scan.sh`:
- Line 59: The rel_conf prefix removal in scan.sh is using an unquoted src_dir
inside the parameter expansion, which can be treated as a glob pattern. Update
the rel_conf assignment in the scan.sh logic to quote src_dir separately within
the ${gdc_conf#...} expansion so prefix stripping is literal and robust when
src_dir contains glob metacharacters.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0ade1868-bc92-47aa-bfab-7687fa573e4c

📥 Commits

Reviewing files that changed from the base of the PR and between affdefc and 8334740.

📒 Files selected for processing (1)
  • fossa/pr-scan/scan.sh

Comment thread fossa/pr-scan/scan.sh
local mount_args=()

if [ -n "${gdc_conf}" ] && [ -f "${gdc_conf}" ]; then
local rel_conf="${gdc_conf#${src_dir}/}"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Quote ${src_dir} inside the prefix expansion.

In ${gdc_conf#${src_dir}/}, the unquoted ${src_dir} is interpreted as a glob pattern during prefix removal. If src_dir ever contains pattern metacharacters (*, ?, [), the prefix strip will misbehave and yield an incorrect rel_conf. Quote it separately.

🔧 Proposed fix (SC2295)
-    local rel_conf="${gdc_conf#${src_dir}/}"
+    local rel_conf="${gdc_conf#"${src_dir}"/}"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
local rel_conf="${gdc_conf#${src_dir}/}"
local rel_conf="${gdc_conf#"${src_dir}"/}"
🧰 Tools
🪛 Shellcheck (0.11.0)

[info] 59-59: Expansions inside ${..} need to be quoted separately, otherwise they match as patterns.

(SC2295)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@fossa/pr-scan/scan.sh` at line 59, The rel_conf prefix removal in scan.sh is
using an unquoted src_dir inside the parameter expansion, which can be treated
as a glob pattern. Update the rel_conf assignment in the scan.sh logic to quote
src_dir separately within the ${gdc_conf#...} expansion so prefix stripping is
literal and robust when src_dir contains glob metacharacters.

Source: Linters/SAST tools

@petr-klemsinsky petr-klemsinsky merged commit 901daea into master Jul 3, 2026
2 of 3 checks passed
@petr-klemsinsky petr-klemsinsky deleted the fossa-finalize branch July 3, 2026 09:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants