feat(fossa): switch OSS PR scan to native gdc-fossa-cli action#29
Conversation
Replace Jenkins trigger with native fossa/pr-scan composite action using the gdc-fossa-cli container. Adds the fossa/pr-scan action to this repo following the same pattern as gooddata/github-actions. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
📝 WalkthroughWalkthroughThe PR replaces a Jenkins-triggered FOSSA OSS scan workflow with a native GitHub composite action. It adds ChangesFOSSA PR scan path
Estimated code review effort: 4 (Complex) | ~45 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/fossa-oss-pr-scan.yaml:
- Around line 20-24: The workflow is still invoking the remote fossa/pr-scan
action via the gooddata/github-actions-public reference, so it won’t validate
the local action files introduced in this PR. Update the fossa-oss-pr-scan
workflow to use the in-repo fossa/pr-scan action after checking out the PR
branch, and change the checkout step from the nonexistent actions/checkout@v7 to
the stable actions/checkout@v4. Use the existing workflow job and fossa/pr-scan
action reference to locate the change.
In `@fossa/pr-scan/scan.sh`:
- Around line 57-63: The config handling in scan.sh is stripping gdc_conf down
to basename, which loses the path discovered under src_dir and can collide
across duplicate filenames. Update the gdc_conf handling in the config-loading
block and the later fossa_scanning_tool invocation to preserve the path relative
to the repo root instead of basename, using the existing gdc_conf variable so
each matched gdc_fossa*.yaml maps to the correct module.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 733afefd-f6fe-43e9-b7cf-c037f81b14c5
📒 Files selected for processing (3)
.github/workflows/fossa-oss-pr-scan.yamlfossa/pr-scan/action.ymlfossa/pr-scan/scan.sh
…nt POMs Get a CodeArtifact token and generate ~/.m2/settings.xml on the runner before starting the scan. The settings.xml is then mounted into the gdc-fossa-cli container (existing logic in scan.sh) and CODEARTIFACT_AUTH_TOKEN is forwarded as a container env var so Maven can authenticate against the GoodData internal repositories at scan time. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
There was a problem hiding this comment.
🧹 Nitpick comments (1)
fossa/pr-scan/action.yml (1)
32-33: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winPin
get-tokenaction to a tag/SHA instead of@master.Referencing
gooddata/github-actions-public/codeartifact/get-token@masterby a mutable branch means the executed code can change without review, unlike the version-pinnedactions/checkout@v7ands4u/maven-settings-action@v4.0.0used elsewhere in this file.🔒️ Suggested fix
- uses: gooddata/github-actions-public/codeartifact/get-token@master + uses: gooddata/github-actions-public/codeartifact/get-token@<pinned-tag-or-sha>🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@fossa/pr-scan/action.yml` around lines 32 - 33, The CodeArtifact token step in the workflow is using a mutable branch reference, so update the get-token action usage in the action.yml workflow to a pinned tag or commit SHA instead of `@master`. Keep the existing step name (“Get CodeArtifact token”) and replace the gooddata/github-actions-public/codeartifact/get-token reference with a version-locked identifier consistent with the other pinned actions in this file.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@fossa/pr-scan/action.yml`:
- Around line 32-33: The CodeArtifact token step in the workflow is using a
mutable branch reference, so update the get-token action usage in the action.yml
workflow to a pinned tag or commit SHA instead of `@master`. Keep the existing
step name (“Get CodeArtifact token”) and replace the
gooddata/github-actions-public/codeartifact/get-token reference with a
version-locked identifier consistent with the other pinned actions in this file.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 911501f2-8772-48b7-8879-3500cac1d199
📒 Files selected for processing (2)
fossa/pr-scan/action.ymlfossa/pr-scan/scan.sh
🚧 Files skipped from review as they are similar to previous changes (1)
- fossa/pr-scan/scan.sh
basename strips the directory component, so configs in subdirectories are passed to fossa_scanning_tool with the wrong path. Use path relative to src_dir instead. JIRA: INFRA-4675
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@fossa/pr-scan/scan.sh`:
- Line 59: The rel_conf prefix removal in scan.sh is using an unquoted src_dir
inside the parameter expansion, which can be treated as a glob pattern. Update
the rel_conf assignment in the scan.sh logic to quote src_dir separately within
the ${gdc_conf#...} expansion so prefix stripping is literal and robust when
src_dir contains glob metacharacters.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 0ade1868-bc92-47aa-bfab-7687fa573e4c
📒 Files selected for processing (1)
fossa/pr-scan/scan.sh
| local mount_args=() | ||
|
|
||
| if [ -n "${gdc_conf}" ] && [ -f "${gdc_conf}" ]; then | ||
| local rel_conf="${gdc_conf#${src_dir}/}" |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
Quote ${src_dir} inside the prefix expansion.
In ${gdc_conf#${src_dir}/}, the unquoted ${src_dir} is interpreted as a glob pattern during prefix removal. If src_dir ever contains pattern metacharacters (*, ?, [), the prefix strip will misbehave and yield an incorrect rel_conf. Quote it separately.
🔧 Proposed fix (SC2295)
- local rel_conf="${gdc_conf#${src_dir}/}"
+ local rel_conf="${gdc_conf#"${src_dir}"/}"📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| local rel_conf="${gdc_conf#${src_dir}/}" | |
| local rel_conf="${gdc_conf#"${src_dir}"/}" |
🧰 Tools
🪛 Shellcheck (0.11.0)
[info] 59-59: Expansions inside ${..} need to be quoted separately, otherwise they match as patterns.
(SC2295)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@fossa/pr-scan/scan.sh` at line 59, The rel_conf prefix removal in scan.sh is
using an unquoted src_dir inside the parameter expansion, which can be treated
as a glob pattern. Update the rel_conf assignment in the scan.sh logic to quote
src_dir separately within the ${gdc_conf#...} expansion so prefix stripping is
literal and robust when src_dir contains glob metacharacters.
Source: Linters/SAST tools
Summary
fossa-oss-pr-scan.yaml: Replace Jenkins trigger with the nativefossa/pr-scancomposite action usinggdc-fossa-cli(same tooling as the regular scan — OSS vs internal distinction is only in which repos the workflow is installed on)fossa/pr-scan/: Add the composite action andscan.shscript, mirrored fromgooddata/github-actionsTest plan
fossa-nativejob runs successfullyfossa-jenkinsjob appears in the Actions run🤖 Generated with Claude Code
Summary by CodeRabbit