
feat(fossa): switch OSS PR scan to native gdc-fossa-cli action#29

Open
petr-klemsinsky wants to merge 1 commit into master from fossa-finalize

Conversation

@petr-klemsinsky

Contributor

Summary

  • fossa-oss-pr-scan.yaml: Replace Jenkins trigger with the native fossa/pr-scan composite action using gdc-fossa-cli (same tooling as the regular scan — OSS vs internal distinction is only in which repos the workflow is installed on)
  • fossa/pr-scan/: Add the composite action and scan.sh script, mirrored from gooddata/github-actions

Test plan

  • Trigger a PR in an OSS repo and confirm the fossa-native job runs successfully
  • Confirm no fossa-jenkins job appears in the Actions run

🤖 Generated with Claude Code

Replace Jenkins trigger with native fossa/pr-scan composite action using
the gdc-fossa-cli container. Adds the fossa/pr-scan action to this repo
following the same pattern as gooddata/github-actions.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 26, 2026



📝 Walkthrough

The PR replaces a Jenkins-triggered FOSSA OSS scan workflow with a native GitHub composite action. It adds fossa/pr-scan and scan.sh, which check out the PR head, prepare auth files, run containerized scans for matching configs, and report failures.

Changes

FOSSA PR scan path

  • Workflow entry point swap (.github/workflows/fossa-oss-pr-scan.yaml): The workflow name, concurrency group, job name, and scan step change from the Jenkins-triggered setup to the direct FOSSA PR scan action.
  • Composite action contract and wiring (fossa/pr-scan/action.yml): The composite action declares its metadata, public inputs, checkout step, and environment-variable wiring for scan.sh.
  • Auth file bootstrap (fossa/pr-scan/scan.sh): The scan script validates required env vars, prepares workspace directories, and writes npm and git auth files.
  • Container scan loop and result check (fossa/pr-scan/scan.sh): The scan script reads config overrides, pulls the scan image, runs fossa_scanning_tool for each matching config or once by default, and exits non-zero when analyze_failed.txt is present.

Sequence Diagram(s)

sequenceDiagram
  participant GHWorkflow as GitHub Actions workflow
  participant FossaAction as fossa/pr-scan action
  participant ScanScript as scan.sh
  participant DockerCLI as docker
  participant FossaTool as fossa_scanning_tool
  GHWorkflow->>FossaAction: runs PR scan step
  FossaAction->>ScanScript: executes Bash with env vars
  ScanScript->>DockerCLI: pulls selected scan image
  ScanScript->>DockerCLI: starts container with mounts and scan args
  DockerCLI->>FossaTool: runs the FOSSA scan
  FossaTool-->>ScanScript: writes analyze_failed.txt or completes

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐇 I hopped from Jenkins, quick and spry,
To native scans beneath the sky.
With tokens set and containers near,
The FOSSA trail is rabbit-clear.
Thump! The scan runs on, hooray!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly summarizes the main change: replacing the OSS PR scan Jenkins flow with the native gdc-fossa-cli action.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/fossa-oss-pr-scan.yaml:
- Around line 20-24: The workflow is still invoking the remote fossa/pr-scan
action via the gooddata/github-actions-public reference, so it won’t validate
the local action files introduced in this PR. Update the fossa-oss-pr-scan
workflow to use the in-repo fossa/pr-scan action after checking out the PR
branch, and change the checkout step from the nonexistent actions/checkout@v7 to
the stable actions/checkout@v4. Use the existing workflow job and fossa/pr-scan
action reference to locate the change.

In `@fossa/pr-scan/scan.sh`:
- Around line 57-63: The config handling in scan.sh is stripping gdc_conf down
to basename, which loses the path discovered under src_dir and can collide
across duplicate filenames. Update the gdc_conf handling in the config-loading
block and the later fossa_scanning_tool invocation to preserve the path relative
to the repo root instead of basename, using the existing gdc_conf variable so
each matched gdc_fossa*.yaml maps to the correct module.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 733afefd-f6fe-43e9-b7cf-c037f81b14c5

📥 Commits

Reviewing files that changed from the base of the PR and between 8fc9020 and 7a0f479.

📒 Files selected for processing (3)
  • .github/workflows/fossa-oss-pr-scan.yaml
  • fossa/pr-scan/action.yml
  • fossa/pr-scan/scan.sh

Comment on lines +20 to +24
- uses: gooddata/github-actions-public/fossa/pr-scan@master
with:
server: ${{ secrets.JENKINS_ADDRESS }}
folder: compliance
job-name: "${{ github.event.repository.name }}-fossa-scanning-oss-zuul"
vault-url: ${{ secrets.VAULT_ADDRESS }}
params: |-
{
"GH_BRANCH":"${{ github.base_ref }}",
"GH_REF":"${{ github.ref }}",
"GH_COMMIT":"${{ github.event.pull_request.head.sha }}",
"GH_URL":"git@github.com:",
"GH_CHANGE":"${{ github.event.pull_request.number }}",
"GH_PROJECT":"${{ github.repository }}",
"GH_PR_NUMBER":"${{ github.event.pull_request.number }}",
"BUILD_BY_GITHUB":"true",
"GH_PIPELINE":"gate"
}
fossa-api-key: ${{ secrets.FOSSA_API_KEY }}
npm-auth-token: ${{ secrets.NPM_TOKEN }}
github-token: ${{ secrets.TOKEN_GITHUB_YENKINS }}
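Review bot: line 20 resolves the action from the mutable branch reference `gooddata/github-actions-public/fossa/pr-scan@master`, so this job runs whatever that branch contains at scan time rather than the `fossa/pr-scan` files this PR adds, and zizmor flags the same line as unpinned; use the in-repo path `./fossa/pr-scan` after a checkout step, and pin any remote action that remains to a full commit SHA. The `server`, `folder`, `job-name`, `vault-url` and `params` inputs in this hunk are the Jenkins-trigger interface being replaced; CodeRabbit's suggested change keeps only `fossa-api-key`, `npm-auth-token` and `github-token`, so the Jenkins inputs and the job JSON should be removed rather than left for the new action to ignore.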


🎯 Functional Correctness | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if the fossa/pr-scan directory exists
fd -t d "fossa" --max-depth 2
# Check the full workflow file for existing checkout steps
cat -n .github/workflows/fossa-oss-pr-scan.yaml

Repository: gooddata/github-actions-public

Length of output: 1010


Use the local in-repo action instead of @master and correct the checkout version.

uses: {owner}/{repo}/{path}@{ref} fetches the action from the remote reference, bypassing the new fossa/pr-scan files added in this PR. Since this PR introduces the local action, the workflow must check out the PR branch and run the local action to validate the changes. Additionally, actions/checkout@v7 does not exist; use the stable actions/checkout@v4.

Suggested change
     steps:
+      - uses: actions/checkout@v4
       - uses: gooddata/github-actions-public/fossa/pr-scan@master
+        with:
+          fossa-api-key: ${{ secrets.FOSSA_API_KEY }}
+          npm-auth-token: ${{ secrets.NPM_TOKEN }}
+          github-token: ${{ secrets.TOKEN_GITHUB_YENKINS }}

Replace the remote uses with the local path:

-      uses: gooddata/github-actions-public/fossa/pr-scan@master
+      uses: ./fossa/pr-scan
📝 Committable suggestion


Suggested change
- uses: gooddata/github-actions-public/fossa/pr-scan@master
with:
server: ${{ secrets.JENKINS_ADDRESS }}
folder: compliance
job-name: "${{ github.event.repository.name }}-fossa-scanning-oss-zuul"
vault-url: ${{ secrets.VAULT_ADDRESS }}
params: |-
{
"GH_BRANCH":"${{ github.base_ref }}",
"GH_REF":"${{ github.ref }}",
"GH_COMMIT":"${{ github.event.pull_request.head.sha }}",
"GH_URL":"git@github.com:",
"GH_CHANGE":"${{ github.event.pull_request.number }}",
"GH_PROJECT":"${{ github.repository }}",
"GH_PR_NUMBER":"${{ github.event.pull_request.number }}",
"BUILD_BY_GITHUB":"true",
"GH_PIPELINE":"gate"
}
fossa-api-key: ${{ secrets.FOSSA_API_KEY }}
npm-auth-token: ${{ secrets.NPM_TOKEN }}
github-token: ${{ secrets.TOKEN_GITHUB_YENKINS }}
- uses: actions/checkout@v4
- uses: ./fossa/pr-scan
with:
fossa-api-key: ${{ secrets.FOSSA_API_KEY }}
npm-auth-token: ${{ secrets.NPM_TOKEN }}
github-token: ${{ secrets.TOKEN_GITHUB_YENKINS }}
🧰 Tools
🪛 zizmor (1.26.1)

[error] 20-20: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/fossa-oss-pr-scan.yaml around lines 20 - 24, The workflow
is still invoking the remote fossa/pr-scan action via the
gooddata/github-actions-public reference, so it won’t validate the local action
files introduced in this PR. Update the fossa-oss-pr-scan workflow to use the
in-repo fossa/pr-scan action after checking out the PR branch, and change the
checkout step from the nonexistent actions/checkout@v7 to the stable
actions/checkout@v4. Use the existing workflow job and fossa/pr-scan action
reference to locate the change.

Source: Linters/SAST tools

Comment thread fossa/pr-scan/scan.sh
Comment on lines +57 to +63
if [ -n "${gdc_conf}" ] && [ -f "${gdc_conf}" ]; then
local img_override
img_override="$(yq -r '.scan_image | select(. != null)' "${gdc_conf}")"
[ -n "${img_override}" ] && scan_img="${img_override}"
java_version="$(yq -r '.java_version | select(. != null)' "${gdc_conf}")"
conf_arg=(--gdc-conf "$(basename "${gdc_conf}")")
fi
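Review bot: the `conf_arg=(--gdc-conf "$(basename "${gdc_conf}")")` line drops the directory part of every match, so a config in a subdirectory is passed under a name that does not exist relative to the repo root and two modules sharing a filename collapse onto one argument; pass the path relative to `src_dir` instead. Separately, the `img_override` lines replace `scan_img` with whatever `.scan_image` the checked-out config carries, and the PR scan checks out the PR head, so the branch under review chooses the container image that runs next to the npm and git auth files scan.sh writes; restrict the override to an expected registry prefix, or at least log the effective image before pulling it, so an unexpected image is visible in the run output.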


🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Preserve the config path relative to the repo root.

The loop deliberately finds gdc_fossa*.yaml anywhere under src_dir, but conf_arg drops each match to basename(...). Any config in a subdirectory—or two configs sharing the same filename—will be passed to fossa_scanning_tool with the wrong path or collide on the same name, so the wrong module gets scanned.

Suggested change
 run_scan() {
   local scan_img="$1" gdc_conf="$2"
   local java_version="" conf_arg=()
   local mount_args=()
 
   if [ -n "${gdc_conf}" ] && [ -f "${gdc_conf}" ]; then
+    local rel_conf="${gdc_conf#${src_dir}/}"
     local img_override
     img_override="$(yq -r '.scan_image | select(. != null)' "${gdc_conf}")"
     [ -n "${img_override}" ] && scan_img="${img_override}"
     java_version="$(yq -r '.java_version | select(. != null)' "${gdc_conf}")"
-    conf_arg=(--gdc-conf "$(basename "${gdc_conf}")")
+    conf_arg=(--gdc-conf "${rel_conf}")
   fi
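Review bot: in the added line `local rel_conf="${gdc_conf#${src_dir}/}"`, quote the inner expansion as `"${gdc_conf#"${src_dir}"/}"` so that `*`, `?` or `[` in `src_dir` are matched literally rather than as a pattern; the strip is also a silent no-op whenever the paths the loop produces do not begin with exactly `${src_dir}/` (a trailing slash on `src_dir` is enough), so consider checking that `rel_conf` differs from `gdc_conf` before using it.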

Also applies to: 88-95

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@fossa/pr-scan/scan.sh` around lines 57 - 63, The config handling in scan.sh
is stripping gdc_conf down to basename, which loses the path discovered under
src_dir and can collide across duplicate filenames. Update the gdc_conf handling
in the config-loading block and the later fossa_scanning_tool invocation to
preserve the path relative to the repo root instead of basename, using the
existing gdc_conf variable so each matched gdc_fossa*.yaml maps to the correct
module.
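The two behaviours discussed on this page, running one scan per matched `gdc_fossa*.yaml` (or once by default) and the path collision that `basename` introduces, as an added example that is neither the PR's scan.sh nor CodeRabbit's suggestion. It builds a constructed tree in which two modules both carry a `gdc_fossa.yaml`, then compares how many distinct `--gdc-conf` values the basename mapping and a repo-relative mapping yield. `rel_conf`, `demo_tree`, `conf_args` and `count_distinct` are hypothetical helper names; `src_dir` follows the variable name used in scan.sh, and the file contents are sample data.

```shell
#!/bin/sh
# Added example, not code from gooddata/github-actions-public: shows why
# basename loses the module mapping for configs found in subdirectories
# and how a repo-relative path keeps each match distinct.
set -eu

# rel_conf SRC_DIR CONF: strip the source-root prefix from a config path.
# The inner expansion is quoted so glob characters in SRC_DIR stay literal.
rel_conf() {
  local src_dir="$1" conf="$2"
  printf '%s\n' "${conf#"${src_dir}"/}"
}

# demo_tree SRC_DIR: constructed layout with two modules that both ship a
# gdc_fossa.yaml plus one config at the repo root (sample data, not real).
demo_tree() {
  local src_dir="$1"
  mkdir -p "${src_dir}/backend" "${src_dir}/frontend"
  printf 'java_version: "17"\n' > "${src_dir}/backend/gdc_fossa.yaml"
  printf 'scan_image: registry.example.test/fossa:1\n' > "${src_dir}/frontend/gdc_fossa.yaml"
  printf 'java_version: "11"\n' > "${src_dir}/gdc_fossa_root.yaml"
}

# conf_args SRC_DIR MODE: print the --gdc-conf value for every matching config,
# using MODE=basename (the behaviour under review) or MODE=relative.
# With no config anywhere under SRC_DIR, a single default scan is emitted.
conf_args() {
  local src_dir="$1" mode="$2" list conf
  list="$(find "${src_dir}" -name 'gdc_fossa*.yaml' -type f | sort)"
  if [ -z "${list}" ]; then
    echo "<default>"
    return 0
  fi
  printf '%s\n' "${list}" | while read -r conf; do
    case "${mode}" in
      basename) basename "${conf}" ;;
      relative) rel_conf "${src_dir}" "${conf}" ;;
      *) echo "unknown mode: ${mode}" >&2; return 1 ;;
    esac
  done
}

# count_distinct SRC_DIR MODE: how many distinct scan targets survive the mapping.
count_distinct() {
  conf_args "$1" "$2" | sort -u | wc -l | tr -d '[:space:]'
}

main() {
  local src_dir
  src_dir="$(mktemp -d)"
  demo_tree "${src_dir}"
  echo "basename mapping:"
  conf_args "${src_dir}" basename
  echo "relative mapping:"
  conf_args "${src_dir}" relative
  echo "distinct targets: basename=$(count_distinct "${src_dir}" basename) relative=$(count_distinct "${src_dir}" relative)"
  rm -rf "${src_dir}"
}

main
```

On the constructed tree the basename mapping yields two distinct targets for three configs, so one module would never be scanned under its own config, while the relative mapping yields three. The quoted inner expansion in `rel_conf` is what keeps the prefix strip literal when `src_dir` contains glob characters.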
