ci: add FOSSA license scan workflow

Adds a self-contained workflow_dispatch GitHub Actions workflow that runs
FOSSA analyze + test against the repo, replacing the manual Jenkins-based
scan. Token comes from the FOSSA_API_KEY org secret; the repo still needs
to be added to that secret's repos allowlist in terraform-github (separate
PR by infra) before the first dispatch will authenticate.

The job runs on the infra1-runners-arc / runners-small ARC group used by
the rest of the repo's workflows (pre-merge, staging-tests, etc.) — the
runners are accessible from this public repo even though the reusable
fossa workflow at gooddata/github-actions isn't, hence this self-contained
copy. Permissions are read-only. Actions are pinned by version tag
(actions/checkout@v6, fossas/fossa-action@v1.9.0) to match the repo
convention.

The .fossa.yml is scoped via paths.only to the seven published gooddata-*
workspace packages plus the generated gooddata-api-client. Phase 0 local
verification with fossa-cli 3.17.5 confirmed all declared deps across
these targets are picked up (pdm strategy for each pyproject.toml,
setuptools for gooddata-api-client). tests-support and scripts/ are
intentionally excluded as internal helpers.

The branch input defaults to master so dispatches without an explicit
override attach the scan to the master branch in the FOSSA dashboard.

JIRA: TRIVIAL
risk: nonprod

Author: hkad98

.fossa.yml

@@ -7,12 +7,17 @@ project:
 telemetry:
   scope: 'off'
 
-# We need to specify it per-each package. See fossa_* branches.
-# targets:
-#   only:
-#     - type: pipenv
-#       path: path-here
-#
-# paths:
-#   only:
-#     - path-here
+# Scope the scan to the published gooddata-* workspace packages + the
+# generated gooddata-api-client. Each pyproject.toml is scanned independently
+# (FOSSA's pdm strategy reports declared deps); the gooddata-api-client setup.py
+# is read by setuptools. Internal helpers (tests-support, scripts) are excluded.
+paths:
+  only:
+    - packages/gooddata-sdk
+    - packages/gooddata-pandas
+    - packages/gooddata-dbt
+    - packages/gooddata-fdw
+    - packages/gooddata-flight-server
+    - packages/gooddata-flexconnect
+    - packages/gooddata-pipelines
+    - gooddata-api-client

.github/workflows/fossa.yaml

@@ -0,0 +1,50 @@
+# (C) 2026 GoodData Corporation
+name: FOSSA scan
+
+on:
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: Branch label to attach to the FOSSA scan.
+        required: false
+        default: master
+
+concurrency:
+  group: fossa-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  fossa:
+    name: FOSSA scan
+    runs-on:
+      group: infra1-runners-arc
+      labels: runners-small
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout the code
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Check that .fossa.yml exists
+        shell: bash
+        run: |
+          [ -f ./.fossa.yml ] || { echo "Missing .fossa.yml in repo root; FOSSA needs it for project id." >&2; exit 1; }
+
+      - name: Workaround for "no targets found" error
+        shell: bash
+        run: |
+          [ -f ./requirements.txt ] || touch ./requirements.txt
+
+      - name: Run FOSSA analyze
+        uses: fossas/fossa-action@v1.9.0
+        with:
+          api-key: ${{ secrets.FOSSA_API_KEY }}
+          branch: ${{ inputs.branch }}
+
+      - name: Run FOSSA test (policy gate)
+        uses: fossas/fossa-action@v1.9.0
+        with:
+          api-key: ${{ secrets.FOSSA_API_KEY }}
+          run-tests: true