From 6cee8a5b3333fcf59ec74178a5e15bbd3ae7e87b Mon Sep 17 00:00:00 2001 From: Stephen Barrett Date: Thu, 25 Jun 2026 11:25:44 +0100 Subject: [PATCH 1/5] Update fossid_integration_stateless_diffscan.yml (#49) --- .../fossid_integration_stateless_diffscan.yml | 42 ++++++++++++++++++- 1 file changed, 40 insertions(+), 2 deletions(-) diff --git a/.github/workflows/fossid_integration_stateless_diffscan.yml b/.github/workflows/fossid_integration_stateless_diffscan.yml index d79c61b..b3cdc8b 100644 --- a/.github/workflows/fossid_integration_stateless_diffscan.yml +++ b/.github/workflows/fossid_integration_stateless_diffscan.yml @@ -2,6 +2,22 @@ name: Fossid Pre-merge Stateless Diff Scan on: workflow_call: + inputs: + base_ref: # NEW: optional explicit base ref + description: 'Base ref for diff (e.g. develop). Empty = auto-detect.' + required: false + type: string + default: '' + compare_ref: # NEW: optional explicit compare ref + description: 'Compare ref/SHA for diff. Empty = auto-detect.' + required: false + type: string + default: '' + pr_number: # NEW: PR number (for fetching fork commits) + description: 'PR number (used to fetch fork head ref). Empty = not needed.' + required: false + type: string + default: '' secrets: FOSSID_CONTAINER_USERNAME: required: true @@ -24,6 +40,20 @@ jobs: steps: - name: Checkout Code uses: actions/checkout@v5 + with: + fetch-depth: 0 # Full clone to ensure base ref is available + + # NEW STEP: container runs as different user than checkout — mark safe + - name: Mark workspace safe + if: inputs.pr_number != '' + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" + + # NEW STEP: fetch the fork PR's head commits (not in origin by default) + - name: Fetch PR head ref + if: inputs.pr_number != '' + env: + PR_NUMBER: ${{ inputs.pr_number }} + run: git fetch origin pull/$PR_NUMBER/head - name: Checkout ignore projects file uses: actions/checkout@v5 
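Review bot: The `base_ref` and `compare_ref` descriptions in the new `inputs:` block do not say that the two values are only honoured together. The `Run fossid-toolbox` step later in this patch falls back to auto-detection unless both are non-empty, and it adds the `origin/` prefix to `base_ref` itself. I would state that in the text, e.g. `description: 'Base branch name without the origin/ prefix (e.g. develop). Ignored unless compare_ref is also set.'`, with the matching caveat on `compare_ref`. The trailing `# NEW:` comments describe the commit rather than the file and will go stale, so they could be dropped.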
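Review bot: In the added `Fetch PR head ref` step, `PR_NUMBER` reaches `git fetch` unquoted and unchecked, so a `pr_number` value containing whitespace or non-digits is word-split into extra arguments or a different refspec. Passing the input through `env:` instead of interpolating `${{ }}` into the script is the right choice; the remaining gap is that `pr_number` is a free-form string supplied by any caller of this reusable workflow. I would reject anything that is not a decimal number and quote the expansion: `case "$PR_NUMBER" in ''|*[!0-9]*) echo "pr_number must be numeric" >&2; exit 1 ;; esac` followed by `git fetch origin "pull/${PR_NUMBER}/head"` (the step then needs `run: |`). The job body continues outside the hunk.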
@@ -33,16 +63,24 @@ jobs: ignore_projects_fossid ref: develop path: tools - + - name: Run fossid-toolbox env: FOSSID_HOST_USERNAME: ${{ secrets.FOSSID_HOST_USERNAME }} FOSSID_HOST_TOKEN: ${{ secrets.FOSSID_HOST_TOKEN }} + BASE_REF: ${{ inputs.base_ref }} + COMPARE_REF: ${{ inputs.compare_ref }} run: | + # NEW: build explicit ref args when provided, otherwise let fossid auto-detect + REF_ARGS="" + if [ -n "$BASE_REF" ] && [ -n "$COMPARE_REF" ]; then + REF_ARGS="--base-ref origin/$BASE_REF --compare-ref $COMPARE_REF" + fi fossid \ diffscan \ --fossid-host $FOSSID_HOST_USERNAME \ --fossid-token $FOSSID_HOST_TOKEN \ --format github \ --fail \ - --ignore-projects tools/ignore_projects_fossid + --ignore-projects tools/ignore_projects_fossid \ + $REF_ARGS From 696fa1c8e92295bf08d766bd67aa18220b687da0 Mon Sep 17 00:00:00 2001 From: Stephen Barrett Date: Thu, 25 Jun 2026 11:30:31 +0100 Subject: [PATCH 2/5] Update fossid_integration_stateless_diffscan_target_repo.yml (#50) Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- ...gration_stateless_diffscan_target_repo.yml | 62 +++++++++++++++++-- 1 file changed, 56 insertions(+), 6 deletions(-) diff --git a/.github/workflows/fossid_integration_stateless_diffscan_target_repo.yml b/.github/workflows/fossid_integration_stateless_diffscan_target_repo.yml index 5038b43..cc84af3 100644 --- a/.github/workflows/fossid_integration_stateless_diffscan_target_repo.yml +++ b/.github/workflows/fossid_integration_stateless_diffscan_target_repo.yml 
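Review bot: `$REF_ARGS` is expanded unquoted at the end of the `fossid diffscan` command, so the caller-supplied `base_ref` and `compare_ref` strings are word-split and glob-expanded before `fossid` sees them. Building the optional arguments as positional parameters keeps each value a single argument: `set --` before the `if`, `set -- --base-ref "origin/$BASE_REF" --compare-ref "$COMPARE_REF"` inside it, and `"$@"` in place of `$REF_ARGS`. Quoting alone does not stop a `compare_ref` that begins with `-` from being read as an option, so such values should be rejected up front. The step should also fail when only one of the two inputs is set, because the current test silently falls back to auto-detection in that case. The existing `$FOSSID_HOST_USERNAME` and `$FOSSID_HOST_TOKEN` expansions in the same command are unquoted as well.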
@@ -1,13 +1,63 @@ name: Fossid Stateless Diff Scan -on: +on: pull_request: - branches: - - develop + types: [opened, synchronize, reopened] + workflow_dispatch: # NEW: manual trigger + inputs: + pr_number: + description: 'PR number to scan (including fork PRs)' + required: true + type: string + +permissions: + contents: read + pull-requests: read + jobs: - call-fossid-workflow: - uses: rdkcentral/build_tools_workflows/.github/workflows/fossid_integration_stateless_diffscan.yml@develop - secrets: + # Automatic scan for internal PRs (same repo, not a fork) + call-fossid-pr: + if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository + uses: rdkcentral/build_tools_workflows/.github/workflows/fossid_integration_stateless_diffscan.yml@1.0.0 + secrets: + FOSSID_CONTAINER_USERNAME: ${{ secrets.FOSSID_CONTAINER_USERNAME }} + FOSSID_CONTAINER_PASSWORD: ${{ secrets.FOSSID_CONTAINER_PASSWORD }} + FOSSID_HOST_USERNAME: ${{ secrets.FOSSID_HOST_USERNAME }} + FOSSID_HOST_TOKEN: ${{ secrets.FOSSID_HOST_TOKEN }} + + # Manual scan for any PR (including fork PRs) — step 1: resolve refs + resolve-pr-refs: + name: Resolve PR Refs + if: github.event_name == 'workflow_dispatch' + runs-on: ubuntu-latest + outputs: + base_ref: ${{ steps.pr.outputs.base_ref }} + head_sha: ${{ steps.pr.outputs.head_sha }} + steps: + - name: Get PR details + id: pr + uses: actions/github-script@v8 + with: + script: | + const prNumber = parseInt(context.payload.inputs.pr_number, 10); + const { data: pr } = await github.rest.pulls.get({ + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: prNumber + }); + core.setOutput('base_ref', pr.base.ref); + core.setOutput('head_sha', pr.head.sha); + + # Manual scan for any PR (including fork PRs) — step 2: run fossid with explicit refs + call-fossid-dispatch: + if: github.event_name == 'workflow_dispatch' + needs: [resolve-pr-refs] + uses: 
rdkcentral/build_tools_workflows/.github/workflows/fossid_integration_stateless_diffscan.yml@1.0.0 + with: + base_ref: ${{ needs.resolve-pr-refs.outputs.base_ref }} + compare_ref: ${{ needs.resolve-pr-refs.outputs.head_sha }} + pr_number: ${{ github.event.inputs.pr_number }} + secrets: FOSSID_CONTAINER_USERNAME: ${{ secrets.FOSSID_CONTAINER_USERNAME }} FOSSID_CONTAINER_PASSWORD: ${{ secrets.FOSSID_CONTAINER_PASSWORD }} FOSSID_HOST_USERNAME: ${{ secrets.FOSSID_HOST_USERNAME }} From 37f04ff7fdb3f7eb654520e9e86c618dfca35214 Mon Sep 17 00:00:00 2001 From: Stephen Barrett Date: Thu, 25 Jun 2026 11:43:30 +0100 Subject: [PATCH 3/5] Make Fossid workspace safe unconditionally --- .github/workflows/fossid_integration_stateless_diffscan.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/fossid_integration_stateless_diffscan.yml b/.github/workflows/fossid_integration_stateless_diffscan.yml index b3cdc8b..8c1f2b1 100644 --- a/.github/workflows/fossid_integration_stateless_diffscan.yml +++ b/.github/workflows/fossid_integration_stateless_diffscan.yml @@ -45,7 +45,6 @@ jobs: # NEW STEP: container runs as different user than checkout — mark safe - name: Mark workspace safe - if: inputs.pr_number != '' run: git config --global --add safe.directory "$GITHUB_WORKSPACE" # NEW STEP: fetch the fork PR's head commits (not in origin by default) From f21162dd6665cf597ea47dfeb04ca4127a492e7b Mon Sep 17 00:00:00 2001 From: Stephen Barrett Date: Thu, 25 Jun 2026 11:51:32 +0100 Subject: [PATCH 4/5] Point Fossid caller at feature branch --- .../fossid_integration_stateless_diffscan_target_repo.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/fossid_integration_stateless_diffscan_target_repo.yml b/.github/workflows/fossid_integration_stateless_diffscan_target_repo.yml index cc84af3..19bcee9 100644 --- a/.github/workflows/fossid_integration_stateless_diffscan_target_repo.yml 
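Review bot: The `resolve-pr-refs` script parses `pr_number` with `parseInt` but never checks the result, and `call-fossid-dispatch` then forwards the raw `github.event.inputs.pr_number` string instead of the parsed value. `parseInt` accepts a numeric prefix, so an input such as `12abc` resolves refs for PR 12 while the called workflow receives the unparsed string for its `git fetch origin pull/$PR_NUMBER/head` refspec. I would require the input to be all digits, fail the step otherwise, publish the validated number as a job output, and pass that output to the reusable workflow, as sketched below. `actions/github-script@v8` is also referenced by a movable tag in a workflow whose sibling jobs carry the `FOSSID_*` secrets; pinning it to a commit SHA would be consistent with that sensitivity.

```yaml
    outputs:
      # … unchanged: base_ref, head_sha …
      pr_number: ${{ steps.pr.outputs.pr_number }}
# … unchanged: "Get PR details" step header and `with:` …
          script: |
            const raw = context.payload.inputs.pr_number;
            if (!/^[1-9][0-9]*$/.test(raw)) {
              core.setFailed('pr_number must be a positive integer');
              return;
            }
            const prNumber = Number(raw);
            // … unchanged: pulls.get call, base_ref and head_sha outputs …
            core.setOutput('pr_number', String(prNumber));
# … unchanged: call-fossid-dispatch header, base_ref, compare_ref …
      pr_number: ${{ needs.resolve-pr-refs.outputs.pr_number }}
```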
+++ b/.github/workflows/fossid_integration_stateless_diffscan_target_repo.yml @@ -18,7 +18,7 @@ jobs: # Automatic scan for internal PRs (same repo, not a fork) call-fossid-pr: if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository - uses: rdkcentral/build_tools_workflows/.github/workflows/fossid_integration_stateless_diffscan.yml@1.0.0 + uses: rdkcentral/build_tools_workflows/.github/workflows/fossid_integration_stateless_diffscan.yml@feature/fossid-wflow-dispatch secrets: FOSSID_CONTAINER_USERNAME: ${{ secrets.FOSSID_CONTAINER_USERNAME }} FOSSID_CONTAINER_PASSWORD: ${{ secrets.FOSSID_CONTAINER_PASSWORD }} @@ -52,7 +52,7 @@ jobs: call-fossid-dispatch: if: github.event_name == 'workflow_dispatch' needs: [resolve-pr-refs] - uses: rdkcentral/build_tools_workflows/.github/workflows/fossid_integration_stateless_diffscan.yml@1.0.0 + uses: rdkcentral/build_tools_workflows/.github/workflows/fossid_integration_stateless_diffscan.yml@feature/fossid-wflow-dispatch with: base_ref: ${{ needs.resolve-pr-refs.outputs.base_ref }} compare_ref: ${{ needs.resolve-pr-refs.outputs.head_sha }} From 7abcbc2223496a9f4f359e5c9fb7ae972060d90c Mon Sep 17 00:00:00 2001 From: Stephen Barrett Date: Thu, 25 Jun 2026 14:12:51 +0100 Subject: [PATCH 5/5] Add test marker to exercise Fossid workflows --- .github/test-pr-trigger-fossid.txt | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 .github/test-pr-trigger-fossid.txt diff --git a/.github/test-pr-trigger-fossid.txt b/.github/test-pr-trigger-fossid.txt new file mode 100644 index 0000000..7837c4e --- /dev/null +++ b/.github/test-pr-trigger-fossid.txt @@ -0,0 +1,2 @@ +FOSSID workflow test PR marker +Created: 2026-06-25T13:12:51Z
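Review bot: The `uses:` line in `call-fossid-pr` now references the reusable workflow at the branch `feature/fossid-wflow-dispatch`, a mutable ref, while passing it the four `FOSSID_*` secrets. Whatever is pushed to that branch next runs with those credentials in every repository that adopts this caller, with no review step on the caller's side. The second hunk (`call-fossid-dispatch`) has the same issue. If the branch ref is only there for testing, as the later test-marker commit suggests, it should be reverted before this reaches the default branch. Pinning to a full commit SHA with the release in a trailing comment would close the gap, e.g. `uses: rdkcentral/build_tools_workflows/.github/workflows/fossid_integration_stateless_diffscan.yml@<full-commit-sha>  # 1.0.0` (placeholder, not a real SHA).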