
chore(fossa): improve fossa release action #598

Draft
kalmarz wants to merge 1 commit into main from improve-fossa-release

kalmarz commented Jan 21, 2026

This PR

  • Implements a watching/retry mechanism in the composite action that polls the status of the release and waits for the publication.
  • In case of a failure, implements a Slack notification mechanism, ensuring that the impacted parties get notified.

@kalmarz kalmarz marked this pull request as draft January 21, 2026 13:40
kalmarz commented Jan 21, 2026

The workflow changes are untested. I created a separate release group that could fit this purpose:

fossa release-group create \
    -t zoltan-test-identity-attribution-txt \
    -r 8.8.0 \
    --project-locator custom+50756/camunda/identity \
    --project-branch v8.8 \
    --project-revision a768220029d9ef08058e67df14ee7ac30094fd43 \
    --license-policy "Camunda8 Distribution" \
    --security-policy "Default Camunda" \
    --quality-policy "Default Camunda" \
    --team "Identity Team"

View the created release group at: https://app.fossa.com/projects/group/5631

❯ curl --request GET \
           --url "https://app.fossa.com/api/project_group/5631/releases?count=10&page=1" \
           --header "accept: application/json" \
           --header "authorization: Bearer $FOSSA_API_KEY" | jq '.'

{
  "releases": [
    {
      "id": 31121,
      "title": "8.8.0",
      "projectGroupId": 5631,
      "publishedOnPortal": null,
      "publishedAt": null,
      "reportPath": null,
      "publishedLicenses": null,
      "dependency_count": 120,
      "license_count": 6,
      "unresolved_quality_issue_count": 0,
      "unresolved_security_issue_count": 10,
      "unresolved_licensing_issue_count": 0,
      "createdAt": "2026-01-14T09:44:45.146Z",
      "updatedAt": "2026-01-14T09:44:52.650Z"
    }
  ],
  "total": 1
}

curl \
    --request POST \
    --header "accept: application/json" \
    --header "Authorization: Bearer $FOSSA_API_KEY" \
    --url "https://app.fossa.com/api/project_group/5631/release/31121/attribution/TXT"\
"?includeDeepDependencies=true"\
"&includeDirectDependencies=true"\
"&includeLicenseList=true"\
"&includeLicenseScan=true"\
"&includeProjectLicense=true"\
"&includeCopyrightList=true"\
"&includeFileMatches=true"\
"&includeOpenVulnerabilities=true"\
"&includeClosedVulnerabilities=true"\
"&includeDependencySummary=true"\
"&includeLicenseHeaders=true"\
"&isPublishing=true"

❯ curl --request GET \
           --url "https://app.fossa.com/api/project_group/5631/releases?count=10&page=1" \
           --header "accept: application/json" \
           --header "authorization: Bearer $FOSSA_API_KEY" | jq '.'

{
  "releases": [
    {
      "id": 31121,
      "title": "8.8.0",
      "projectGroupId": 5631,
      "publishedOnPortal": "pending",
      "publishedAt": null,
      "reportPath": null,
      "publishedLicenses": null,
      "dependency_count": 120,
      "license_count": 6,
      "unresolved_quality_issue_count": 0,
      "unresolved_security_issue_count": 10,
      "unresolved_licensing_issue_count": 0,
      "createdAt": "2026-01-14T09:44:45.146Z",
      "updatedAt": "2026-01-14T10:24:11.379Z"
    }
  ],
  "total": 1
}

❯ curl --request GET \
           --url "https://app.fossa.com/api/project_group/5631/releases?count=10&page=1" \
           --header "accept: application/json" \
           --header "authorization: Bearer $FOSSA_API_KEY" | jq '.'

{
  "releases": [
    {
      "id": 31121,
      "title": "8.8.0",
      "projectGroupId": 5631,
      "publishedOnPortal": "attribution_txt",
      "publishedAt": "2026-01-14T10:24:19.255Z",
      "reportPath": "FOSSA_BOMS/50756/RELEASE_GROUP_5631_31121_2026-01-14_102415619Z.txt",
      "publishedLicenses": [
        "Apache-2.0",
        "OFL-1.1",
        "MIT",
        "BSD-3-Clause",
        "0BSD",
        "ISC"
      ],
      "dependency_count": 120,
      "license_count": 6,
      "unresolved_quality_issue_count": 0,
      "unresolved_security_issue_count": 10,
      "unresolved_licensing_issue_count": 0,
      "createdAt": "2026-01-14T09:44:45.146Z",
      "updatedAt": "2026-01-14T10:24:19.256Z"
    }
  ],
  "total": 1
}
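
The watch/retry step described in this PR could be structured as below, driven by the three `publishedOnPortal` states visible in the responses above. This is an added example, not code from the PR or from FOSSA; `classify`, `wait_for_publication` and the `fetch` callable are hypothetical names, and treating any non-pending value with `publishedAt` and `reportPath` set as "published" is an assumption.

```python
import time

# Trimmed copies of the three /releases responses quoted above, reduced to the
# fields the poller reads (sample input embedded so the example runs offline).
SAMPLE_RESPONSES = [
    {"releases": [{"id": 31121, "publishedOnPortal": None,
                   "publishedAt": None, "reportPath": None}]},
    {"releases": [{"id": 31121, "publishedOnPortal": "pending",
                   "publishedAt": None, "reportPath": None}]},
    {"releases": [{"id": 31121, "publishedOnPortal": "attribution_txt",
                   "publishedAt": "2026-01-14T10:24:19.255Z",
                   "reportPath": "FOSSA_BOMS/50756/RELEASE_GROUP_5631_31121_2026-01-14_102415619Z.txt"}]},
]


def classify(payload, release_id):
    """Map one /releases response to (status, report_path)."""
    release = next((r for r in payload.get("releases", [])
                    if r.get("id") == release_id), None)
    if release is None:
        return "unknown", None
    state = release.get("publishedOnPortal")
    if state is None:
        return "not_started", None
    if state == "pending":
        return "pending", None
    # Assumption: published only when timestamp and report path are both set.
    if release.get("publishedAt") and release.get("reportPath"):
        return "published", release["reportPath"]
    return "unknown", None


def wait_for_publication(fetch, release_id, attempts=10, delay=30.0, sleep=time.sleep):
    """Poll fetch() with a bounded retry budget; fail closed on anything unexpected.

    fetch is a hypothetical callable returning the decoded JSON of the releases
    endpoint, so the API key stays inside it and never reaches logs from here.
    """
    for attempt in range(1, attempts + 1):
        status, report_path = classify(fetch(), release_id)
        if status == "published":
            return report_path, attempt
        if status == "unknown":
            raise RuntimeError(f"release {release_id}: unexpected state, not retrying")
        if attempt < attempts:
            sleep(delay)
    raise TimeoutError(f"release {release_id} not published after {attempts} attempts")
```

Either exception is the point at which the failure notification would be sent.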
