Merge remote-tracking branch 'origin/main' into split-release-workflows

Author: pietern

.github/actions/setup-build-environment/action.yml

@@ -12,13 +12,8 @@ runs:
     - name: Checkout repository and submodules
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-    - name: Setup JFrog CLI with OIDC
-      if: runner.os != 'macOS'
-      uses: jfrog/setup-jfrog-cli@279b1f629f43dd5bc658d8361ac4802a7ef8d2d5 # v4.9.1
-      env:
-        JF_URL: https://databricks.jfrog.io
-      with:
-        oidc-provider-name: github-actions
+    - name: Setup JFrog
+      uses: ./.github/actions/setup-jfrog
 
     - name: Create cache identifier
       run: echo "${{ inputs.cache-key }}" > cache.txt
@@ -32,14 +27,6 @@ runs:
           go.sum
           cache.txt
 
-    - name: Download Go modules via JFrog
-      if: runner.os != 'macOS'
-      shell: bash
-      run: |
-        jf goc --repo-resolve=db-golang
-        jf go mod download
-        jf go mod download -modfile=tools/go.mod
-
     - name: Setup Python
       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:

.github/actions/setup-jfrog/action.yml

@@ -0,0 +1,70 @@
+name: 'Setup JFrog'
+description: >-
+  Exchange a GitHub OIDC token for a JFrog access token and configure
+  Go and Python package managers to use the JFrog Artifactory proxy.
+  Requires the calling job to have "permissions: id-token: write".
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Get JFrog OIDC token
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        # Verify that the job has id-token: write permission.
+        if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] || [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
+          echo "::error::OIDC token request URL/token not available. Does this job have 'permissions: id-token: write'?"
+          exit 1
+        fi
+
+        # Exchange GitHub OIDC token for JFrog access token.
+        ID_TOKEN=$(curl -sLS \
+          -H "User-Agent: actions/oidc-client" \
+          -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+          "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq -r .value)
+        echo "::add-mask::${ID_TOKEN}"
+
+        if [ -z "$ID_TOKEN" ] || [ "$ID_TOKEN" = "null" ]; then
+          echo "::error::Failed to obtain GitHub OIDC token."
+          exit 1
+        fi
+
+        ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \
+          "https://databricks.jfrog.io/access/api/v1/oidc/token" \
+          -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq -r .access_token)
+        echo "::add-mask::${ACCESS_TOKEN}"
+
+        if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
+          echo "::error::Failed to exchange GitHub OIDC token for JFrog access token."
+          exit 1
+        fi
+
+        # Verify the token works.
+        HTTP_STATUS=$(curl -sL -o /dev/null -w "%{http_code}" \
+          -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+          "https://databricks.jfrog.io/artifactory/api/system/version")
+        if [ "$HTTP_STATUS" != "200" ]; then
+          echo "::error::JFrog auth check failed (HTTP ${HTTP_STATUS})."
+          exit 1
+        fi
+
+        echo "JFROG_ACCESS_TOKEN=${ACCESS_TOKEN}" >> "$GITHUB_ENV"
+
+    - name: Configure Go to use JFrog proxy
+      shell: bash
+      run: |-
+        set -euo pipefail
+        CREDS="gha-service-account:${JFROG_ACCESS_TOKEN}"
+        echo "::add-mask::${CREDS}"
+        echo "GOPROXY=https://${CREDS}@databricks.jfrog.io/artifactory/api/go/db-golang,direct" >> "$GITHUB_ENV"
+        echo "GONOSUMDB=*" >> "$GITHUB_ENV"
+
+    - name: Configure Python (uv/pip) to use JFrog proxy
+      shell: bash
+      run: |-
+        set -euo pipefail
+        CREDS="gha-service-account:${JFROG_ACCESS_TOKEN}"
+        echo "::add-mask::${CREDS}"
+        echo "UV_INDEX_URL=https://${CREDS}@databricks.jfrog.io/artifactory/api/pypi/db-pypi/simple" >> "$GITHUB_ENV"
+        echo "PIP_INDEX_URL=https://${CREDS}@databricks.jfrog.io/artifactory/api/pypi/db-pypi/simple" >> "$GITHUB_ENV"

.github/dependabot.yml

@@ -4,13 +4,17 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    cooldown:
+      default-days: 14
     ignore:
       # Ignore Databricks Go SDK because its upgrade requires code generation
       - dependency-name: github.com/databricks/databricks-sdk-go
   - package-ecosystem: "gomod"
     directory: "/tools"
     schedule:
       interval: "weekly"
+    cooldown:
+      default-days: 14
   # https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#directories
   - package-ecosystem: "github-actions"
     directories:

.github/workflows/push.yml

@@ -95,10 +95,11 @@ jobs:
               group: databricks-protected-runner-group-large
               labels: linux-ubuntu-latest-large
 
-          - name: windows
-            runner:
-              group: databricks-protected-runner-group-large
-              labels: windows-server-latest-large
+          # Windows runners are offline; commented out temporarily.
+          # - name: windows
+          #   runner:
+          #     group: databricks-protected-runner-group-large
+          #     labels: windows-server-latest-large
 
           - name: macos
             runner:
@@ -226,10 +227,11 @@ jobs:
               group: databricks-protected-runner-group-large
               labels: linux-ubuntu-latest-large
 
-          - name: windows
-            runner:
-              group: databricks-protected-runner-group-large
-              labels: windows-server-latest-large
+          # Windows runners are offline; commented out temporarily.
+          # - name: windows
+          #   runner:
+          #     group: databricks-protected-runner-group-large
+          #     labels: windows-server-latest-large
 
           - name: macos
             runner:
@@ -271,10 +273,11 @@ jobs:
               group: databricks-protected-runner-group-large
               labels: linux-ubuntu-latest-large
 
-          - name: windows
-            runner:
-              group: databricks-protected-runner-group-large
-              labels: windows-server-latest-large
+          # Windows runners are offline; commented out temporarily.
+          # - name: windows
+          #   runner:
+          #     group: databricks-protected-runner-group-large
+          #     labels: windows-server-latest-large
 
           - name: macos
             runner:

NEXT_CHANGELOG.md

@@ -14,6 +14,7 @@
 * engine/direct: Fix unwanted recreation of secret scopes when scope_backend_type is not set ([#4834](https://github.com/databricks/cli/pull/4834))
 * engine/direct: Fix bind and unbind for non-Terraform resources ([#4850](https://github.com/databricks/cli/pull/4850))
 * engine/direct: Fix deploying removed principals ([#4824](https://github.com/databricks/cli/pull/4824))
+* engine/direct: Fix secret scope permissions migration from Terraform to Direct engine ([#4866](https://github.com/databricks/cli/pull/4866))
 
 ### Dependency updates
 

acceptance/bundle/invariant/configs/secret_scope_with_permissions.yml.tmpl

@@ -0,0 +1,13 @@
+bundle:
+  name: test-bundle-$UNIQUE_NAME
+
+resources:
+  secret_scopes:
+    foo:
+      name: test-scope-$UNIQUE_NAME
+      backend_type: DATABRICKS
+      permissions:
+        - level: READ
+          group_name: users
+        - level: WRITE
+          group_name: admins

acceptance/bundle/invariant/continue_293/out.test.toml

@@ -2,10 +2,6 @@
 EnvMatrixExclude.no_catalog = ["INPUT_CONFIG=catalog.yml.tmpl"]
 EnvMatrixExclude.no_external_location = ["INPUT_CONFIG=external_location.yml.tmpl"]
 
-# Unexpected action='create' for resources.secret_scopes.foo.permissions
-EnvMatrixExclude.no_secret_scope = ["INPUT_CONFIG=secret_scope.yml.tmpl"]
-EnvMatrixExclude.no_secret_scope2 = ["INPUT_CONFIG=secret_scope_default_backend_type.yml.tmpl"]
-
 # Cross-resource permission references (e.g. ${resources.jobs.job_b.permissions[0].level})
 # don't work in terraform mode: the terraform interpolator converts the path to
 # ${databricks_job.job_b.permissions[0].level}, but Terraform's databricks_job resource