From 2c7ff34031848628084739d6c12c4a59fa428568 Mon Sep 17 00:00:00 2001
From: Mihai Mitrea
Date: Mon, 20 Apr 2026 12:32:23 +0000
Subject: [PATCH] Split trigger-tests job and route workflow dispatch through emu-access runner
The databricks org tightened its IP allow list between 2026-04-17 and 2026-04-20, so the deco runner group can no longer call /repos/databricks-eng/.../installation. create-github-app-token now 403s and no dispatch is sent; every PR-triggered Integration Tests run has failed at that step since. Merges only go through because merge_group auto-approves without running tests. Split trigger-tests into two jobs, mirroring databricks/databricks-sdk-go#1616 whose Integration Tests run passed end-to-end on 2026-04-10: - create-check stays on the deco runner group and creates the check run on this repo (same steps as before, now exposing check_run_id as a job output). - trigger-tests moves to databricks-release-runner-group-emu-access / linux-ubuntu-latest-emu-access, whose egress IPs are on the databricks-eng allow list, and performs only the cross-org dispatch to databricks-eng/eng-dev-ecosystem. The dispatch step now reads needs.create-check.outputs.check_run_id instead of the old step-output form. check-token and auto-approve are untouched. No new secrets; all required ones already flow through the test-trigger-is environment. Pinned action SHAs unchanged. This is the upstream half of the fix. The downstream mark-as-* failure on databricks-eng/eng-dev-ecosystem was fixed in databricks-eng/eng-dev-ecosystem#1250 (merged 2026-04-20). Supersedes #1616.
NO_CHANGELOG=true
Signed-off-by: Mihai Mitrea
---
.github/workflows/integration-tests.yml | 22 +++++++++++++++++++---
1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index 9012c39df..4a01334ed 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -31,8 +31,8 @@ jobs: echo "has_token=true" >> $GITHUB_OUTPUT fi - trigger-tests: - name: Trigger Tests + create-check: + name: Create Check Run runs-on: group: databricks-deco-testing-runner-group @@ -41,6 +41,8 @@ jobs: needs: check-token if: github.event_name == 'pull_request' && needs.check-token.outputs.has_token == 'true' environment: "test-trigger-is" + outputs: + check_run_id: ${{ steps.create-check.outputs.check_run_id }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -69,6 +71,20 @@ jobs: check_run_id=$(echo "$response" | jq -r .id) echo "check_run_id=$check_run_id" >> $GITHUB_OUTPUT + trigger-tests: + name: Trigger Tests + + runs-on: + group: databricks-release-runner-group-emu-access + labels: linux-ubuntu-latest-emu-access + + needs: [check-token, create-check] + if: github.event_name == 'pull_request' && needs.check-token.outputs.has_token == 'true' + environment: "test-trigger-is" + + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: Generate GitHub App Token for Workflow Trigger id: generate-token uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0 @@ -86,7 +102,7 @@ jobs: --ref main \ -f pull_request_number=${{ github.event.pull_request.number }} \ -f commit_sha=${{ github.event.pull_request.head.sha }} \ - -f check_run_id=${{ steps.create-check.outputs.check_run_id }} + -f check_run_id=${{ needs.create-check.outputs.check_run_id }} # The hash for the merge queue may not be the same as the hash for the PR.
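Review bot: The job output added in the `@@ -41,6 +41,8 @@` hunk, `check_run_id: ${{ steps.create-check.outputs.check_run_id }}`, forwards whatever the `create-check` step wrote without any validation. That step, visible as context in the next hunk, takes the value from `jq -r .id`, which prints the string `null` when the API response carries no `id`. Since this output is now the only contract between the two jobs and ends up in a cross-org dispatch, the step should fail on a non-numeric id, for example `[[ "$check_run_id" =~ ^[0-9]+$ ]] || { echo "no check run id in response" >&2; exit 1; }` before the write to `$GITHUB_OUTPUT`. Most of the step body lies outside the visible hunks, so confirm it does not already check the response.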
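Review bot: The new `trigger-tests` job in the `@@ -69,6 +71,20 @@` hunk opens with `actions/checkout`, which on a `pull_request` event places the PR's merge ref on a runner that is allow-listed for databricks-eng and runs in the `test-trigger-is` environment. The commit message says this job performs only the cross-org dispatch, so if no later step reads the working tree the checkout can be dropped; if it is needed, add `with:` / `persist-credentials: false` to it. The job also declares no `permissions:` block; unless the workflow sets one at the top level (not visible here), an explicit minimal block would document that the dispatch presumably relies on the generated app token rather than `GITHUB_TOKEN`. The job's steps continue past the end of the hunk.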
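Review bot: The changed line `-f check_run_id=${{ needs.create-check.outputs.check_run_id }}` in the `@@ -86,7 +102,7 @@` hunk expands the expression into the script text, unquoted, before the shell runs. The value is expected to be a numeric id, so this is a hardening and style point rather than a live bug. Passing it through the step's `env:` as `CHECK_RUN_ID: ${{ needs.create-check.outputs.check_run_id }}` and writing `-f check_run_id="$CHECK_RUN_ID"` keeps job outputs out of the script body and makes an empty value visible. The two `github.event.pull_request.*` arguments on the context lines above could be moved the same way. The `run:` step begins before the hunk, so its existing `env:` is not visible here.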