Merge remote-tracking branch 'origin/main' into gopal.lal/ES-1804970-enforce-embedded-schema-correctness

# Conflicts:
#	connection.go
#	internal/config/config.go

Author: gopalldb

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# Require review from eng-oss-sql-driver for CI/CD workflow changes
+.github/ @databricks/eng-oss-sql-driver

.github/actions/setup-jfrog/action.yml

@@ -0,0 +1,35 @@
+name: Setup JFrog OIDC
+description: Obtain a JFrog access token via GitHub OIDC and configure Go to use JFrog as a module proxy
+
+runs:
+  using: composite
+  steps:
+    - name: Get JFrog OIDC token
+      shell: bash
+      run: |
+        set -euo pipefail
+        ID_TOKEN=$(curl -sLS \
+          -H "User-Agent: actions/oidc-client" \
+          -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+          "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"')
+        echo "::add-mask::${ID_TOKEN}"
+        ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \
+          "https://databricks.jfrog.io/access/api/v1/oidc/token" \
+          -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq .access_token | tr -d '"')
+        echo "::add-mask::${ACCESS_TOKEN}"
+        if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
+          echo "FAIL: Could not extract JFrog access token"
+          exit 1
+        fi
+        echo "JFROG_ACCESS_TOKEN=${ACCESS_TOKEN}" >> "$GITHUB_ENV"
+        echo "JFrog OIDC token obtained successfully"
+
+    - name: Configure Go
+      shell: bash
+      run: |
+        set -euo pipefail
+        echo "GOPROXY=https://databricks.jfrog.io/artifactory/api/go/db-golang,direct" >> "$GITHUB_ENV"
+        echo "GONOSUMDB=*" >> "$GITHUB_ENV"
+        printf "machine databricks.jfrog.io\nlogin gha-service-account\npassword %s\n" "${JFROG_ACCESS_TOKEN}" > ~/.netrc
+        chmod 600 ~/.netrc
+        echo "Go configured to use JFrog registry"

.github/workflows/dco-check.yml

@@ -12,51 +12,24 @@ jobs:
   dco-check:
     runs-on:
       group: databricks-protected-runner-group
-      labels: [linux-ubuntu-latest]
+      labels: linux-ubuntu-latest
     name: Check DCO Sign-off
     steps:
       - name: Checkout
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.ref }}
-          repository: ${{ github.event.pull_request.head.repo.full_name }}
-
-      - name: Add upstream remote (for forks)
-        run: |
-          if [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then
-            echo "This is a fork, adding upstream remote"
-            git remote add upstream https://github.com/${{ github.repository }}.git
-            git fetch upstream ${{ github.event.pull_request.base.ref }}
-          else
-            echo "This is not a fork, using origin"
-          fi
 
       - name: Check DCO Sign-off
+        env:
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
         run: |
           #!/bin/bash
           set -e
 
-          BASE_SHA="${{ github.event.pull_request.base.sha }}"
-          HEAD_SHA="${{ github.event.pull_request.head.sha }}"
-
           echo "Checking commits from $BASE_SHA to $HEAD_SHA"
 
-          if ! git cat-file -e "$BASE_SHA" 2>/dev/null; then
-            echo "Error: Base commit $BASE_SHA not found"
-            echo "Trying to fetch from upstream..."
-            if [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then
-              git fetch upstream ${{ github.event.pull_request.base.ref }}
-            else
-              git fetch origin ${{ github.event.pull_request.base.ref }}
-            fi
-          fi
-
-          if ! git cat-file -e "$HEAD_SHA" 2>/dev/null; then
-            echo "Error: Head commit $HEAD_SHA not found"
-            exit 1
-          fi
-
           COMMITS=$(git rev-list --no-merges "$BASE_SHA..$HEAD_SHA")
 
           if [ -z "$COMMITS" ]; then

.github/workflows/go.yml

@@ -8,20 +8,24 @@ on:
 
 permissions:
   contents: read
+  id-token: write
 
 jobs:
   lint:
     name: Lint
     runs-on:
       group: databricks-protected-runner-group
-      labels: [linux-ubuntu-latest]
+      labels: linux-ubuntu-latest
 
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Setup JFrog
+        uses: ./.github/actions/setup-jfrog
 
       - name: Set up Go Toolchain
-        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: '1.20.x'
           cache: false
@@ -35,23 +39,25 @@ jobs:
     strategy:
       matrix:
         go-version: [1.20.x]
-        os: [ubuntu-latest]
     runs-on:
       group: databricks-protected-runner-group
-      labels: [linux-ubuntu-latest]
+      labels: linux-ubuntu-latest
 
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Setup JFrog
+        uses: ./.github/actions/setup-jfrog
 
       - name: Set up Go Toolchain
-        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: ${{ matrix.go-version }}
           cache: false
 
       - name: Cache Go artifacts
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: |
             ~/go/pkg/mod

.golangci.yml

@@ -63,6 +63,8 @@ linters-settings:
     exclude-generated: true
     severity: "low"
     confidence: "low"
+  nolintlint:
+    allow-unused: true
 
 run:
   timeout: 5m

README.md

@@ -56,6 +56,34 @@ To disable Cloud Fetch (e.g., when handling smaller datasets or to avoid additio
 token:[your token]@[Workspace hostname]:[Port number][Endpoint HTTP Path]?useCloudFetch=false
 ```
 
+### Telemetry Configuration (Optional)
+
+The driver includes optional telemetry to help improve performance and reliability. Telemetry is **disabled by default** and requires explicit opt-in.
+
+**Opt-in to telemetry** (respects server-side feature flags):
+```
+token:[your token]@[Workspace hostname]:[Port number][Endpoint HTTP Path]?enableTelemetry=true
+```
+
+**Opt-out of telemetry** (explicitly disable):
+```
+token:[your token]@[Workspace hostname]:[Port number][Endpoint HTTP Path]?enableTelemetry=false
+```
+
+**What data is collected:**
+- ✅ Query latency and performance metrics
+- ✅ Error codes (not error messages)
+- ✅ Feature usage (CloudFetch, LZ4, etc.)
+- ✅ Driver version and environment info
+
+**What is NOT collected:**
+- ❌ SQL query text
+- ❌ Query results or data values
+- ❌ Table/column names
+- ❌ User identities or credentials
+
+Telemetry has < 1% performance overhead and uses circuit breaker protection to ensure it never impacts your queries. For more details, see `telemetry/DESIGN.md` and `telemetry/TROUBLESHOOTING.md`.
+
 ### Connecting with a new Connector
 
 You can also connect with a new connector object. For example:

SECURITY.md

@@ -0,0 +1,20 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in this project, please report it responsibly.
+
+**Do not open a public GitHub issue for security vulnerabilities.**
+
+Instead, please report security issues by emailing [security@databricks.com](mailto:security@databricks.com).
+
+Please include:
+- A description of the vulnerability
+- Steps to reproduce the issue
+- Any potential impact
+
+We will acknowledge receipt within 3 business days and aim to provide a resolution timeline within 10 business days.
+
+## Supported Versions
+
+Security updates are applied to the latest release only.

auth/oauth/u2m/authenticator.go

@@ -40,16 +40,17 @@ func NewAuthenticator(hostName string, timeout time.Duration) (auth.Authenticato
 	cloud := oauth.InferCloudFromHost(hostName)
 
 	var clientID, redirectURL string
-	if cloud == oauth.AWS {
+	switch cloud {
+	case oauth.AWS:
 		clientID = awsClientId
 		redirectURL = awsRedirectURL
-	} else if cloud == oauth.Azure {
+	case oauth.Azure:
 		clientID = azureClientId
 		redirectURL = azureRedirectURL
-	} else if cloud == oauth.GCP {
+	case oauth.GCP:
 		clientID = gcpClientId
 		redirectURL = gcpRedirectURL
-	} else {
+	default:
 		return nil, errors.New("unhandled cloud type: " + cloud.String())
 	}
 
@@ -147,14 +148,14 @@ func (tsp *tokenSourceProvider) GetTokenSource() (oauth2.TokenSource, error) {
 	if err != nil {
 		return nil, err
 	}
-	defer listener.Close()
+	defer listener.Close() //nolint:errcheck
 
 	srv := &http.Server{
 		ReadHeaderTimeout: 3 * time.Second,
 		WriteTimeout:      30 * time.Second,
 	}
 
-	defer srv.Close()
+	defer srv.Close() //nolint:errcheck
 
 	// Start local server to wait for callback
 	go func() {
@@ -209,7 +210,7 @@ func (tsp *tokenSourceProvider) ServeHTTP(w http.ResponseWriter, r *http.Request
 	if resp.err != "" {
 		log.Error().Msg(resp.err)
 		w.WriteHeader(http.StatusBadRequest)
-		_, err := w.Write([]byte(errorHTML("Identity Provider returned an error: " + resp.err)))
+		_, err := w.Write([]byte(errorHTML("Identity Provider returned an error: " + resp.err))) //nolint:gosec // XSS not a concern for local OAuth callback
 		if err != nil {
 			log.Error().Err(err).Msg("unable to write error response")
 		}

auth/tokenprovider/exchange.go

@@ -138,7 +138,7 @@ func (p *FederationProvider) tryTokenExchange(ctx context.Context, subjectToken
 	}
 
 	// Create request
-	req, err := http.NewRequestWithContext(ctx, "POST", exchangeURL, strings.NewReader(data.Encode()))
+	req, err := http.NewRequestWithContext(ctx, "POST", exchangeURL, strings.NewReader(data.Encode())) //nolint:gosec // URL is from trusted config
 	if err != nil {
 		return nil, fmt.Errorf("failed to create request: %w", err)
 	}
@@ -147,11 +147,11 @@ func (p *FederationProvider) tryTokenExchange(ctx context.Context, subjectToken
 	req.Header.Set("Accept", "*/*")
 
 	// Make request
-	resp, err := p.httpClient.Do(req)
+	resp, err := p.httpClient.Do(req) //nolint:gosec // G704: URL is from trusted configuration
 	if err != nil {
 		return nil, fmt.Errorf("request failed: %w", err)
 	}
-	defer resp.Body.Close()
+	defer resp.Body.Close() //nolint:errcheck
 
 	body, err := io.ReadAll(resp.Body)
 	if err != nil {

auth/tokenprovider/federation_test.go

@@ -108,7 +108,8 @@ func TestFederationProvider_TokenExchangeSuccess(t *testing.T) {
 		assert.Equal(t, "application/x-www-form-urlencoded", r.Header.Get("Content-Type"))
 		assert.Equal(t, "*/*", r.Header.Get("Accept"))
 
-		// Parse form data
+		// Parse form data - limit body size to prevent G120
+		r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
 		err := r.ParseForm()
 		require.NoError(t, err)
 
@@ -155,13 +156,14 @@ func TestFederationProvider_TokenExchangeWithClientID(t *testing.T) {
 
 	// Create mock server that checks for client_id
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
 		err := r.ParseForm()
 		require.NoError(t, err)
 
 		// Verify client_id is present
 		assert.Equal(t, clientID, r.FormValue("client_id"))
 
-		response := map[string]interface{}{
+		response := map[string]interface{}{ //nolint:gosec // G101: test token, not a real credential
 			"access_token": "sp-wide-federation-token",
 			"token_type":   "Bearer",
 			"expires_in":   3600,