Skip to content

Commit 66d9305

Browse files
committed
Security hardening: migrate CI to hardened runners + JFrog proxy
- Migrate all Linux jobs to databricks-protected-runner-group / linux-ubuntu-latest - Migrate unit-tests Windows job to databricks-protected-runner-group-large / windows-server-latest-large - Migrate push.yml and unit-tests.yml off macos-latest to Linux hardened runners - Add OIDC permissions (id-token: write, contents: read) to all migrated jobs - Add JFrog OIDC proxy scripts for npm/yarn (db-npm) and pip (db-pypi) - Temporarily disable publish-to-vscode and publish-to-openvsx jobs pending secure release repo migration Part of security hardening initiative (GA April 9, 2026). Ref: docs/security-hardening-unblock-plan.md Phase 1 Co-authored-by: Isaac
1 parent 9e768db commit 66d9305

13 files changed

Lines changed: 147 additions & 23 deletions

.github/scripts/configure-npm.sh

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,21 @@
1+
#!/usr/bin/env bash
2+
# Point npm and Yarn at the internal JFrog npm registry.
3+
# Reads JFROG_ACCESS_TOKEN from the environment (set by jfrog-oidc-token.sh).
4+
set -euo pipefail
5+
6+
JFROG_NPM_REGISTRY="https://databricks.jfrog.io/artifactory/api/npm/db-npm/"
7+
8+
# Configure npm CLI
9+
cat > ~/.npmrc << EOF
10+
registry=${JFROG_NPM_REGISTRY}
11+
//databricks.jfrog.io/artifactory/api/npm/db-npm/:_authToken=${JFROG_ACCESS_TOKEN}
12+
always-auth=true
13+
EOF
14+
15+
# Configure Yarn Berry (v2+) — does not read ~/.npmrc for registry
16+
{
17+
echo "YARN_NPM_REGISTRY_SERVER=${JFROG_NPM_REGISTRY}"
18+
echo "YARN_NPM_AUTH_TOKEN=${JFROG_ACCESS_TOKEN}"
19+
} >> "$GITHUB_ENV"
20+
21+
echo "npm/yarn configured to use JFrog registry (db-npm)"

.github/scripts/configure-pip.sh

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
#!/usr/bin/env bash
2+
# Point pip at the internal JFrog PyPI registry.
3+
# Reads JFROG_ACCESS_TOKEN from the environment (set by jfrog-oidc-token.sh).
4+
set -euo pipefail
5+
6+
echo "PIP_INDEX_URL=https://gha-service-account:${JFROG_ACCESS_TOKEN}@databricks.jfrog.io/artifactory/api/pypi/db-pypi/simple" >> "$GITHUB_ENV"
7+
8+
echo "pip configured to use JFrog registry (db-pypi)"
Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,27 @@
1+
#!/usr/bin/env bash
2+
set -euo pipefail
3+
4+
# Exchange a GitHub Actions OIDC token for a JFrog access token and
5+
# write JFROG_ACCESS_TOKEN to $GITHUB_ENV so subsequent steps can use it.
6+
7+
# Get GitHub OIDC ID token
8+
ID_TOKEN=$(curl -sLS \
9+
-H "User-Agent: actions/oidc-client" \
10+
-H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
11+
"${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"')
12+
echo "::add-mask::${ID_TOKEN}"
13+
14+
# Exchange for JFrog access token
15+
ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \
16+
"https://databricks.jfrog.io/access/api/v1/oidc/token" \
17+
-d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq .access_token | tr -d '"')
18+
echo "::add-mask::${ACCESS_TOKEN}"
19+
20+
if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
21+
echo "FAIL: Could not extract JFrog access token"
22+
exit 1
23+
fi
24+
25+
echo "JFROG_ACCESS_TOKEN=${ACCESS_TOKEN}" >> "$GITHUB_ENV"
26+
27+
echo "JFrog OIDC token obtained successfully"

.github/workflows/create-build-artifacts.yml

Lines changed: 12 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -6,8 +6,12 @@ on:
66
jobs:
77
create-build-artifacts:
88
runs-on:
9-
group: databricks-deco-testing-runner-group
10-
labels: ubuntu-latest-deco
9+
group: databricks-protected-runner-group
10+
labels: linux-ubuntu-latest
11+
12+
permissions:
13+
id-token: write
14+
contents: read
1115

1216
defaults:
1317
run:
@@ -16,6 +20,12 @@ jobs:
1620
steps:
1721
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
1822

23+
- name: Obtain JFrog OIDC token
24+
run: bash .github/scripts/jfrog-oidc-token.sh
25+
26+
- name: Configure JFrog npm registry
27+
run: bash .github/scripts/configure-npm.sh
28+
1929
- name: Use Node.js 22
2030
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
2131
with:

.github/workflows/create-release.yml

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -17,8 +17,12 @@ jobs:
1717
needs: ["create-build-artifacts"]
1818

1919
runs-on:
20-
group: databricks-deco-testing-runner-group
21-
labels: ubuntu-latest-deco
20+
group: databricks-protected-runner-group
21+
labels: linux-ubuntu-latest
22+
23+
permissions:
24+
id-token: write
25+
contents: read
2226

2327
steps:
2428
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

.github/workflows/integration-tests.yml

Lines changed: 15 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -11,8 +11,12 @@ jobs:
1111
name: Check secrets access
1212

1313
runs-on:
14-
group: databricks-deco-testing-runner-group
15-
labels: ubuntu-latest-deco
14+
group: databricks-protected-runner-group
15+
labels: linux-ubuntu-latest
16+
17+
permissions:
18+
id-token: write
19+
contents: read
1620

1721
environment: "test-trigger-is"
1822
outputs:
@@ -33,8 +37,12 @@ jobs:
3337
name: Trigger Tests
3438

3539
runs-on:
36-
group: databricks-deco-testing-runner-group
37-
labels: ubuntu-latest-deco
40+
group: databricks-protected-runner-group
41+
labels: linux-ubuntu-latest
42+
43+
permissions:
44+
id-token: write
45+
contents: read
3846

3947
needs: check-token
4048
if: github.event_name == 'pull_request' && needs.check-token.outputs.has_token == 'true'
@@ -92,10 +100,11 @@ jobs:
92100
if: github.event_name == 'merge_group'
93101

94102
runs-on:
95-
group: databricks-deco-testing-runner-group
96-
labels: ubuntu-latest-deco
103+
group: databricks-protected-runner-group
104+
labels: linux-ubuntu-latest
97105

98106
permissions:
107+
id-token: write
99108
checks: write
100109
contents: read
101110

.github/workflows/nightly-release.yml

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -14,8 +14,12 @@ jobs:
1414
needs: "create-build-artifacts"
1515

1616
runs-on:
17-
group: databricks-deco-testing-runner-group
18-
labels: ubuntu-latest-deco
17+
group: databricks-protected-runner-group
18+
labels: linux-ubuntu-latest
19+
20+
permissions:
21+
id-token: write
22+
contents: read
1923

2024
steps:
2125
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0

.github/workflows/publish-to-openvsx.yml

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -13,9 +13,10 @@ on:
1313

1414
jobs:
1515
publish-to-openvsx:
16+
if: false # Temporarily disabled — pending secure release repo migration
1617
runs-on:
17-
group: databricks-deco-testing-runner-group
18-
labels: ubuntu-latest-deco
18+
group: databricks-protected-runner-group
19+
labels: linux-ubuntu-latest
1920

2021
environment: Production
2122

.github/workflows/publish-to-vscode.yml

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -13,9 +13,10 @@ on:
1313

1414
jobs:
1515
publish-to-vscode:
16+
if: false # Temporarily disabled — pending secure release repo migration
1617
runs-on:
17-
group: databricks-deco-testing-runner-group
18-
labels: ubuntu-latest-deco
18+
group: databricks-protected-runner-group
19+
labels: linux-ubuntu-latest
1920

2021
environment: Production
2122

.github/workflows/push.yml

Lines changed: 14 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -9,10 +9,23 @@ on:
99
jobs:
1010
package:
1111
name: Package Arm64 VSIX
12-
runs-on: "macos-latest"
12+
runs-on:
13+
group: databricks-protected-runner-group
14+
labels: linux-ubuntu-latest
15+
16+
permissions:
17+
id-token: write
18+
contents: read
19+
1320
steps:
1421
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
1522

23+
- name: Obtain JFrog OIDC token
24+
run: bash .github/scripts/jfrog-oidc-token.sh
25+
26+
- name: Configure JFrog npm registry
27+
run: bash .github/scripts/configure-npm.sh
28+
1629
- name: Use Node.js 22.x
1730
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
1831
with:

0 commit comments

Comments
 (0)