Merge branch 'main' into sd-db/chore/dependabot-security-only

Author: sd-db

.github/actions/setup-python-deps/action.yml

@@ -0,0 +1,38 @@
+name: "Setup Python Dependencies"
+description: |
+  Restores pre-cached Python dependencies and enables offline mode.
+  Outputs cache-hit so callers can fall back to setup-jfrog-pypi on miss.
+
+outputs:
+  cache-hit:
+    description: "Whether the dependency cache was restored and offline mode enabled"
+    value: ${{ steps.uv-cache.outputs.cache-matched-key != '' }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Restore uv and pip cache
+      id: uv-cache
+      uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+      with:
+        path: |
+          ~/.cache/uv
+          ~/.cache/pip
+        key: python-deps-${{ hashFiles('uv.lock', 'pyproject.toml') }}-latest
+        restore-keys: python-deps-${{ hashFiles('uv.lock', 'pyproject.toml') }}-
+
+    - name: Restore pre-commit cache
+      uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+      with:
+        path: ~/.cache/pre-commit
+        key: pre-commit-deps-${{ hashFiles('.pre-commit-config.yaml') }}-latest
+        restore-keys: pre-commit-deps-${{ hashFiles('.pre-commit-config.yaml') }}-
+
+    - name: Enable offline mode
+      if: steps.uv-cache.outputs.cache-matched-key != ''
+      shell: bash
+      run: |
+        echo "UV_OFFLINE=true" >> "$GITHUB_ENV"
+        echo "PIP_NO_INDEX=1" >> "$GITHUB_ENV"
+        mkdir -p ~/.config/pip
+        printf '[global]\nno-index = true\n' > ~/.config/pip/pip.conf

.github/workflows/main.yml

@@ -1,9 +1,8 @@
 # **what?**
 # Runs code quality checks, unit tests, and verifies python build on
-# all code commited to the repository. This workflow should not
-# require any secrets since it runs for PRs from forked repos.
-# By default, secrets are not passed to workflows running from
-# a forked repo.
+# all code commited to the repository. Dependencies are served from a
+# pre-populated cache (see warmDepsCache.yml) when available, with a
+# JFrog OIDC fallback when the cache is cold.
 
 # **why?**
 # Ensure code for dbt meets a certain quality standard.
@@ -53,17 +52,19 @@ jobs:
 
     env:
       UV_FROZEN: "1"
-
-    strategy:
-      fail-fast: false
+      UV_CACHE_DIR: /home/runner/.cache/uv
 
     steps:
       - name: Check out the repository
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
 
-      - name: Setup JFrog PyPI Proxy
-        uses: ./.github/actions/setup-jfrog-pypi
+      - name: Setup Python Dependencies
+        id: deps
+        uses: ./.github/actions/setup-python-deps
 
+      - name: Setup JFrog PyPI Proxy (fallback)
+        if: steps.deps.outputs.cache-hit != 'true'
+        uses: ./.github/actions/setup-jfrog-pypi
 
       - name: Set up Python
         uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
@@ -99,6 +100,7 @@ jobs:
 
     env:
       UV_FROZEN: "1"
+      UV_CACHE_DIR: /home/runner/.cache/uv
 
     strategy:
       fail-fast: false
@@ -109,9 +111,13 @@ jobs:
       - name: Check out the repository
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
 
-      - name: Setup JFrog PyPI Proxy
-        uses: ./.github/actions/setup-jfrog-pypi
+      - name: Setup Python Dependencies
+        id: deps
+        uses: ./.github/actions/setup-python-deps
 
+      - name: Setup JFrog PyPI Proxy (fallback)
+        if: steps.deps.outputs.cache-hit != 'true'
+        uses: ./.github/actions/setup-jfrog-pypi
 
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
@@ -129,6 +135,7 @@ jobs:
 
       # Only run coverage comment once (not for all python versions)
       - name: Coverage Comment
+        id: coverage_comment
         if: matrix.python-version == '3.12' && github.event_name == 'pull_request'
         uses: py-cov-action/python-coverage-comment-action@7188638f871f721a365d644f505d1ff3df20d683  # v3
         with:
@@ -149,14 +156,19 @@ jobs:
 
     env:
       UV_FROZEN: "1"
+      UV_CACHE_DIR: /home/runner/.cache/uv
 
     steps:
       - name: Check out the repository
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
 
-      - name: Setup JFrog PyPI Proxy
-        uses: ./.github/actions/setup-jfrog-pypi
+      - name: Setup Python Dependencies
+        id: deps
+        uses: ./.github/actions/setup-python-deps
 
+      - name: Setup JFrog PyPI Proxy (fallback)
+        if: steps.deps.outputs.cache-hit != 'true'
+        uses: ./.github/actions/setup-jfrog-pypi
 
       - name: Set up Python
         uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5

.github/workflows/warmDepsCache.yml

@@ -0,0 +1,138 @@
+# Warm Python Dependency Cache
+#
+# Pre-downloads all Python dependencies via JFrog Artifactory and saves them
+# to the GitHub Actions cache. PR workflows (including fork PRs, which cannot
+# authenticate to JFrog) restore this cache and build fully offline.
+#
+# Triggers:
+#   - push to main when dependency files change (keeps cache fresh)
+#   - daily schedule (prevents 7-day GitHub Actions cache eviction)
+#   - manual dispatch (with optional PR number to warm cache for a fork's deps)
+
+name: Warm Python Dependency Cache
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "uv.lock"
+      - "pyproject.toml"
+      - ".pre-commit-config.yaml"
+  pull_request: # TEMPORARY: remove after testing
+  schedule:
+    - cron: "0 6 * * *" # Daily at 06:00 UTC
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: "PR number to warm cache for (reads lockfiles from the PR branch). Leave empty to warm from main."
+        required: false
+        type: string
+
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: read
+
+jobs:
+  warm-cache:
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
+
+    env:
+      UV_FROZEN: "1"
+      # Pin cache dir so setup-uv doesn't override it to a temp path.
+      # Must match the path in setup-python-deps/action.yml cache restore.
+      UV_CACHE_DIR: /home/runner/.cache/uv
+
+    steps:
+      - name: Checkout main branch
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - name: Overlay PR dependency files
+        if: inputs.pr_number != ''
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          PR_DATA=$(curl -sLS \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ github.token }}" \
+            "https://api.github.com/repos/${{ github.repository }}/pulls/${{ inputs.pr_number }}")
+
+          FORK_REPO=$(echo "$PR_DATA" | jq -r '.head.repo.full_name')
+          FORK_REF=$(echo "$PR_DATA" | jq -r '.head.ref')
+
+          echo "Warming cache for PR #${{ inputs.pr_number }} from ${FORK_REPO}@${FORK_REF}"
+
+          # Fetch only lockfiles from the fork — .github/actions/ always
+          # comes from main to prevent code injection from forks.
+          git remote add fork "https://github.com/${FORK_REPO}.git"
+          git fetch --depth=1 fork "${FORK_REF}"
+          git checkout FETCH_HEAD -- uv.lock pyproject.toml .pre-commit-config.yaml
+
+      - name: Setup JFrog PyPI Proxy
+        uses: ./.github/actions/setup-jfrog-pypi
+
+      - name: Set up Python
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        with:
+          python-version: "3.10"
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4
+
+      - name: Install Hatch
+        uses: pypa/hatch@257e27e51a6a5616ed08a39a408a21c35c9931bc # install
+
+      - name: Install Python versions for test matrix
+        run: uv python install 3.10 3.11 3.12 3.13
+
+      - name: Create all hatch environments (populates uv cache)
+        run: |
+          set -euo pipefail
+          hatch env create default
+          hatch env create test.py3.10
+          hatch env create test.py3.11
+          hatch env create test.py3.12
+          hatch env create test.py3.13
+          hatch env create verify
+
+      - name: Warm pre-commit cache
+        run: hatch run pre-commit install-hooks
+
+      - name: Build and warm pip cache for verify environment
+        run: |
+          set -euo pipefail
+          hatch -v build
+          # Run verify to populate ~/.cache/pip/ with runtime transitive deps.
+          # Allow failure — we only care about populating the cache.
+          hatch run verify:check-all || true
+
+      - name: Generate cache key
+        id: cache-key
+        shell: bash
+        run: |
+          # Hash first so consumers can prefix-match on the hash alone.
+          # Timestamp suffix ensures each run creates a new immutable entry;
+          # consumers pick the latest timestamp for a given hash.
+          TIMESTAMP=$(date -u +%Y%m%d%H%M%S)
+          LOCK_HASH="${{ hashFiles('uv.lock', 'pyproject.toml') }}"
+          echo "python-deps-key=python-deps-${LOCK_HASH}-${TIMESTAMP}" >> "$GITHUB_OUTPUT"
+
+          PRECOMMIT_HASH="${{ hashFiles('.pre-commit-config.yaml') }}"
+          echo "pre-commit-key=pre-commit-deps-${PRECOMMIT_HASH}-${TIMESTAMP}" >> "$GITHUB_OUTPUT"
+
+      - name: Save uv and pip cache
+        uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        with:
+          path: |
+            ~/.cache/uv
+            ~/.cache/pip
+          key: ${{ steps.cache-key.outputs.python-deps-key }}
+
+      - name: Save pre-commit cache
+        uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        with:
+          path: ~/.cache/pre-commit
+          key: ${{ steps.cache-key.outputs.pre-commit-key }}