chore(deps): bump databricks-sdk and databricks-sql-connector ceilings (#1474)

Bump ceilings on `databricks-sdk` and `databricks-sql-connector` to
admit newer versions. Floors unchanged.

- `databricks-sdk`: `<0.78.0` → `<0.105.0`
- `databricks-sql-connector[pyarrow]`: `<4.1.6` → `<4.3.0`
- `packaging>=21.0, <26.0` declared explicitly (was transitive via
`dbt-core`).
- `uv.lock` refreshed to the latest within the new ranges.

Author: sd-db

CHANGELOG.md

@@ -8,6 +8,10 @@
 
 - Fix missing f-string prefix in `JobRunsApi.submit` debug log ([#1471](https://github.com/databricks/dbt-databricks/pull/1471))
 
+### Under the Hood
+
+- Defer SDK `Config` construction to connection-open time so offline paths (`dbt parse`/`list`/`compile`) don't trigger the host-metadata probe introduced in `databricks-sdk>=0.103`; as a side effect, auth errors now surface at first connection rather than during profile parsing. ([#1474](https://github.com/databricks/dbt-databricks/pull/1474))
+
 ## dbt-databricks 1.12.0 (May 18, 2026)
 
 ### Features

dbt/adapters/databricks/credentials.py

@@ -331,10 +331,15 @@ def authenticate_with_azure_client_secret(self) -> Config:
         )
 
     def __post_init__(self) -> None:
+        # Defer Config construction to first use so dbt parse/list/compile
+        # stay offline.
         if not hasattr(self, "_config"):
             self._config: Optional[Config] = None
+
+    def _ensure_config(self) -> Config:
+        """Build (or return cached) SDK Config. Triggers authentication."""
         if self._config is not None:
-            return
+            return self._config
 
         if self.token:
             self._config = self.authenticate_with_pat()
@@ -380,9 +385,13 @@ def __post_init__(self) -> None:
                         )
                         raise Exception(f"All authentication methods failed. Details: {exceptions}")
 
+        # Narrow Optional[Config] for the return type.
+        assert self._config is not None
+        return self._config
+
     @property
     def api_client(self) -> WorkspaceClient:
-        return WorkspaceClient(config=self._config)
+        return WorkspaceClient(config=self._ensure_config())
 
     @property
     def credentials_provider(self) -> PySQLCredentialProvider:
@@ -393,14 +402,10 @@ def inner() -> Callable[[], dict[str, str]]:
 
     @property
     def header_factory(self) -> CredentialsProvider:
-        if self._config is None:
-            raise RuntimeError("Config is not initialized")
-        header_factory = self._config._header_factory
+        header_factory = self._ensure_config()._header_factory
         assert header_factory is not None, "Header factory is not set."
         return header_factory
 
     @property
     def config(self) -> Config:
-        if self._config is None:
-            raise RuntimeError("Config is not initialized")
-        return self._config
+        return self._ensure_config()

pyproject.toml

@@ -23,13 +23,14 @@ classifiers = [
 ]
 dependencies = [
     "click>=8.2.0, <9.0.0",
-    "databricks-sdk>=0.68.0, <0.78.0",
-    "databricks-sql-connector[pyarrow]>=4.1.1, <4.1.6",
+    "databricks-sdk>=0.68.0, <0.105.0",
+    "databricks-sql-connector[pyarrow]>=4.1.1, <4.3.0",
     "dbt-adapters>=1.22.0, <1.23.0",
     "dbt-common>=1.37.0, <1.38.0",
     "dbt-core>=1.11.2, <1.11.9",
     "dbt-spark>=1.10.0, <1.11.0",
     "keyring>=23.13.0, <25.6.0",
+    "packaging>=21.0, <26.0",
     "pydantic>=1.10.0, <2.13.0",
 ]
 

tests/unit/conftest.py

@@ -0,0 +1,23 @@
+"""Unit-test-only fixtures."""
+
+from contextlib import nullcontext
+from unittest import mock
+
+import pytest
+from databricks.sdk import config as _sdk_config
+
+# databricks-sdk >=0.103 added a network probe to Config(); on older SDKs
+# this symbol doesn't exist and there's nothing to stub.
+_SDK_HAS_HOST_METADATA = hasattr(_sdk_config, "get_host_metadata")
+
+
+@pytest.fixture(autouse=True)
+def _stub_sdk_host_metadata():
+    """Stub the SDK's host-metadata probe — unit tests must stay offline."""
+    if not _SDK_HAS_HOST_METADATA:
+        with nullcontext() as m:
+            yield m
+        return
+    with mock.patch("databricks.sdk.config.get_host_metadata") as m:
+        m.side_effect = ValueError("offline unit test")
+        yield m

tests/unit/test_auth.py

@@ -1,12 +1,156 @@
 import os
 import tempfile
 from os.path import join
+from unittest import mock
 
 import keyring.backend
 import pytest
+from databricks.sdk import config as _sdk_config
 
 from dbt.adapters.databricks.credentials import DatabricksCredentials
 
+# databricks-sdk >=0.103 added a network probe to Config(); on older SDKs
+# this symbol doesn't exist and the lazy `_ensure_config` path is unnecessary.
+_REQUIRES_LAZY_CONFIG = pytest.mark.skipif(
+    not hasattr(_sdk_config, "get_host_metadata"),
+    reason="lazy _ensure_config is only required when Config() does a network probe",
+)
+
+
+_COMMON_KWARGS = {
+    "host": "yourorg.databricks.com",
+    "database": "andre",
+    "http_path": "sql/protocolv1/o/1234567890123456/1234-cluster",
+    "schema": "dbt",
+}
+
+
+@_REQUIRES_LAZY_CONFIG
+class TestParseTimeIsOffline:
+    """`dbt parse/list/compile` must stay fully offline. Building
+    `DatabricksCredentials` is on that path, so for every supported auth
+    method we verify that constructing the credentials never calls
+    `Config()` (which is what triggers the SDK's network I/O)."""
+
+    def test_pat_credentials_init_does_not_call_config(self):
+        with mock.patch("dbt.adapters.databricks.credentials.Config") as mock_config:
+            DatabricksCredentials(token="foo", **_COMMON_KWARGS)
+            mock_config.assert_not_called()
+
+    def test_oauth_m2m_credentials_init_does_not_call_config(self):
+        with mock.patch("dbt.adapters.databricks.credentials.Config") as mock_config:
+            DatabricksCredentials(
+                client_id="cid",
+                client_secret="dose-secret",
+                **_COMMON_KWARGS,
+            )
+            mock_config.assert_not_called()
+
+    def test_external_browser_credentials_init_does_not_call_config(self):
+        # client_id with no client_secret triggers external-browser auth
+        with mock.patch("dbt.adapters.databricks.credentials.Config") as mock_config:
+            DatabricksCredentials(client_id="cid", **_COMMON_KWARGS)
+            mock_config.assert_not_called()
+
+    def test_azure_client_secret_credentials_init_does_not_call_config(self):
+        with mock.patch("dbt.adapters.databricks.credentials.Config") as mock_config:
+            DatabricksCredentials(
+                azure_client_id="acid",
+                azure_client_secret="asecret",
+                **_COMMON_KWARGS,
+            )
+            mock_config.assert_not_called()
+
+
+@_REQUIRES_LAZY_CONFIG
+class TestEnsureConfigTriggersTheRightAuth:
+    """Connect-time counterpart to TestParseTimeIsOffline: when something
+    actually does need the config (e.g. opening a connection), `_ensure_config`
+    must build it via the correct auth method per credential shape. This also
+    exercises every branch of the selection logic in `_ensure_config`."""
+
+    def test_pat_uses_pat_auth(self):
+        creds = DatabricksCredentials(token="foo", **_COMMON_KWARGS)
+        with mock.patch("dbt.adapters.databricks.credentials.Config") as mock_config:
+            creds.authenticate().config
+            mock_config.assert_called_once_with(host=_COMMON_KWARGS["host"], token="foo")
+
+    def test_explicit_azure_uses_azure_client_secret(self):
+        creds = DatabricksCredentials(
+            azure_client_id="acid",
+            azure_client_secret="asecret",
+            auth_type="oauth",
+            **_COMMON_KWARGS,
+        )
+        with mock.patch("dbt.adapters.databricks.credentials.Config") as mock_config:
+            creds.authenticate().config
+            mock_config.assert_called_once_with(
+                host=_COMMON_KWARGS["host"],
+                azure_client_id="acid",
+                azure_client_secret="asecret",
+                auth_type="azure-client-secret",
+            )
+
+    def test_client_id_only_uses_external_browser(self):
+        creds = DatabricksCredentials(client_id="cid", auth_type="oauth", **_COMMON_KWARGS)
+        with mock.patch("dbt.adapters.databricks.credentials.Config") as mock_config:
+            creds.authenticate().config
+            mock_config.assert_called_once_with(
+                host=_COMMON_KWARGS["host"],
+                client_id="cid",
+                client_secret="",
+                auth_type="external-browser",
+            )
+
+    def test_dose_secret_tries_oauth_m2m_first(self):
+        creds = DatabricksCredentials(
+            client_id="cid",
+            client_secret="dose-secret",
+            auth_type="oauth",
+            **_COMMON_KWARGS,
+        )
+        with mock.patch("dbt.adapters.databricks.credentials.Config") as mock_config:
+            creds.authenticate().config
+            mock_config.assert_called_once_with(
+                host=_COMMON_KWARGS["host"],
+                client_id="cid",
+                client_secret="dose-secret",
+                auth_type="oauth-m2m",
+            )
+
+    def test_non_dose_secret_tries_legacy_azure_first(self):
+        creds = DatabricksCredentials(
+            client_id="cid",
+            client_secret="plain-secret",
+            auth_type="oauth",
+            **_COMMON_KWARGS,
+        )
+        with mock.patch("dbt.adapters.databricks.credentials.Config") as mock_config:
+            creds.authenticate().config
+            mock_config.assert_called_once_with(
+                host=_COMMON_KWARGS["host"],
+                azure_client_id="cid",
+                azure_client_secret="plain-secret",
+                auth_type="azure-client-secret",
+            )
+
+    def test_falls_back_to_second_method_when_first_raises(self):
+        creds = DatabricksCredentials(
+            client_id="cid",
+            client_secret="plain-secret",
+            auth_type="oauth",
+            **_COMMON_KWARGS,
+        )
+        fake_config = mock.MagicMock()
+        with mock.patch("dbt.adapters.databricks.credentials.Config") as mock_config:
+            mock_config.side_effect = [RuntimeError("first method fails"), fake_config]
+            creds.authenticate().config
+            assert mock_config.call_count == 2
+            # First call: legacy-azure (default order for non-dose secret).
+            assert mock_config.call_args_list[0].kwargs["auth_type"] == "azure-client-secret"
+            # Second call: oauth-m2m fallback.
+            assert mock_config.call_args_list[1].kwargs["auth_type"] == "oauth-m2m"
+
 
 @pytest.mark.skip(reason="Need to mock requests to OIDC")
 class TestM2MAuth: