Update documentation infrastructure (#2384)

## Changes

This PR updates the docusaurus plumbing so that CI/CD works with JFrog.
The yarn config/setup has also been updated to ensure that the developer
environment matches CI/CD.

Incidental changes:

 - Now building with Node 25 instead of 20.
- Sparse checkouts, and only the current version of the repo instead of
the complete history.

### Relevant implementation details

For some reason I had to pin the version of `webpack` to get the build
to succeed: newer versions aren't compatible with the version of
`docusaurus` that we are using.

### Caveats/things to watch out for when reviewing:

- This PR is only about the documentation workflows; the others are
still failing and out of scope for this PR.

### Linked issues

Replaces #2381 (bun is incompatible with JFrog)

### Tests

- manually tested
- CI/CD automation

Author: asnare

.github/actions/jfrog-auth/action.yml

@@ -1,5 +1,11 @@
 name: 'Authenticate for JFrog'
 description: 'Authenticate with JFrog using OIDC based on the GitHub repository.'
+# Some things to note:
+#  - Run this _after_ installing any tools that need to use JFrog; auth is configured all the (supported) tools that it
+#    detects.
+#  - Where possible we avoid exposing tokens in environment variables, preferring to write them into files instead.
+#    (Tokens in environment variables tend to be more exposed and easier to leak than those written into files.)
+#
 # TODO: Factor out into an external action, once releases are allowed.
 outputs:
   jfrog-access-token:
@@ -18,13 +24,35 @@ runs:
       name: Detecting python package/project managers.
       shell: bash
       run: |
-        for cmd in pip3 uv
+        for cmd in bun npm pip3 uv
         do
           command -v "${cmd}" > /dev/null && found=true || found=false
           printf '::debug::%s\n' "Found ${cmd}: ${found}"
           printf '%s=%s\n' "command_${cmd}" "${found}" >> "${GITHUB_OUTPUT}"
         done
 
+    - name: Configure bun for JFrog
+      if: "${{ steps.detect-cmds.outputs.command_bun == 'true' }}"
+      shell: bash
+      env:
+        JFROG_ACCESS_TOKEN: "${{ steps.jfrog-auth.outputs.jfrog-access-token }}"
+      run: |
+        umask 077
+        cat > ~/.bunfig.toml << EOF
+        [install]
+        registry = { url = "https://databricks.jfrog.io/artifactory/api/npm/db-npm/", token = "$jfrog_access_token" }
+        EOF
+        cat > "${RUNNER_TEMP}/.bun.env" << EOF
+        # Environment variables loaded by bun.
+        jfrog_access_token='${JFROG_ACCESS_TOKEN}'
+        EOF
+        printf '%s=%s\n' 'BUN_OPTIONS' "--env-file=${RUNNER_TEMP}/.bun.env" >> "${GITHUB_ENV}"
+        printf '::debug::%s\n' 'Configured JFrog access for bun.'
+        # There are currently the following issues with JFrog:
+        #  - The default set of CAs doesn't seem to cover the ones used by our JFrog instance.
+        #  - The JSON metadata returned for some NPM artefacts can be invalid JSON.
+        printf '::warning::%s\n' 'JFrog has compatibility issues with bun; it probably won't work.'
+
     - name: Configure pip for JFrog
       if: "${{ steps.detect-cmds.outputs.command_pip3 == 'true' }}"
       shell: bash
@@ -37,6 +65,7 @@ runs:
         index-url = https://gha-service-account:${JFROG_ACCESS_TOKEN}@databricks.jfrog.io/artifactory/api/pypi/db-pypi/simple
         EOF
         printf '%s=%s\n' 'PIP_CONFIG_FILE' "${RUNNER_TEMP}/.pip.conf" >> "${GITHUB_ENV}"
+        printf '::debug::%s\n' 'Configured JFrog access for pip.'
 
     - name: Configure uv for JFrog
       if: "${{ steps.detect-cmds.outputs.command_uv == 'true' }}"
@@ -46,5 +75,21 @@ runs:
         UV_INDEX_URL: 'https://databricks.jfrog.io/artifactory/api/pypi/db-pypi/simple'
       run: |
         uv auth login "${UV_INDEX_URL}" --username gha-service-account --password "${JFROG_ACCESS_TOKEN}"
-        printf "%s=%s\n" 'UV_INDEX_URL' "${UV_INDEX_URL}" >> "${GITHUB_ENV}"
-        printf "%s=%s\n" 'UV_FROZEN' '1' >> "${GITHUB_ENV}"
+        printf '%s=%s\n' 'UV_INDEX_URL' "${UV_INDEX_URL}" >> "${GITHUB_ENV}"
+        printf '%s=%s\n' 'UV_FROZEN' '1' >> "${GITHUB_ENV}"
+        printf '::debug::%s\n' 'Configured JFrog access for uv.'
+
+    - name: Configure npm/yarn (classic) for JFrog
+      if: "${{ steps.detect-cmds.outputs.command_npm == 'true' }}"
+      shell: bash
+      env:
+        JFROG_ACCESS_TOKEN: "${{ steps.jfrog-auth.outputs.jfrog-access-token }}"
+      run: |
+        umask 077
+        cat > ~/.npmrc << EOF
+        registry=https://databricks.jfrog.io/artifactory/api/npm/db-npm/
+        always-auth=true
+        ignore-scripts=true
+        //databricks.jfrog.io/artifactory/api/npm/db-npm/:_authToken=${JFROG_ACCESS_TOKEN}
+        EOF
+        printf '::debug::%s\n' 'Configured JFrog access for npm/yarn (classic).'

.github/workflows/docs-build.yml

@@ -19,21 +19,28 @@ jobs:
     runs-on:
       group: databrickslabs-protected-runner-group
       labels: linux-ubuntu-latest
-    defaults:
-      run:
-        working-directory: docs/lakebridge
+    permissions:
+      # JFrog OIDC authentication.
+      id-token: write
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
-          fetch-depth: 0
+          sparse-checkout: |
+            .github/actions
+            docs
+          sparse-checkout-cone-mode: 'true'
+
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: 20
+          node-version: 25.9.0
           cache: yarn
-          cache-dependency-path: docs/lakebridge/yarn.lock # need to put the lockfile path explicitly
+          cache-dependency-path: docs/lakebridge/yarn.lock
+
+      - name: Setup for JFrog
+        uses: ./.github/actions/jfrog-auth
 
       - name: Configure documentation environment
-        run: make dev
+        run: make docs-dev
 
       - name: Build website
-        run: yarn build
+        run: make docs-build

.github/workflows/docs-release.yml

@@ -16,24 +16,31 @@ jobs:
       group: databrickslabs-protected-runner-group
       labels: linux-ubuntu-latest
     environment: release
-    defaults:
-      run:
-        working-directory: docs/lakebridge
+    permissions:
+      # JFrog OIDC authentication.
+      id-token: write
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
-          fetch-depth: 0
+          sparse-checkout: |
+            .github/actions
+            docs
+          sparse-checkout-cone-mode: 'true'
+
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: 20
+          node-version: 25.9.0
           cache: yarn
-          cache-dependency-path: docs/lakebridge/yarn.lock # need to put the lockfile path explicitly
+          cache-dependency-path: docs/lakebridge/yarn.lock
+
+      - name: Setup for JFrog
+        uses: ./.github/actions/jfrog-auth
 
       - name: Configure documentation environment
-        run: make dev
+        run: make docs-dev
 
       - name: Build website
-        run: make build
+        run: make docs-build
 
       - name: Upload Build Artifact
         uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
@@ -43,9 +50,6 @@ jobs:
   deploy:
     name: Deploy to GitHub Pages
     needs: build
-    defaults:
-      run:
-        working-directory: docs/lakebridge
 
     # Grant GITHUB_TOKEN the permissions required to make a Pages deployment
     permissions:

Makefile

@@ -52,7 +52,8 @@ lock-dependencies:
 	$(UV_RUN) --group yq tomlq -r '.["build-system"].requires[]' pyproject.toml | \
 	    uv pip compile --generate-hashes --universal --no-header --quiet - > build-constraints-new.txt
 	mv build-constraints-new.txt .build-constraints.txt
-	perl -pi -e 's|registry = "https://[^"]*"|registry = "https://pypi.org/simple/"|g' uv.lock
+	@perl -pi -e 's|registry = "https://[^"]*"|registry = "https://pypi.org/simple/"|g' uv.lock
+	@printf 'Stripped registry references from uv.lock.\n'
 
 clean_coverage_dir:
 	@printf "Deleting: %s\n" "$${OUTPUT_DIR:?must be set}"

docs/lakebridge/.yarnrc

@@ -1 +1,3 @@
 ignore-scripts true
+--engine-strict true
+--install.check-files true

docs/lakebridge/Makefile

@@ -18,7 +18,8 @@ serve: build
 lock-dependencies:
 	rm -f yarn.lock
 	yarn install
-	perl -pi -e 's|resolved "https://[^/]+/|resolved "https://registry.yarnpkg.com/|' yarn.lock
+	@perl -ni -e 'print unless /^\s*resolved\s+"https:/' yarn.lock
+	@printf 'Stripped repository references from yarn.lock.\n'
 
 .DEFAULT: all
 .PHONY: all clean dev build serve-dev serve lock-dependencies

docs/lakebridge/package.json

@@ -59,8 +59,9 @@
     ]
   },
   "engines": {
-    "node": ">=18.0"
+    "node": ">=25.0 <26"
   },
+  "engineStrict": true,
   "resolutions": {
     "ajv": ">=8.18.0",
     "brace-expansion": "^1.1.12",
@@ -74,6 +75,7 @@
     "schema-utils": ">=4.0.0",
     "serialize-javascript": ">=7.0.3",
     "svgo": ">=3.3.3",
+    "webpack": "~5.97.0",
     "webpack-dev-server": "^5.2.1"
   }
 }