databrickslabs
diff --git a/‎.build-constraints.txt‎
Lines changed: 68 additions & 0 deletions b/‎.build-constraints.txt‎
Lines changed: 68 additions & 0 deletions
diff --git a/‎.codegen.json‎
Lines changed: 3 additions & 3 deletions b/‎.codegen.json‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/actions/jfrog-auth/action.yml‎
Lines changed: 46 additions & 0 deletions b/‎.github/actions/jfrog-auth/action.yml‎
Lines changed: 46 additions & 0 deletions
diff --git a/‎.github/actions/jfrog-auth/jfrog-auth‎
Lines changed: 37 additions & 0 deletions b/‎.github/actions/jfrog-auth/jfrog-auth‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎.github/dependabot.yml‎
Lines changed: 5 additions & 5 deletions b/‎.github/dependabot.yml‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎.github/workflows/acceptance.yml‎
Lines changed: 15 additions & 11 deletions b/‎.github/workflows/acceptance.yml‎
Lines changed: 15 additions & 11 deletions
diff --git a/‎.github/workflows/docs-release.yml‎
Lines changed: 3 additions & 0 deletions b/‎.github/workflows/docs-release.yml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎.github/workflows/nightly.yml‎
Lines changed: 14 additions & 11 deletions b/‎.github/workflows/nightly.yml‎
Lines changed: 14 additions & 11 deletions
diff --git a/‎.github/workflows/no-cheat.yml‎
Lines changed: 6 additions & 1 deletion b/‎.github/workflows/no-cheat.yml‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎.github/workflows/push.yml‎
Lines changed: 29 additions & 19 deletions b/‎.github/workflows/push.yml‎
Lines changed: 29 additions & 19 deletions
@@ -0,0 +1,68 @@
+hatchling==1.29.0 \
+    --hash=sha256:50af9343281f34785fab12da82e445ed987a6efb34fd8c2fc0f6e6630dbcc1b0 \
+    --hash=sha256:793c31816d952cee405b83488ce001c719f325d9cda69f1fc4cd750527640ea6
+packaging==26.0 \
+    --hash=sha256:00243ae351a257117b6a241061796684b084ed1c516a08c48a3f7e147a9d80b4 \
+    --hash=sha256:b36f1fef9334a5588b4166f8bcd26a14e521f2b55e6b9de3aaa80d3ff7a37529
+    # via hatchling
+pathspec==1.0.4 \
+    --hash=sha256:0210e2ae8a21a9137c0d470578cb0e595af87edaa6ebf12ff176f14a02e0e645 \
+    --hash=sha256:fb6ae2fd4e7c921a165808a552060e722767cfa526f99ca5156ed2ce45a5c723
+    # via hatchling
+pluggy==1.6.0 \
+    --hash=sha256:7dcc130b76258d33b90f61b658791dede3486c3e6bfb003ee5c9bfb396dd22f3 \
+    --hash=sha256:e920276dd6813095e9377c0bc5566d94c932c33b27a3e3945d8389c374dd4746
+    # via hatchling
+tomli==2.4.1 ; python_full_version < '3.11' \
+    --hash=sha256:01f520d4f53ef97964a240a035ec2a869fe1a37dde002b57ebc4417a27ccd853 \
+    --hash=sha256:0d85819802132122da43cb86656f8d1f8c6587d54ae7dcaf30e90533028b49fe \
+    --hash=sha256:136443dbd7e1dee43c68ac2694fde36b2849865fa258d39bf822c10e8068eac5 \
+    --hash=sha256:1d8591993e228b0c930c4bb0db464bdad97b3289fb981255d6c9a41aedc84b2d \
+    --hash=sha256:2190f2e9dd7508d2a90ded5ed369255980a1bcdd58e52f7fe24b8162bf9fedbd \
+    --hash=sha256:2c1c351919aca02858f740c6d33adea0c5deea37f9ecca1cc1ef9e884a619d26 \
+    --hash=sha256:36d2bd2ad5fb9eaddba5226aa02c8ec3fa4f192631e347b3ed28186d43be6b54 \
+    --hash=sha256:3d48a93ee1c9b79c04bb38772ee1b64dcf18ff43085896ea460ca8dec96f35f6 \
+    --hash=sha256:47149d5bd38761ac8be13a84864bf0b7b70bc051806bc3669ab1cbc56216b23c \
+    --hash=sha256:4ab97e64ccda8756376892c53a72bd1f964e519c77236368527f758fbc36a53a \
+    --hash=sha256:4b605484e43cdc43f0954ddae319fb75f04cc10dd80d830540060ee7cd0243cd \
+    --hash=sha256:504aa796fe0569bb43171066009ead363de03675276d2d121ac1a4572397870f \
+    --hash=sha256:51529d40e3ca50046d7606fa99ce3956a617f9b36380da3b7f0dd3dd28e68cb5 \
+    --hash=sha256:52c8ef851d9a240f11a88c003eacb03c31fc1c9c4ec64a99a0f922b93874fda9 \
+    --hash=sha256:559db847dc486944896521f68d8190be1c9e719fced785720d2216fe7022b662 \
+    --hash=sha256:5a881ab208c0baf688221f8cecc5401bd291d67e38a1ac884d6736cbcd8247e9 \
+    --hash=sha256:5cb41aa38891e073ee49d55fbc7839cfdb2bc0e600add13874d048c94aadddd1 \
+    --hash=sha256:5e262d41726bc187e69af7825504c933b6794dc3fbd5945e41a79bb14c31f585 \
+    --hash=sha256:5ee18d9ebdb417e384b58fe414e8d6af9f4e7a0ae761519fb50f721de398dd4e \
+    --hash=sha256:7008df2e7655c495dd12d2a4ad038ff878d4ca4b81fccaf82b714e07eae4402c \
+    --hash=sha256:734e20b57ba95624ecf1841e72b53f6e186355e216e5412de414e3c51e5e3c41 \
+    --hash=sha256:7c7e1a961a0b2f2472c1ac5b69affa0ae1132c39adcb67aba98568702b9cc23f \
+    --hash=sha256:7f86fd587c4ed9dd76f318225e7d9b29cfc5a9d43de44e5754db8d1128487085 \
+    --hash=sha256:7f94b27a62cfad8496c8d2513e1a222dd446f095fca8987fceef261225538a15 \
+    --hash=sha256:88dceee75c2c63af144e456745e10101eb67361050196b0b6af5d717254dddf7 \
+    --hash=sha256:8a650c2dbafa08d42e51ba0b62740dae4ecb9338eefa093aa5c78ceb546fcd5c \
+    --hash=sha256:8d65a2fbf9d2f8352685bc1364177ee3923d6baf5e7f43ea4959d7d8bc326a36 \
+    --hash=sha256:96481a5786729fd470164b47cdb3e0e58062a496f455ee41b4403be77cb5a076 \
+    --hash=sha256:a120733b01c45e9a0c34aeef92bf0cf1d56cfe81ed9d47d562f9ed591a9828ac \
+    --hash=sha256:b1d22e6e9387bf4739fbe23bfa80e93f6b0373a7f1b96c6227c32bef95a4d7a8 \
+    --hash=sha256:b8c198f8c1805dc42708689ed6864951fd2494f924149d3e4bce7710f8eb5232 \
+    --hash=sha256:c2541745709bad0264b7d4705ad453b76ccd191e64aa6f0fc66b69a293a45ece \
+    --hash=sha256:c742f741d58a28940ce01d58f0ab2ea3ced8b12402f162f4d534dfe18ba1cd6a \
+    --hash=sha256:c7f2c7f2b9ca6bdeef8f0fa897f8e05085923eb091721675170254cbc5b02897 \
+    --hash=sha256:d312ef37c91508b0ab2cee7da26ec0b3ed2f03ce12bd87a588d771ae15dcf82d \
+    --hash=sha256:d4d8fe59808a54658fcc0160ecfb1b30f9089906c50b23bcb4c69eddc19ec2b4 \
+    --hash=sha256:da25dc3563bff5965356133435b757a795a17b17d01dbc0f42fb32447ddfd917 \
+    --hash=sha256:eab21f45c7f66c13f2a9e0e1535309cee140182a9cdae1e041d02e47291e8396 \
+    --hash=sha256:eb0dc4e38e6a1fd579e5d50369aa2e10acfc9cace504579b2faabb478e76941a \
+    --hash=sha256:ec9bfaf3ad2df51ace80688143a6a4ebc09a248f6ff781a9945e51937008fcbc \
+    --hash=sha256:ede3e6487c5ef5d28634ba3f31f989030ad6af71edfb0055cbbd14189ff240ba \
+    --hash=sha256:f3c6818a1a86dd6dca7ddcaaf76947d5ba31aecc28cb1b67009a5877c9a64f3f \
+    --hash=sha256:f758f1b9299d059cc3f6546ae2af89670cb1c4d48ea29c3cacc4fe7de3058257 \
+    --hash=sha256:f8f0fc26ec2cc2b965b7a3b87cd19c5c6b8c5e5f436b984e85f486d652285c30 \
+    --hash=sha256:fd0409a3653af6c147209d267a0e4243f0ae46b011aa978b1080359fddc9b6cf \
+    --hash=sha256:ff18e6a727ee0ab0388507b89d1bc6a22b138d1e2fa56d1ad494586d61d2eae9 \
+    --hash=sha256:ff2983983d34813c1aeb0fa89091e76c3a22889ee83ab27c5eeb45100560c049
+    # via hatchling
+trove-classifiers==2026.1.14.14 \
+    --hash=sha256:00492545a1402b09d4858605ba190ea33243d361e2b01c9c296ce06b5c3325f3 \
+    --hash=sha256:1f9553927f18d0513d8e5ff80ab8980b8202ce37ecae0e3274ed2ef11880e74d
+    # via hatchling
@@ -3,12 +3,12 @@
     "src/databricks/labs/ucx/__about__.py": "__version__ = \"$VERSION\""
   },
   "toolchain": {
-    "required": ["python3", "hatch"],
-    "pre_setup": ["hatch env create"],
+    "required": ["make", "uv"],
+    "pre_setup": ["make dev"],
     "prepend_path": ".venv/bin",
     "acceptance_path": "tests/integration",
     "test": [
-      "pytest -n 4 --cov src --cov-report=xml --timeout 30 tests/unit --durations 20"
+      "make test"
     ]
   }
 }
@@ -0,0 +1,46 @@
+name: 'Authenticate for JFrog'
+description: 'Authenticate with JFrog using OIDC based on the GitHub repository.'
+outputs:
+  jfrog-access-token:
+    description: "Access token for JFrog"
+    value: "${{ steps.jfrog-auth.outputs.jfrog-access-token }}"
+runs:
+  using: "composite"
+  steps:
+    - id: jfrog-auth
+      name: Authenticate against JFrog
+      shell: bash
+      run: |
+        "${GITHUB_ACTION_PATH}/jfrog-auth" "${ACTIONS_ID_TOKEN_REQUEST_URL}" "${ACTIONS_ID_TOKEN_REQUEST_TOKEN}"
+    - id: detect-cmds
+      name: Detecting python package/project managers.
+      shell: bash
+      run: |
+        for cmd in pip3 uv
+        do
+          command -v "${cmd}" > /dev/null && found=true || found=false
+          printf '::debug::%s\n' "Found ${cmd}: ${found}"
+          printf '%s=%s\n' "command_${cmd}" "${found}" >> "${GITHUB_OUTPUT}"
+        done
+    - name: Configure pip for JFrog
+      if: "${{ steps.detect-cmds.outputs.command_pip3 == 'true' }}"
+      shell: bash
+      env:
+        JFROG_ACCESS_TOKEN: "${{ steps.jfrog-auth.outputs.jfrog-access-token }}"
+      run: |
+        umask 077
+        cat > "$RUNNER_TEMP/.pip.conf" <<EOF
+        [global]
+        index-url = https://gha-service-account:${JFROG_ACCESS_TOKEN}@databricks.jfrog.io/artifactory/api/pypi/db-pypi/simple
+        EOF
+        printf '%s=%s\n' 'PIP_CONFIG_FILE' "${RUNNER_TEMP}/.pip.conf" >> "${GITHUB_ENV}"
+    - name: Configure uv for JFrog
+      if: "${{ steps.detect-cmds.outputs.command_uv == 'true' }}"
+      shell: bash
+      env:
+        JFROG_ACCESS_TOKEN: "${{ steps.jfrog-auth.outputs.jfrog-access-token }}"
+        UV_INDEX_URL: 'https://databricks.jfrog.io/artifactory/api/pypi/db-pypi/simple'
+      run: |
+        uv auth login "${UV_INDEX_URL}" --username gha-service-account --password "${JFROG_ACCESS_TOKEN}"
+        printf "%s=%s\n" 'UV_INDEX_URL' "${UV_INDEX_URL}" >> "${GITHUB_ENV}"
+        printf "%s=%s\n" 'UV_FROZEN' '1' >> "${GITHUB_ENV}"
@@ -0,0 +1,37 @@
+#!/bin/sh
+#
+# Obtain a JFrog access token, assuming GitHub OIDC.
+#
+set -eu
+
+_request_url="$1"
+_request_token="$2"
+
+#
+# Step 1: Obtain the OIDC identifier token from GitHub.
+#
+printf '::debug::%s\n' "Fetching OIDC identifier token from GitHub..."
+_id_token="$(curl -sLS \
+    -H 'User-Agent: actions/oidc-client' \
+    -H "Authorization: Bearer ${_request_token}" \
+    "${_request_url}&audience=jfrog-github" |
+    jq -r .value)"
+printf '::add-mask::%s\n' "${_id_token}"
+
+#
+# Step 2: Exchange it for the JFrog access token.
+#
+printf '::debug::%s\n' "Exchanging OIDC identifier token for JFrog access token..."
+_access_token=$(curl -sLS \
+    --json "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${_id_token}\", \"provider_name\": \"github-actions\"}" \
+    "https://databricks.jfrog.io/access/api/v1/oidc/token" |
+    jq -r .access_token)
+printf '::add-mask::%s\n' "${_access_token}"
+
+if [ -z "${_access_token}" ] || [ "${_access_token}" = 'null' ]
+then
+    printf '::error::%s\n' "Could not fetch JFrog access token."
+    exit 1
+fi
+
+printf '%s=%s\n' 'jfrog-access-token' "${_access_token}" >> "${GITHUB_OUTPUT}"
@@ -1,10 +1,10 @@
 version: 2
 updates:
-  - package-ecosystem: "pip"
-    directory: "/"
-    schedule:
-      interval: "daily"
-  - package-ecosystem: "github-actions"
+  - package-ecosystem: "uv"
     directory: "/"
+    cooldown:
+      default-days: 7
+      exclude:
+        - "databricks*"
     schedule:
       interval: "daily"
@@ -10,10 +10,7 @@ on:
       - main
 
 permissions:
-  id-token: write
   contents: read
-  issues: write
-  pull-requests: write
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -23,22 +20,29 @@ jobs:
   integration:
     if: github.event_name == 'pull_request' && github.event.pull_request.draft == false
     environment: account-admin
-    runs-on: larger
+    runs-on:
+      group: larger-runners
+      labels: larger
+    permissions:
+      # Access to the integration testing infrastructure and JFrog package resolution.
+      id-token: write
+      # Write test results to the PR.
+      issues: write
+      pull-requests: write
     steps:
       - name: Checkout Code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           fetch-depth: 0
 
-      - name: Install Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
+      - name: Setup uv
+        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098  # v7.3.1
         with:
-          cache: 'pip'
-          cache-dependency-path: '**/pyproject.toml'
-          python-version: '3.10'
+          version: "0.11.2"
+          checksum: "7ac2ca0449c8d68dae9b99e635cd3bc9b22a4cb1de64b7c43716398447d42981"
 
-      - name: Install hatch
-        run: pip install hatch==1.9.4 'click<8.3.0' # https://github.com/pallets/click/issues/3065
+      - name: Setup for JFrog
+        uses: ./.github/actions/jfrog-auth
 
       - name: Fetch relevant branches
         run: |
 
@@ -6,6 +6,9 @@ on:
       - 'v*'
   workflow_dispatch: # Enables manual triggering of the workflow
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build Docusaurus
 
@@ -6,33 +6,36 @@ on:
     - cron: '0 5 * * *'
 
 permissions:
-  id-token: write
-  issues: write
   contents: read
-  pull-requests: read
 
 concurrency:
   group: single-acceptance-job-per-repo
 
 jobs:
   integration:
     environment: account-admin
-    runs-on: larger
+    runs-on:
+      group: larger-runners
+      labels: larger
+    permissions:
+      # Access to the integration testing infrastructure and JFrog package resolution.
+      id-token: write
+      # Create issues for nightly test failures.
+      issues: write
     steps:
       - name: Checkout Code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           fetch-depth: 0
 
-      - name: Install Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
+      - name: Setup uv
+        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098  # v7.3.1
         with:
-          cache: 'pip'
-          cache-dependency-path: '**/pyproject.toml'
-          python-version: '3.10'
+          version: "0.11.2"
+          checksum: "7ac2ca0449c8d68dae9b99e635cd3bc9b22a4cb1de64b7c43716398447d42981"
 
-      - name: Install hatch
-        run: pip install hatch==1.9.4 'click<8.3.0' # https://github.com/pallets/click/issues/3065
+      - name: Setup for JFrog
+        uses: ./.github/actions/jfrog-auth
 
       - name: Run nightly tests
         uses: databrickslabs/sandbox/acceptance@3313d06ce86227537b3f37f5974f7eecb2a8e59a  # acceptance/v0.4.4
 
@@ -10,9 +10,14 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   no-pylint-disable:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databrickslabs-protected-runner-group
+      labels: linux-ubuntu-latest
     if: github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'synchronize')
     steps:
       - name: Checkout
 
@@ -14,12 +14,17 @@ on:
     branches:
       - main
 
-env:
-  HATCH_VERSION: 1.9.4
+permissions:
+  contents: read
 
 jobs:
   ci:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databrickslabs-protected-runner-group
+      labels: linux-ubuntu-latest
+    permissions:
+      # Authenticate with JFrog for package resolution.
+      id-token: write
     strategy:
       fail-fast: false
       matrix:
@@ -30,41 +35,46 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Install Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
+      - name: Setup uv
+        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098  # v7.3.1
         with:
-          cache: 'pip'
-          cache-dependency-path: '**/pyproject.toml'
-          python-version: ${{ matrix.pyVersion }}
+          version: "0.11.2"
+          checksum: "7ac2ca0449c8d68dae9b99e635cd3bc9b22a4cb1de64b7c43716398447d42981"
 
-      - name: Install hatch
-        run: pip install hatch==$HATCH_VERSION 'click<8.3.0' # https://github.com/pallets/click/issues/3065
+      - name: Setup for JFrog
+        uses: ./.github/actions/jfrog-auth
 
       - name: Run unit tests
-        run: hatch run test
+        run: make test
+        env:
+          UV_PYTHON: ${{ matrix.pyVersion }}
 
       - name: Publish test coverage
         uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de  # v5.5.2
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
 
   fmt:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databrickslabs-protected-runner-group
+      labels: linux-ubuntu-latest
+    permissions:
+      # Authenticate with JFrog for package resolution.
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           fetch-depth: 0
 
-      - name: Install Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
+      - name: Setup uv
+        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098  # v7.3.1
         with:
-          cache: 'pip'
-          cache-dependency-path: '**/pyproject.toml'
-          python-version: 3.10.x
+          version: "0.11.2"
+          checksum: "7ac2ca0449c8d68dae9b99e635cd3bc9b22a4cb1de64b7c43716398447d42981"
 
-      - name: Install hatch
-        run: pip install hatch==$HATCH_VERSION 'click<8.3.0' # https://github.com/pallets/click/issues/3065
+      - name: Setup for JFrog
+        uses: ./.github/actions/jfrog-auth
 
       - name: Reformat code
         run: make fmt
Original file line number	Diff line number	Diff line change
`@@ -3,12 +3,12 @@`
`3`	`3`	`"src/databricks/labs/ucx/__about__.py": "__version__ = \"$VERSION\""`
`4`	`4`	`},`
`5`	`5`	`"toolchain": {`
`6`		`- "required": ["python3", "hatch"],`
`7`		`- "pre_setup": ["hatch env create"],`
	`6`	`+ "required": ["make", "uv"],`
	`7`	`+ "pre_setup": ["make dev"],`
`8`	`8`	`"prepend_path": ".venv/bin",`
`9`	`9`	`"acceptance_path": "tests/integration",`
`10`	`10`	`"test": [`
`11`		`- "pytest -n 4 --cov src --cov-report=xml --timeout 30 tests/unit --durations 20"`
	`11`	`+ "make test"`
`12`	`12`	`]`
`13`	`13`	`}`
`14`	`14`	`}`