Refactor pip/JFrog integration during CI/CD#4804
Merged
Conversation
This means the secret isn't embedded (and potentially exposed) by being present in the URL for the mirror, a value that isn't always handled carefully. Given that uv also supports netrc-based authentication, consolidating in this way is cleaner.
asnare
added
github_actions
4 tasks
|
✅ 2/2 passed, 20s total Running from acceptance #8986 |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #4804 +/- ##
==========================================
- Coverage 87.95% 87.77% -0.18%
==========================================
Files 123 123
Lines 17570 17569 -1
Branches 3714 3713 -1
==========================================
- Hits 15453 15422 -31
- Misses 1425 1458 +33
+ Partials 692 689 -3 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
github-merge-queue
Bot
removed this pull request from the merge queue due to failed status checks
github-merge-queue
Bot
removed this pull request from the merge queue due to failed status checks
FastLee
added a commit
that referenced
this pull request
Apr 29, 2026
Per asnare's review on #4803, the prior helper emulated pip's config-file loading and assumed env vars (PIP_INDEX_URL, UV_INDEX_URL) that aren't set in either dev or CI. Shell out to `pip config get global.index-url` instead and fall back to public PyPI when no mirror is configured. After #4804 the JFrog URL no longer carries credentials, so embedding it in the notebook fixture is safe. Co-authored-by: Isaac
FastLee
added a commit
that referenced
this pull request
Apr 29, 2026
Per asnare's review on #4803, the prior helper emulated pip's config-file loading and assumed env vars (PIP_INDEX_URL, UV_INDEX_URL) that aren't set in either dev or CI. Shell out to `pip config get global.index-url` instead and fall back to public PyPI when no mirror is configured. After #4804 the JFrog URL no longer carries credentials, so embedding it in the notebook fixture is safe. Co-authored-by: Isaac
a0x8o
pushed a commit
to alexxx-db/ucx
that referenced
this pull request
May 3, 2026
## Summary Three previously-failing integration tests, plus a CI fix for a coverage-config issue that was masking the runner's exit status. ### Test fixes - **`test_build_notebook_dependency_graphs_installs_pytest_from_index_url`** (and its installed-twice sibling) — generate the notebook fixture at test time using whichever pip mirror is configured locally. The helper shells out to `python -m pip config list` (not `pip config get`, because `get` only inspects `user`/`global`/`site` scopes and ignores the `env` scope that `PIP_CONFIG_FILE` loads as) and parses the `global.index-url='...'` line. Falls back to public PyPI when no mirror is configured. The same test now exercises the JFrog mirror in CI and the dev proxy locally without any environment knowledge baked into the test code. Depends on databrickslabs#4804 keeping the JFrog URL credential-free. - **`test_installation_when_dashboard_id_is_invalid`** — skipped; it exercises a deprecated dashboard API, matching the existing skip on line 185 of the same file. - **`test_create_account_level_groups_nested_groups`** — scoped the final assertion to the 4 groups the test actually creates, instead of asserting a global "no mismatches anywhere" log line that gets polluted by stale UCX groups left in the shared workspace by earlier runs. ### CI: pin `COVERAGE_RCFILE` The integration job was failing with `failed: trigger: run: unknown: exit status 3` even when zero tests failed. Root cause: the `databrickslabs/sandbox/acceptance` wrapper invokes pytest in multiple per-directory sessions, and coverage.py walks up from CWD looking for config. At least one CWD wasn't surfacing the project's `pyproject.toml`, so coverage fell back to defaults (`branch=false`) and wrote line data while sibling sessions wrote arc data. The final session's `cov.combine()` then raised `Can't combine arc data with line data`. Setting `COVERAGE_RCFILE: ${{ github.workspace }}/pyproject.toml` forces every session to read the same `[tool.coverage.run]` config regardless of CWD. ## Test plan - [x] `make fmt` (black, ruff, mypy, pylint 10.00/10) - [x] `make test` (2011 passed, coverage 89.83%) - [x] `labs test-one` for each of the three originally-failing integration tests - [x] CI integration job green (76 ✅ / 0 ❌ / 11 ⏭️, all 11 pytest sessions exit 0) --------- Co-authored-by: Andrew Snare <andrew.snare@databricks.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Changes
The purpose of this PR is to adjust the way pip is configured to use JFrog during CI/CD: in particular the username/password are no longer embedded in the URL of the mirror but are instead stored separately in a
.netrcfile. This is necessary because the mirror URL isn't always handled carefully and can easily be exposed.Further to the above:
uvhas been adjusted to use the same.netrcmechanism, which is slightly cleaner.jfrog-authaction has been synced with the latest version we have.Because the rest of the action has been synced, the commit to review is really a07085e.
Linked issues
Relates #4803.
Tests