Replace jfrog/setup-jfrog-cli with OIDC token exchange in goreleaser job #10
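name: release-build

on:
  push:
    tags:
      - "v*"
    branches:
      - "main"
      - "split-release-workflows"
  workflow_dispatch:

jobs:
  # Builds and signs the release binaries. The `sign` environment holds the
  # signing secrets; `id-token: write` is needed for the OIDC exchange below.
  goreleaser:
    environment: sign
    runs-on:
      group: databricks-deco-testing-runner-group
      labels: ubuntu-latest-deco
    permissions:
      id-token: write
      contents: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          fetch-tags: true

      - name: Get JFrog OIDC token
        run: |
          set -euo pipefail
          # Exchange GitHub OIDC token for JFrog access token.
          ID_TOKEN=$(curl -sLS \
            -H "User-Agent: actions/oidc-client" \
            -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
            "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq -r .value)
          echo "::add-mask::${ID_TOKEN}"
          # Fail here, with a clear message, rather than sending "null" to JFrog.
          if [ -z "$ID_TOKEN" ] || [ "$ID_TOKEN" = "null" ]; then
            echo "FAIL: Could not obtain GitHub OIDC token"
            exit 1
          fi
          ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \
            "https://databricks.jfrog.io/access/api/v1/oidc/token" \
            -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq -r .access_token)
          echo "::add-mask::${ACCESS_TOKEN}"
          if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
            echo "FAIL: Could not extract JFrog access token"
            exit 1
          fi
          echo "JFROG_ACCESS_TOKEN=${ACCESS_TOKEN}" >> "$GITHUB_ENV"

      - name: Configure Go to use JFrog proxy
        run: |
          set -euo pipefail
          # The ",direct" fallback lets Go fetch from upstream when the proxy
          # does not serve a module; drop it if every fetch must go through
          # Artifactory.
          echo "GOPROXY=https://databricks.jfrog.io/artifactory/api/go/db-golang,direct" >> "$GITHUB_ENV"
          # GONOSUMDB=* disables checksum-database lookups for all modules;
          # modules already listed in go.sum are still pinned by it.
          echo "GONOSUMDB=*" >> "$GITHUB_ENV"
          # Restrict the umask first so the credentials file is never readable
          # by others, even briefly, before the chmod below.
          umask 077
          cat > ~/.netrc << EOF
          machine databricks.jfrog.io
          login gha-service-account
          password ${JFROG_ACCESS_TOKEN}
          EOF
          chmod 600 ~/.netrc

      - name: Setup Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: go.mod
          cache-dependency-path: |
            go.sum
            .goreleaser-release.yaml

      - name: Download Go modules
        run: go mod download

      - name: Setup Java
        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
        with:
          distribution: temurin
          java-version: '21'

      # jsign 7.4 from https://github.com/ebourg/jsign/releases/tag/7.4
      # The download is pinned to a SHA-256 digest; a mismatch fails the step.
      - name: Download and verify jsign
        run: |
          curl -sfL -o "$RUNNER_TEMP/jsign.jar" \
            https://github.com/ebourg/jsign/releases/download/7.4/jsign-7.4.jar
          echo "2abf2ade9ea322acc2d60c24794eadc465ff9380938fca4c932d09e0b25f1c28 $RUNNER_TEMP/jsign.jar" | sha256sum -c -
          echo "JSIGN_JAR=$RUNNER_TEMP/jsign.jar" >> "$GITHUB_ENV"

      - name: Get Azure Key Vault access token
        # Secrets are passed through `env` instead of being interpolated into
        # the script body, so they are not written into the generated step
        # script on the runner.
        env:
          AZURE_TENANT_ID: ${{ secrets.DECO_SIGN_AZURE_TENANT_ID }}
          AZURE_CLIENT_ID: ${{ secrets.DECO_SIGN_AZURE_CLIENT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.DECO_SIGN_AZURE_CLIENT_SECRET }}
        run: |
          set -euo pipefail
          # The form body is fed to curl on stdin (-d @-) so the client secret
          # does not appear in the process argument list.
          TOKEN=$(printf 'client_id=%s&client_secret=%s&scope=%s&grant_type=client_credentials' \
              "$AZURE_CLIENT_ID" "$AZURE_CLIENT_SECRET" "https://vault.azure.net/.default" \
            | curl -sf -X POST \
                -H "Content-Type: application/x-www-form-urlencoded" \
                "https://login.microsoftonline.com/${AZURE_TENANT_ID}/oauth2/v2.0/token" \
                -d @- | jq -r '.access_token')
          echo "::add-mask::$TOKEN"
          # Same guard as the JFrog step: an empty or "null" token must not be
          # exported for the signing step to fail on later.
          if [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ]; then
            echo "FAIL: Could not extract Azure Key Vault access token"
            exit 1
          fi
          echo "AZURE_VAULT_TOKEN=$TOKEN" >> "$GITHUB_ENV"

      - name: Hide snapshot tag to outsmart GoReleaser
        run: git tag -d snapshot || true

      # Use --snapshot for branch builds (non-tag refs).
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
        with:
          version: ~> v2
          args: release -f .goreleaser-release.yaml --skip=publish,docker ${{ !startsWith(github.ref, 'refs/tags/') && '--snapshot' || '' }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Verify Windows binary signatures
        run: |
          # Extracts each Authenticode signature and prints its certificate
          # chain to the build log. NOTE(review): this shows who signed the
          # binary but does not cryptographically validate the signature
          # against a trust store. If no windows_* build exists, the literal
          # glob makes jsign fail, which surfaces the missing build.
          for exe in dist/windows_*/databricks.exe; do
            echo "=== $exe ==="
            java -jar "$JSIGN_JAR" extract --format PEM "$exe"
            openssl pkcs7 -in "${exe}.sig.pem" -inform PEM -print_certs -text -noout
            rm "${exe}.sig.pem"
            echo
          done

      - name: Upload artifacts
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: release-artifacts
          path: |
            dist/*.zip
            dist/*.tar.gz
            dist/*SHA256SUMS*

      # For snapshot builds on main: update the snapshot tag and release.
      - name: Update snapshot tag
        if: github.ref == 'refs/heads/main'
        run: |
          git tag snapshot
          git push origin snapshot --force

      - name: Update snapshot release
        if: github.ref == 'refs/heads/main'
        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
        with:
          name: Snapshot
          prerelease: true
          tag_name: snapshot
          token: ${{ secrets.GITHUB_TOKEN }}
          files: |-
            dist/databricks_cli_*.zip
            dist/databricks_cli_*.tar.gz

  # Builds the Python wheel through the JFrog PyPI proxy. Read-only contents
  # permission; `id-token: write` is needed only for the OIDC exchange.
  python-wheel:
    runs-on:
      group: databricks-deco-testing-runner-group
      labels: ubuntu-latest-deco
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          fetch-tags: true

      # Same exchange as in the goreleaser job; workflows cannot share steps
      # via YAML anchors, so the script is duplicated verbatim.
      - name: Get JFrog OIDC token
        run: |
          set -euo pipefail
          # Exchange GitHub OIDC token for JFrog access token.
          ID_TOKEN=$(curl -sLS \
            -H "User-Agent: actions/oidc-client" \
            -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
            "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq -r .value)
          echo "::add-mask::${ID_TOKEN}"
          # Fail here, with a clear message, rather than sending "null" to JFrog.
          if [ -z "$ID_TOKEN" ] || [ "$ID_TOKEN" = "null" ]; then
            echo "FAIL: Could not obtain GitHub OIDC token"
            exit 1
          fi
          ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \
            "https://databricks.jfrog.io/access/api/v1/oidc/token" \
            -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq -r .access_token)
          echo "::add-mask::${ACCESS_TOKEN}"
          if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
            echo "FAIL: Could not extract JFrog access token"
            exit 1
          fi
          echo "JFROG_ACCESS_TOKEN=${ACCESS_TOKEN}" >> "$GITHUB_ENV"

      - name: Configure uv to use JFrog PyPI proxy
        run: |
          set -euo pipefail
          # The token is embedded in the index URL; it is already masked above,
          # so any uv error output that echoes the URL shows it as ***.
          echo "UV_INDEX_URL=https://gha-service-account:${JFROG_ACCESS_TOKEN}@databricks.jfrog.io/artifactory/api/pypi/db-pypi/simple" >> "$GITHUB_ENV"

      - name: Install uv
        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
        with:
          version: "0.6.5"

      - name: Build wheel
        working-directory: python
        run: make build

      - name: Upload Python wheel
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: python-wheel
          path: python/dist/*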