Add shared setup-jfrog composite action (#4890)

pietern · web-flow · commit 096b29da456f · 2026-04-02T10:33:07.000-07:00
## Summary
- Add `.github/actions/setup-jfrog` composite action that exchanges a
GitHub OIDC token for a JFrog access token and configures Go (GOPROXY)
and Python (UV_INDEX_URL + PIP_INDEX_URL) proxies using URL-embedded
credentials
- Replace the `jfrog/setup-jfrog-cli` third-party action in
`setup-build-environment` with the new action, removing an external
dependency
- Remove the macOS exclusion — all runners now go through JFrog
- Fail early with a clear error if `id-token: write` permission is
missing
- Verify token with an authenticated API call after exchange

## Test plan
- [x] Verify OIDC token exchange works on Linux and macOS runners
- [x] Verify Go and Python proxy URLs are configured correctly

This pull request was AI-assisted by Isaac.
diff --git a/.github/actions/setup-build-environment/action.yml b/.github/actions/setup-build-environment/action.yml
@@ -12,13 +12,8 @@ runs:
     - name: Checkout repository and submodules
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-    - name: Setup JFrog CLI with OIDC
-      if: runner.os != 'macOS'
-      uses: jfrog/setup-jfrog-cli@279b1f629f43dd5bc658d8361ac4802a7ef8d2d5 # v4.9.1
-      env:
-        JF_URL: https://databricks.jfrog.io
-      with:
-        oidc-provider-name: github-actions
+    - name: Setup JFrog
+      uses: ./.github/actions/setup-jfrog
 
     - name: Create cache identifier
       run: echo "${{ inputs.cache-key }}" > cache.txt
@@ -32,14 +27,6 @@ runs:
           go.sum
           cache.txt
 
-    - name: Download Go modules via JFrog
-      if: runner.os != 'macOS'
-      shell: bash
-      run: |
-        jf goc --repo-resolve=db-golang
-        jf go mod download
-        jf go mod download -modfile=tools/go.mod
-
     - name: Setup Python
       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
diff --git a/.github/actions/setup-jfrog/action.yml b/.github/actions/setup-jfrog/action.yml
@@ -0,0 +1,70 @@
+name: 'Setup JFrog'
+description: >-
+  Exchange a GitHub OIDC token for a JFrog access token and configure
+  Go and Python package managers to use the JFrog Artifactory proxy.
+  Requires the calling job to have "permissions: id-token: write".
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Get JFrog OIDC token
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        # Verify that the job has id-token: write permission.
+        if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] || [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
+          echo "::error::OIDC token request URL/token not available. Does this job have 'permissions: id-token: write'?"
+          exit 1
+        fi
+
+        # Exchange GitHub OIDC token for JFrog access token.
+        ID_TOKEN=$(curl -sLS \
+          -H "User-Agent: actions/oidc-client" \
+          -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+          "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq -r .value)
+        echo "::add-mask::${ID_TOKEN}"
+
+        if [ -z "$ID_TOKEN" ] || [ "$ID_TOKEN" = "null" ]; then
+          echo "::error::Failed to obtain GitHub OIDC token."
+          exit 1
+        fi
+
+        ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \
+          "https://databricks.jfrog.io/access/api/v1/oidc/token" \
+          -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq -r .access_token)
+        echo "::add-mask::${ACCESS_TOKEN}"
+
+        if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
+          echo "::error::Failed to exchange GitHub OIDC token for JFrog access token."
+          exit 1
+        fi
+
+        # Verify the token works.
+        HTTP_STATUS=$(curl -sL -o /dev/null -w "%{http_code}" \
+          -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+          "https://databricks.jfrog.io/artifactory/api/system/version")
+        if [ "$HTTP_STATUS" != "200" ]; then
+          echo "::error::JFrog auth check failed (HTTP ${HTTP_STATUS})."
+          exit 1
+        fi
+
+        echo "JFROG_ACCESS_TOKEN=${ACCESS_TOKEN}" >> "$GITHUB_ENV"
+
+    - name: Configure Go to use JFrog proxy
+      shell: bash
+      run: |-
+        set -euo pipefail
+        CREDS="gha-service-account:${JFROG_ACCESS_TOKEN}"
+        echo "::add-mask::${CREDS}"
+        echo "GOPROXY=https://${CREDS}@databricks.jfrog.io/artifactory/api/go/db-golang,direct" >> "$GITHUB_ENV"
+        echo "GONOSUMDB=*" >> "$GITHUB_ENV"
+
+    - name: Configure Python (uv/pip) to use JFrog proxy
+      shell: bash
+      run: |-
+        set -euo pipefail
+        CREDS="gha-service-account:${JFROG_ACCESS_TOKEN}"
+        echo "::add-mask::${CREDS}"
+        echo "UV_INDEX_URL=https://${CREDS}@databricks.jfrog.io/artifactory/api/pypi/db-pypi/simple" >> "$GITHUB_ENV"
+        echo "PIP_INDEX_URL=https://${CREDS}@databricks.jfrog.io/artifactory/api/pypi/db-pypi/simple" >> "$GITHUB_ENV"
