Commit 516bc2d

Configure JFrog PyPI proxy for python-wheel job
The hardened runner can't reach pypi.org directly. Use OIDC token exchange to get a JFrog access token and set UV_INDEX_URL to route uv through the JFrog PyPI proxy (db-pypi). Co-authored-by: Isaac
1 parent 9020032 commit 516bc2d

1 file changed

Lines changed: 28 additions & 0 deletions

.github/workflows/release-build.yml

@@ -128,13 +128,41 @@ jobs:
128128
group: databricks-deco-testing-runner-group
129129
labels: ubuntu-latest-deco
130130

131+
permissions:
132+
id-token: write
133+
contents: read
134+
131135
steps:
132136
- name: Checkout repository
133137
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
134138
with:
135139
fetch-depth: 0
136140
fetch-tags: true
137141

142+
- name: Get JFrog OIDC token
143+
run: |
144+
set -euo pipefail
145+
# Exchange GitHub OIDC token for JFrog access token.
146+
# Reference: https://docs.google.com/document/d/1zoHgolfZO_IUBIU3w40NmYsoZ9eTRdAmjlfwYOxkj70
147+
ID_TOKEN=$(curl -sLS \
148+
-H "User-Agent: actions/oidc-client" \
149+
-H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
150+
"${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq -r .value)
151+
echo "::add-mask::${ID_TOKEN}"
152+
ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \
153+
"https://databricks.jfrog.io/access/api/v1/oidc/token" \
154+
-d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq -r .access_token)
155+
echo "::add-mask::${ACCESS_TOKEN}"
156+
if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
157+
echo "FAIL: Could not extract JFrog access token"
158+
exit 1
159+
fi
160+
echo "JFROG_ACCESS_TOKEN=${ACCESS_TOKEN}" >> "$GITHUB_ENV"
161+
162+
- name: Configure uv to use JFrog PyPI proxy
163+
run: |
164+
echo "UV_INDEX_URL=https://gha-service-account:${JFROG_ACCESS_TOKEN}@databricks.jfrog.io/artifactory/api/pypi/db-pypi/simple" >> "$GITHUB_ENV"
165+
138166
- name: Install uv
139167
uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
140168
with:
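
Review bot: In the "Configure uv to use JFrog PyPI proxy" step, the JFrog access token is embedded in the URL written to UV_INDEX_URL and, like JFROG_ACCESS_TOKEN in the step before it, exported through "$GITHUB_ENV", so every later step in the job, including the astral-sh/setup-uv action, receives the credential in its environment. Consider scoping the token with `env:` on only the steps that invoke uv instead of publishing it job-wide. In the "Get JFrog OIDC token" step, ID_TOKEN is never checked for empty or "null" before it is posted to JFrog, and both curl calls use `-sLS` without `--fail`, so an HTTP error response from either endpoint still exits 0 and is only caught indirectly by the later ACCESS_TOKEN check. Adding `--fail` to both calls and a check on ID_TOKEN that mirrors the existing ACCESS_TOKEN check would make the step fail at the request that actually went wrong.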
