Replace jfrog/setup-jfrog-cli with OIDC token exchange in goreleaser job

pietern · pietern · commit a0296ffa253f · 2026-04-02T09:55:15.000+02:00
Use the same JFrog OIDC token acquisition as python-wheel. Configure
Go via GOPROXY and .netrc instead of jf CLI. This removes the
dependency on the jfrog GitHub action.

Co-authored-by: Isaac
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
@@ -28,12 +28,35 @@ jobs:
           fetch-depth: 0
           fetch-tags: true
 
-      - name: Setup JFrog CLI with OIDC
-        uses: jfrog/setup-jfrog-cli@279b1f629f43dd5bc658d8361ac4802a7ef8d2d5 # v4.9.1
-        env:
-          JF_URL: https://databricks.jfrog.io
-        with:
-          oidc-provider-name: github-actions
+      - name: Get JFrog OIDC token
+        run: |
+          set -euo pipefail
+          # Exchange GitHub OIDC token for JFrog access token.
+          ID_TOKEN=$(curl -sLS \
+            -H "User-Agent: actions/oidc-client" \
+            -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+            "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq -r .value)
+          echo "::add-mask::${ID_TOKEN}"
+          ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \
+            "https://databricks.jfrog.io/access/api/v1/oidc/token" \
+            -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq -r .access_token)
+          echo "::add-mask::${ACCESS_TOKEN}"
+          if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
+            echo "FAIL: Could not extract JFrog access token"
+            exit 1
+          fi
+          echo "JFROG_ACCESS_TOKEN=${ACCESS_TOKEN}" >> "$GITHUB_ENV"
+
+      - name: Configure Go to use JFrog proxy
+        run: |
+          echo "GOPROXY=https://databricks.jfrog.io/artifactory/api/go/db-golang,direct" >> "$GITHUB_ENV"
+          echo "GONOSUMDB=*" >> "$GITHUB_ENV"
+          cat > ~/.netrc << EOF
+          machine databricks.jfrog.io
+          login gha-service-account
+          password ${JFROG_ACCESS_TOKEN}
+          EOF
+          chmod 600 ~/.netrc
 
       - name: Setup Go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
@@ -43,10 +66,8 @@ jobs:
             go.sum
             .goreleaser-release.yaml
 
-      - name: Download Go modules via JFrog
-        run: |
-          jf goc --repo-resolve=db-golang
-          jf go mod download
+      - name: Download Go modules
+        run: go mod download
 
       - name: Setup Java
         uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
