Commit a2a996a

committed
Add shared setup-jfrog composite action
Replace the jfrog/setup-jfrog-cli third-party action and jf CLI commands with a custom composite action that exchanges a GitHub OIDC token for a JFrog access token and configures Go and Python package managers to use the JFrog Artifactory proxy. Co-authored-by: Isaac
1 parent 33d1007 commit a2a996a

2 files changed

+66
-15
lines changed

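--- a/.github/actions/setup-build-environment/action.yml
+++ b/.github/actions/setup-build-environment/action.yml
@@ -12,13 +12,8 @@ runs:
 - name: Checkout repository and submodules
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-- name: Setup JFrog CLI with OIDC
-if: runner.os != 'macOS'
-uses: jfrog/setup-jfrog-cli@279b1f629f43dd5bc658d8361ac4802a7ef8d2d5 # v4.9.1
-env:
-JF_URL: https://databricks.jfrog.io
-with:
-oidc-provider-name: github-actions
+- name: Setup JFrog
+uses: ./.github/actions/setup-jfrog
 
 - name: Create cache identifier
 run: echo "${{ inputs.cache-key }}" > cache.txt
@@ -32,14 +27,6 @@ runs:
 go.sum
 cache.txt
 
-- name: Download Go modules via JFrog
-if: runner.os != 'macOS'
-shell: bash
-run: |
-jf goc --repo-resolve=db-golang
-jf go mod download
-jf go mod download -modfile=tools/go.mod
-
 - name: Setup Python
 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with: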
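Review bot: The replaced step carried `if: runner.os != 'macOS'`, but the new `Setup JFrog` step at new lines 15-16 has no condition, so macOS jobs now run the OIDC exchange and fail hard if it does not succeed. If macOS was excluded because those runners cannot reach databricks.jfrog.io or their jobs lack `id-token: write` (neither is visible here), keep the guard on the new step: `if: runner.os != 'macOS'`. Otherwise a short comment above the step, saying that every caller must now grant `permissions: id-token: write`, would help, since a composite action cannot request that permission itself. The `runs:` block starts and ends outside these hunks.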
Lines changed: 64 additions & 0 deletions
@@ -0,0 +1,64 @@
1+
name: 'Setup JFrog'
2+
description: >-
3+
Exchange a GitHub OIDC token for a JFrog access token and configure
4+
Go and Python package managers to use the JFrog Artifactory proxy.
5+
Requires the calling job to have "permissions: id-token: write".
6+
7+
runs:
8+
using: 'composite'
9+
steps:
10+
- name: Get JFrog OIDC token
11+
shell: bash
12+
run: |
13+
set -euo pipefail
14+
15+
# Verify that the job has id-token: write permission.
16+
if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] || [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
17+
echo "::error::OIDC token request URL/token not available. Does this job have 'permissions: id-token: write'?"
18+
exit 1
19+
fi
20+
21+
# Exchange GitHub OIDC token for JFrog access token.
22+
ID_TOKEN=$(curl -sLS \
23+
-H "User-Agent: actions/oidc-client" \
24+
-H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
25+
"${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq -r .value)
26+
echo "::add-mask::${ID_TOKEN}"
27+
28+
if [ -z "$ID_TOKEN" ] || [ "$ID_TOKEN" = "null" ]; then
29+
echo "::error::Failed to obtain GitHub OIDC token."
30+
exit 1
31+
fi
32+
33+
ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \
34+
"https://databricks.jfrog.io/access/api/v1/oidc/token" \
35+
-d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq -r .access_token)
36+
echo "::add-mask::${ACCESS_TOKEN}"
37+
38+
if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
39+
echo "::error::Failed to exchange GitHub OIDC token for JFrog access token."
40+
exit 1
41+
fi
42+
43+
echo "JFROG_ACCESS_TOKEN=${ACCESS_TOKEN}" >> "$GITHUB_ENV"
44+
45+
- name: Configure Go to use JFrog proxy
46+
shell: bash
47+
run: |
48+
set -euo pipefail
49+
echo "GOPROXY=https://databricks.jfrog.io/artifactory/api/go/db-golang,direct" >> "$GITHUB_ENV"
50+
echo "GONOSUMDB=*" >> "$GITHUB_ENV"
51+
cat > ~/.netrc <<EOF
52+
machine databricks.jfrog.io
53+
login gha-service-account
54+
password ${JFROG_ACCESS_TOKEN}
55+
EOF
56+
chmod 600 ~/.netrc
57+
58+
- name: Configure Python (uv/pip) to use JFrog proxy
59+
shell: bash
60+
run: |-
61+
set -euo pipefail
62+
echo "::add-mask::gha-service-account:${JFROG_ACCESS_TOKEN}"
63+
echo "UV_INDEX_URL=https://gha-service-account:${JFROG_ACCESS_TOKEN}@databricks.jfrog.io/artifactory/api/pypi/db-pypi/simple" >> "$GITHUB_ENV"
64+
echo "PIP_INDEX_URL=https://gha-service-account:${JFROG_ACCESS_TOKEN}@databricks.jfrog.io/artifactory/api/pypi/db-pypi/simple" >> "$GITHUB_ENV"
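Review bot: `GONOSUMDB=*` on new line 50 disables checksum-database verification for every module path rather than only private ones, while `GOPROXY` on line 49 still ends in `,direct`, so a module the proxy answers 404 or 410 for is fetched from its origin. Modules pinned in `go.sum` are still checked, but anything resolved outside it (for example a `go install pkg@version` in a later step) would get no integrity check. If the goal is only to keep private module paths away from the public checksum database, narrow the pattern, e.g. `echo "GONOSUMDB=<private-module-prefix>" >> "$GITHUB_ENV"` (placeholder prefix), and consider dropping `,direct`. Separately, `JFROG_ACCESS_TOKEN` and the credential-bearing `UV_INDEX_URL`/`PIP_INDEX_URL` go into `$GITHUB_ENV` and so reach every later step of the calling job, including third-party actions; a comment on line 43 saying so, along with the token's expected lifetime, would help callers.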
