Add shared setup-jfrog composite action

pietern · pietern · commit a2a996a3b43f · 2026-04-02T15:17:16.000+02:00
Replace the jfrog/setup-jfrog-cli third-party action and jf CLI
commands with a custom composite action that exchanges a GitHub
OIDC token for a JFrog access token and configures Go and Python
package managers to use the JFrog Artifactory proxy.

Co-authored-by: Isaac
diff --git a/.github/actions/setup-build-environment/action.yml b/.github/actions/setup-build-environment/action.yml
@@ -12,13 +12,8 @@ runs:
     - name: Checkout repository and submodules
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-    - name: Setup JFrog CLI with OIDC
-      if: runner.os != 'macOS'
-      uses: jfrog/setup-jfrog-cli@279b1f629f43dd5bc658d8361ac4802a7ef8d2d5 # v4.9.1
-      env:
-        JF_URL: https://databricks.jfrog.io
-      with:
-        oidc-provider-name: github-actions
+    - name: Setup JFrog
+      uses: ./.github/actions/setup-jfrog
 
     - name: Create cache identifier
       run: echo "${{ inputs.cache-key }}" > cache.txt
@@ -32,14 +27,6 @@ runs:
           go.sum
           cache.txt
 
-    - name: Download Go modules via JFrog
-      if: runner.os != 'macOS'
-      shell: bash
-      run: |
-        jf goc --repo-resolve=db-golang
-        jf go mod download
-        jf go mod download -modfile=tools/go.mod
-
     - name: Setup Python
       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
diff --git a/.github/actions/setup-jfrog/action.yml b/.github/actions/setup-jfrog/action.yml
@@ -0,0 +1,64 @@
+name: 'Setup JFrog'
+description: >-
+  Exchange a GitHub OIDC token for a JFrog access token and configure
+  Go and Python package managers to use the JFrog Artifactory proxy.
+  Requires the calling job to have "permissions: id-token: write".
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Get JFrog OIDC token
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        # Verify that the job has id-token: write permission.
+        if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] || [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
+          echo "::error::OIDC token request URL/token not available. Does this job have 'permissions: id-token: write'?"
+          exit 1
+        fi
+
+        # Exchange GitHub OIDC token for JFrog access token.
+        ID_TOKEN=$(curl -sLS \
+          -H "User-Agent: actions/oidc-client" \
+          -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+          "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq -r .value)
+        echo "::add-mask::${ID_TOKEN}"
+
+        if [ -z "$ID_TOKEN" ] || [ "$ID_TOKEN" = "null" ]; then
+          echo "::error::Failed to obtain GitHub OIDC token."
+          exit 1
+        fi
+
+        ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \
+          "https://databricks.jfrog.io/access/api/v1/oidc/token" \
+          -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq -r .access_token)
+        echo "::add-mask::${ACCESS_TOKEN}"
+
+        if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
+          echo "::error::Failed to exchange GitHub OIDC token for JFrog access token."
+          exit 1
+        fi
+
+        echo "JFROG_ACCESS_TOKEN=${ACCESS_TOKEN}" >> "$GITHUB_ENV"
+
+    - name: Configure Go to use JFrog proxy
+      shell: bash
+      run: |
+        set -euo pipefail
+        echo "GOPROXY=https://databricks.jfrog.io/artifactory/api/go/db-golang,direct" >> "$GITHUB_ENV"
+        echo "GONOSUMDB=*" >> "$GITHUB_ENV"
+        cat > ~/.netrc <<EOF
+        machine databricks.jfrog.io
+        login gha-service-account
+        password ${JFROG_ACCESS_TOKEN}
+        EOF
+        chmod 600 ~/.netrc
+
+    - name: Configure Python (uv/pip) to use JFrog proxy
+      shell: bash
+      run: |-
+        set -euo pipefail
+        echo "::add-mask::gha-service-account:${JFROG_ACCESS_TOKEN}"
+        echo "UV_INDEX_URL=https://gha-service-account:${JFROG_ACCESS_TOKEN}@databricks.jfrog.io/artifactory/api/pypi/db-pypi/simple" >> "$GITHUB_ENV"
+        echo "PIP_INDEX_URL=https://gha-service-account:${JFROG_ACCESS_TOKEN}@databricks.jfrog.io/artifactory/api/pypi/db-pypi/simple" >> "$GITHUB_ENV"
