Make tests work on hardened runner (#4875)

## Summary
- Configure JFrog Artifactory as Go module proxy via OIDC for Linux and
Windows runners
- Disable `run-local-node` acceptance test (needs npm registry access
via JFrog)
- Add setup-build-environment to testmask triggers so CI changes test
all targets
- Switch secondary test jobs (aitools, ssh, pipelines) to use custom
runner groups

## Test plan
- [x] Verify `make test` passes on Linux, Windows, macOS
- [x] Verify `test-exp-aitools`, `test-exp-ssh`, `test-pipelines` are
triggered and pass

This pull request was AI-assisted by Isaac.

Author: pietern

.github/actions/setup-build-environment/action.yml

@@ -12,6 +12,14 @@ runs:
     - name: Checkout repository and submodules
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
+    - name: Setup JFrog CLI with OIDC
+      if: runner.os != 'macOS'
+      uses: jfrog/setup-jfrog-cli@279b1f629f43dd5bc658d8361ac4802a7ef8d2d5 # v4.9.1
+      env:
+        JF_URL: https://databricks.jfrog.io
+      with:
+        oidc-provider-name: github-actions
+
     - name: Create cache identifier
       run: echo "${{ inputs.cache-key }}" > cache.txt
       shell: bash
@@ -24,6 +32,14 @@ runs:
           go.sum
           cache.txt
 
+    - name: Download Go modules via JFrog
+      if: runner.os != 'macOS'
+      shell: bash
+      run: |
+        jf goc --repo-resolve=db-golang
+        jf go mod download
+        jf go mod download -modfile=tools/go.mod
+
     - name: Setup Python
       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:

.github/workflows/push.yml

@@ -80,6 +80,10 @@ jobs:
     name: "make test (${{matrix.os.name}}, ${{matrix.deployment}})"
     runs-on: ${{ matrix.os.runner }}
 
+    permissions:
+      id-token: write
+      contents: read
+
     strategy:
       fail-fast: false
       matrix:
@@ -160,17 +164,31 @@ jobs:
 
     # Only run if the target is in the list of targets from testmask
     if: ${{ contains(fromJSON(needs.testmask.outputs.targets), 'test-exp-aitools') }}
-    name: "make test-exp-aitools"
-    runs-on: ${{ matrix.os }}
+    name: "make test-exp-aitools (${{matrix.os.name}})"
+    runs-on: ${{ matrix.os.runner }}
+
+    permissions:
+      id-token: write
+      contents: read
 
     strategy:
       fail-fast: false
       matrix:
         os:
-          - macos-latest
-          - ubuntu-latest
-          # The Windows tests are broken; see https://github.com/databricks/cli/pull/4024.
-          # - windows-latest
+          - name: linux
+            runner:
+              group: databricks-protected-runner-group-large
+              labels: linux-ubuntu-latest-large
+
+          - name: macos
+            runner:
+              labels: macos-latest
+
+        # The Windows tests are broken; see https://github.com/databricks/cli/pull/4024.
+        # - name: windows
+        #   runner:
+        #     group: databricks-protected-runner-group-large
+        #     labels: windows-server-latest-large
 
     steps:
       - name: Checkout repository and submodules
@@ -192,16 +210,30 @@ jobs:
 
     # Only run if the target is in the list of targets from testmask
     if: ${{ contains(fromJSON(needs.testmask.outputs.targets), 'test-exp-ssh') }}
-    name: "make test-exp-ssh"
-    runs-on: ${{ matrix.os }}
+    name: "make test-exp-ssh (${{matrix.os.name}})"
+    runs-on: ${{ matrix.os.runner }}
+
+    permissions:
+      id-token: write
+      contents: read
 
     strategy:
       fail-fast: false
       matrix:
         os:
-          - macos-latest
-          - ubuntu-latest
-          - windows-latest
+          - name: linux
+            runner:
+              group: databricks-protected-runner-group-large
+              labels: linux-ubuntu-latest-large
+
+          - name: windows
+            runner:
+              group: databricks-protected-runner-group-large
+              labels: windows-server-latest-large
+
+          - name: macos
+            runner:
+              labels: macos-latest
 
     steps:
       - name: Checkout repository and submodules
@@ -223,16 +255,30 @@ jobs:
 
     # Only run if the target is in the list of targets from testmask
     if: ${{ contains(fromJSON(needs.testmask.outputs.targets), 'test-pipelines') }}
-    name: "make test-pipelines"
-    runs-on: ${{ matrix.os }}
+    name: "make test-pipelines (${{matrix.os.name}})"
+    runs-on: ${{ matrix.os.runner }}
+
+    permissions:
+      id-token: write
+      contents: read
 
     strategy:
       fail-fast: false
       matrix:
         os:
-          - macos-latest
-          - ubuntu-latest
-          - windows-latest
+          - name: linux
+            runner:
+              group: databricks-protected-runner-group-large
+              labels: linux-ubuntu-latest-large
+
+          - name: windows
+            runner:
+              group: databricks-protected-runner-group-large
+              labels: windows-server-latest-large
+
+          - name: macos
+            runner:
+              labels: macos-latest
 
     steps:
       - name: Checkout repository and submodules

acceptance/cmd/workspace/apps/run-local-node/out.test.toml

@@ -1,5 +1,6 @@
+Badness = "need to enable NPM registry access"
 Cloud = false
-Local = true
+Local = false
 RecordRequests = false
 Timeout = '2m'
 TimeoutWindows = '10m'

acceptance/cmd/workspace/apps/run-local-node/test.toml

@@ -11,34 +11,35 @@ type targetMapping struct {
 	target   string
 }
 
-// goTriggerPatterns lists patterns that trigger all Go-dependent targets.
-var goTriggerPatterns = []string{
+// commonTriggerPatterns lists patterns that trigger all test targets.
+var commonTriggerPatterns = []string{
 	"go.mod",
 	"go.sum",
+	".github/actions/setup-build-environment/",
 }
 
 var fileTargetMappings = []targetMapping{
 	{
-		prefixes: slices.Concat(goTriggerPatterns, []string{
+		prefixes: slices.Concat(commonTriggerPatterns, []string{
 			// Specify files that match targets below and should still trigger the "test" target.
 		}),
 		target: "test",
 	},
 	{
-		prefixes: slices.Concat(goTriggerPatterns, []string{
+		prefixes: slices.Concat(commonTriggerPatterns, []string{
 			"experimental/aitools/",
 		}),
 		target: "test-exp-aitools",
 	},
 	{
-		prefixes: slices.Concat(goTriggerPatterns, []string{
+		prefixes: slices.Concat(commonTriggerPatterns, []string{
 			"experimental/ssh/",
 			"acceptance/ssh/",
 		}),
 		target: "test-exp-ssh",
 	},
 	{
-		prefixes: slices.Concat(goTriggerPatterns, []string{
+		prefixes: slices.Concat(commonTriggerPatterns, []string{
 			"cmd/pipelines/",
 			"acceptance/pipelines/",
 		}),

tools/testmask/targets.go

@@ -61,6 +61,13 @@ func TestGetTargets(t *testing.T) {
 			},
 			targets: []string{"test", "test-exp-aitools", "test-exp-ssh", "test-pipelines"},
 		},
+		{
+			name: "setup_build_environment_triggers_all",
+			files: []string{
+				".github/actions/setup-build-environment/action.yml",
+			},
+			targets: []string{"test", "test-exp-aitools", "test-exp-ssh", "test-pipelines"},
+		},
 		{
 			name:    "empty_files",
 			files:   []string{},