Use setup-jfrog composite action and protected runner group

pietern · pietern · commit e5dcda59cb1f · 2026-04-02T19:55:34.000+02:00
Replace inline JFrog OIDC token exchange with the shared
.github/actions/setup-jfrog composite action in both jobs.
Switch to databricks-protected-runner-group-large runner group.

Co-authored-by: Isaac
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
@@ -16,8 +16,8 @@ jobs:
       name: sign
       deployment: false
     runs-on:
-      group: databricks-deco-testing-runner-group
-      labels: ubuntu-latest-deco
+      group: databricks-protected-runner-group-large
+      labels: linux-ubuntu-latest-large
 
     permissions:
       id-token: write
@@ -30,35 +30,8 @@ jobs:
           fetch-depth: 0
           fetch-tags: true
 
-      - name: Get JFrog OIDC token
-        run: |
-          set -euo pipefail
-          # Exchange GitHub OIDC token for JFrog access token.
-          ID_TOKEN=$(curl -sLS \
-            -H "User-Agent: actions/oidc-client" \
-            -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
-            "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq -r .value)
-          echo "::add-mask::${ID_TOKEN}"
-          ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \
-            "https://databricks.jfrog.io/access/api/v1/oidc/token" \
-            -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq -r .access_token)
-          echo "::add-mask::${ACCESS_TOKEN}"
-          if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
-            echo "FAIL: Could not extract JFrog access token"
-            exit 1
-          fi
-          echo "JFROG_ACCESS_TOKEN=${ACCESS_TOKEN}" >> "$GITHUB_ENV"
-
-      - name: Configure Go to use JFrog proxy
-        run: |
-          echo "GOPROXY=https://databricks.jfrog.io/artifactory/api/go/db-golang,direct" >> "$GITHUB_ENV"
-          echo "GONOSUMDB=*" >> "$GITHUB_ENV"
-          cat > ~/.netrc << EOF
-          machine databricks.jfrog.io
-          login gha-service-account
-          password ${JFROG_ACCESS_TOKEN}
-          EOF
-          chmod 600 ~/.netrc
+      - name: Setup JFrog
+        uses: ./.github/actions/setup-jfrog
 
       - name: Setup Go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
@@ -148,8 +121,8 @@ jobs:
 
   python-wheel:
     runs-on:
-      group: databricks-deco-testing-runner-group
-      labels: ubuntu-latest-deco
+      group: databricks-protected-runner-group-large
+      labels: linux-ubuntu-latest-large
 
     permissions:
       id-token: write
@@ -162,28 +135,8 @@ jobs:
           fetch-depth: 0
           fetch-tags: true
 
-      - name: Get JFrog OIDC token
-        run: |
-          set -euo pipefail
-          # Exchange GitHub OIDC token for JFrog access token.
-          ID_TOKEN=$(curl -sLS \
-            -H "User-Agent: actions/oidc-client" \
-            -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
-            "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq -r .value)
-          echo "::add-mask::${ID_TOKEN}"
-          ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \
-            "https://databricks.jfrog.io/access/api/v1/oidc/token" \
-            -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq -r .access_token)
-          echo "::add-mask::${ACCESS_TOKEN}"
-          if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
-            echo "FAIL: Could not extract JFrog access token"
-            exit 1
-          fi
-          echo "JFROG_ACCESS_TOKEN=${ACCESS_TOKEN}" >> "$GITHUB_ENV"
-
-      - name: Configure uv to use JFrog PyPI proxy
-        run: |
-          echo "UV_INDEX_URL=https://gha-service-account:${JFROG_ACCESS_TOKEN}@databricks.jfrog.io/artifactory/api/pypi/db-pypi/simple" >> "$GITHUB_ENV"
+      - name: Setup JFrog
+        uses: ./.github/actions/setup-jfrog
 
       - name: Install uv
         uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
