Move JFrog proxy setup to shared setup-build-environment action

pietern · pietern · commit eacae041130c · 2026-04-01T11:14:16.000+02:00
This ensures all test jobs that use the shared action get the
JFrog Go module proxy configured on hardened runners.

Co-authored-by: Isaac
diff --git a/.github/actions/setup-build-environment/action.yml b/.github/actions/setup-build-environment/action.yml
@@ -12,6 +12,14 @@ runs:
     - name: Checkout repository and submodules
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
+    - name: Setup JFrog CLI with OIDC
+      if: runner.os != 'macOS'
+      uses: jfrog/setup-jfrog-cli@279b1f629f43dd5bc658d8361ac4802a7ef8d2d5 # v4.9.1
+      env:
+        JF_URL: https://databricks.jfrog.io
+      with:
+        oidc-provider-name: github-actions
+
     - name: Create cache identifier
       run: echo "${{ inputs.cache-key }}" > cache.txt
       shell: bash
@@ -24,6 +32,14 @@ runs:
           go.sum
           cache.txt
 
+    - name: Download Go modules via JFrog
+      if: runner.os != 'macOS'
+      shell: bash
+      run: |
+        jf goc --repo-resolve=db-golang
+        jf go mod download
+        jf go mod download -modfile=tools/go.mod
+
     - name: Setup Python
       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
@@ -125,27 +125,11 @@ jobs:
       - name: Checkout repository and submodules
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: Setup JFrog CLI with OIDC
-        if: matrix.os.name != 'macos'
-        uses: jfrog/setup-jfrog-cli@279b1f629f43dd5bc658d8361ac4802a7ef8d2d5 # v4.9.1
-        env:
-          JF_URL: https://databricks.jfrog.io
-        with:
-          oidc-provider-name: github-actions
-
       - name: Setup build environment
         uses: ./.github/actions/setup-build-environment
         with:
           cache-key: test-${{ matrix.deployment }}
 
-      - name: Download Go modules via JFrog
-        if: matrix.os.name != 'macos'
-        shell: bash
-        run: |
-          jf goc --repo-resolve=db-golang
-          jf go mod download
-          jf go mod download -modfile=tools/go.mod
-
       - name: Run tests without coverage
         # We run tests without coverage on PR, merge_group, and schedule because we don't make use of coverage information
         # and would like to run the tests as fast as possible. We run it on schedule as well, because that is what
@@ -183,6 +167,10 @@ jobs:
     name: "make test-exp-aitools"
     runs-on: ${{ matrix.os }}
 
+    permissions:
+      id-token: write
+      contents: read
+
     strategy:
       fail-fast: false
       matrix:
@@ -215,6 +203,10 @@ jobs:
     name: "make test-exp-ssh"
     runs-on: ${{ matrix.os }}
 
+    permissions:
+      id-token: write
+      contents: read
+
     strategy:
       fail-fast: false
       matrix:
@@ -246,6 +238,10 @@ jobs:
     name: "make test-pipelines"
     runs-on: ${{ matrix.os }}
 
+    permissions:
+      id-token: write
+      contents: read
+
     strategy:
       fail-fast: false
       matrix:
