Merge main, extract reusable ExtractHostQueryParams

Resolve merge conflicts with origin/main (discovery login flow).
Extract host URL query param parsing into libs/auth.ExtractHostQueryParams
so it can be reused by the bundle SPOG support PR (#4825).

Co-authored-by: Isaac

Author: simonfaltum

.github/dependabot.yml

@@ -4,6 +4,9 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    ignore:
+      # Ignore Databricks Go SDK because its upgrade requires code generation
+      - dependency-name: github.com/databricks/databricks-sdk-go
   - package-ecosystem: "gomod"
     directory: "/tools"
     schedule:
@@ -15,7 +18,9 @@ updates:
       - "/.github/actions/setup-build-environment"
     schedule:
       interval: "monthly"
+    cooldown:
+      default-days: 7
     # tagging.yml is generated and maintained externally. Ignore
     # actions/create-github-app-token since it is only used in tagging.yml.
-    ignore:
-      - dependency-name: "actions/create-github-app-token"
+    exclude-paths:
+      - .github/workflows/tagging.yml

.github/workflows/push.yml

@@ -422,7 +422,7 @@ jobs:
       # Use Checks API (not Statuses API) to match the required "Integration Tests" check.
       - name: Skip integration tests (pull request)
         if: ${{ github.event_name == 'pull_request' && !contains(fromJSON(needs.testmask.outputs.targets), 'test') && !contains(fromJSON(needs.testmask.outputs.targets), 'test-exp-ssh') }}
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ steps.generate-check-token.outputs.token }}
           script: |
@@ -443,7 +443,7 @@ jobs:
       # Use Checks API (not Statuses API) to match the required "Integration Tests" check.
       - name: Auto-approve for merge group
         if: ${{ github.event_name == 'merge_group' }}
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ steps.generate-check-token.outputs.token }}
           script: |
@@ -487,7 +487,7 @@ jobs:
 
     steps:
       - name: Skip integration tests
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |-
             await github.rest.checks.create({

.github/workflows/release.yml

@@ -115,7 +115,7 @@ jobs:
           AZURE_CLIENT_SECRET: ${{ secrets.DECO_SIGN_AZURE_CLIENT_SECRET }}
 
       - name: Upload Windows artifacts to GitHub Actions
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: windows-artifacts
           path: |
@@ -135,7 +135,7 @@ jobs:
 
     steps:
       - name: Download Windows artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: windows-artifacts
           path: dist

.github/workflows/tagging.yml

@@ -34,13 +34,13 @@ jobs:
     steps:
       - name: Generate GitHub App Token
         id: generate-token
-        uses: actions/create-github-app-token@v3
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
         with:
           app-id: ${{ secrets.DECO_SDK_TAGGING_APP_ID }}
           private-key: ${{ secrets.DECO_SDK_TAGGING_PRIVATE_KEY }}
 
       - name: Checkout repository
-        uses: actions/checkout@v6.0.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
           token: ${{ steps.generate-token.outputs.token }}

acceptance/bin/discovery_browser.py

@@ -0,0 +1,68 @@
+#!/usr/bin/env python3
+"""
+Simulates the login.databricks.com discovery flow for acceptance tests.
+
+When the CLI opens this "browser" with the login.databricks.com URL,
+the script extracts the OAuth parameters from the destination_url,
+constructs a callback to localhost with an iss parameter pointing
+at the testserver, and fetches it.
+
+Usage: discovery_browser.py <url>
+"""
+
+import os
+import sys
+import urllib.parse
+import urllib.request
+
+if len(sys.argv) < 2:
+    sys.stderr.write("Usage: discovery_browser.py <url>\n")
+    sys.exit(1)
+
+url = sys.argv[1]
+parsed = urllib.parse.urlparse(url)
+top_params = urllib.parse.parse_qs(parsed.query)
+
+destination_url = top_params.get("destination_url", [None])[0]
+if not destination_url:
+    sys.stderr.write(f"No destination_url found in: {url}\n")
+    sys.exit(1)
+
+dest_parsed = urllib.parse.urlparse(destination_url)
+dest_params = urllib.parse.parse_qs(dest_parsed.query)
+
+redirect_uri = dest_params.get("redirect_uri", [None])[0]
+state = dest_params.get("state", [None])[0]
+
+if not redirect_uri or not state:
+    sys.stderr.write(f"Missing redirect_uri or state in destination_url: {destination_url}\n")
+    sys.exit(1)
+
+# The testserver's host acts as the workspace issuer.
+testserver_host = os.environ.get("DATABRICKS_HOST", "")
+if not testserver_host:
+    sys.stderr.write("DATABRICKS_HOST not set\n")
+    sys.exit(1)
+
+issuer = testserver_host.rstrip("/") + "/oidc"
+
+# Build the callback URL with code, state, and iss (the workspace issuer).
+callback_params = urllib.parse.urlencode(
+    {
+        "code": "oauth-code",
+        "state": state,
+        "iss": issuer,
+    }
+)
+callback_url = f"{redirect_uri}?{callback_params}"
+
+try:
+    response = urllib.request.urlopen(callback_url)
+    if response.status != 200:
+        sys.stderr.write(f"Callback failed: {callback_url} (status {response.status})\n")
+        sys.exit(1)
+except Exception as e:
+    sys.stderr.write(f"Callback failed: {callback_url} ({e})\n")
+    sys.exit(1)
+
+sys.exit(0)

acceptance/cmd/auth/login/discovery/out.databrickscfg

@@ -0,0 +1,10 @@
+; The profile defined in the DEFAULT section is to be used as a fallback when no profile is explicitly specified.
+[DEFAULT]
+
+[discovery-test]
+host         = [DATABRICKS_URL]
+workspace_id = 12345
+auth_type    = databricks-cli
+
+[__settings__]
+default_profile = discovery-test

acceptance/cmd/auth/login/discovery/out.test.toml

@@ -0,0 +1,14 @@
+
+>>> [CLI] auth login --profile discovery-test
+Opening login.databricks.com in your browser...
+Profile discovery-test was successfully saved
+
+>>> [CLI] auth profiles
+Name                      Host                    Valid
+discovery-test (Default)  [DATABRICKS_URL]  YES
+
+>>> print_requests.py --get //tokens/introspect
+{
+  "method": "GET",
+  "path": "/api/2.0/tokens/introspect"
+}

acceptance/cmd/auth/login/discovery/output.txt

@@ -0,0 +1,14 @@
+sethome "./home"
+
+# Use the discovery browser script that simulates login.databricks.com
+export BROWSER="discovery_browser.py"
+
+trace $CLI auth login --profile discovery-test
+
+trace $CLI auth profiles
+
+# Verify the introspection endpoint was called (workspace_id in profile confirms this too).
+trace print_requests.py --get //tokens/introspect
+
+# Track the .databrickscfg file that was created to surface changes.
+mv "./home/.databrickscfg" "./out.databrickscfg"

acceptance/cmd/auth/login/discovery/script

@@ -0,0 +1,18 @@
+Ignore = [
+    "home"
+]
+RecordRequests = true
+
+# Override the introspection endpoint so we can verify it gets called.
+[[Server]]
+Pattern = "GET /api/2.0/tokens/introspect"
+Response.Body = '''
+{
+    "principal_context": {
+        "authentication_scope": {
+            "account_id": "test-account-123",
+            "workspace_id": 12345
+        }
+    }
+}
+'''