From c61158cf743cf321f35c1410b905549ae92ceeac Mon Sep 17 00:00:00 2001
From: Pieter Noordhuis
Date: Tue, 31 Mar 2026 17:32:59 +0200
Subject: [PATCH 1/6] Update snapshot workflow
Co-authored-by: Isaac
---
 .github/workflows/release-snapshot.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/.github/workflows/release-snapshot.yml b/.github/workflows/release-snapshot.yml
index 019762d4e9..77e4d3bc4c 100644
--- a/.github/workflows/release-snapshot.yml
+++ b/.github/workflows/release-snapshot.yml
@@ -6,6 +6,7 @@ on:
 - "main"
 - "demo-*"
 - "bugbash-*"
+ - "eval-*"
 # Confirm that snapshot builds work if this file is modified.
 pull_request:
@@ -97,3 +98,21 @@ jobs:
 files: |-
 dist/databricks_cli_*.zip
 dist/databricks_cli_*.tar.gz
+
+ scan:
+ needs: goreleaser
+ runs-on: ubuntu-latest
+
+ strategy:
+ matrix:
+ artifact:
+ - cli_darwin_snapshot
+ - cli_linux_snapshot
+ - cli_windows_snapshot
+
+ steps:
+ - name: Scan artifact
+ uses: databricks/gh-action-scan@3599451f16bfeaecaf4fc7dc0853bcd6d89e9ea1
+ with:
+ download-artifact: ${{ matrix.artifact }}
+ artifact-name: ${{ matrix.artifact }}
From 94631dbd80b7b59dc70710a5ae7944ddd7d32f30 Mon Sep 17 00:00:00 2001
From: Pieter Noordhuis
Date: Tue, 31 Mar 2026 17:40:38 +0200
Subject: [PATCH 2/6] Separate scan workflow for fast iteration
Co-authored-by: Isaac
---
 .github/workflows/release-snapshot.yml | 18 ---------
 .github/workflows/scan-snapshot.yml | 55 ++++++++++++++++++++++++++
 2 files changed, 55 insertions(+), 18 deletions(-)
 create mode 100644 .github/workflows/scan-snapshot.yml
diff --git a/.github/workflows/release-snapshot.yml b/.github/workflows/release-snapshot.yml
index 77e4d3bc4c..79798b776f 100644
--- a/.github/workflows/release-snapshot.yml
+++ b/.github/workflows/release-snapshot.yml
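Review bot: The `scan` job added at the end of `release-snapshot.yml` in PATCH 1/6 declares `needs: goreleaser`, so it starts only after that job has finished, and the context lines just above it (`files: |-` with the `dist/` archives) look like the step that uploads the snapshot; if so, a failed scan cannot keep a flagged build from being published. If the scan is meant to be advisory, say so above the job, e.g. `# Advisory: runs after the snapshot is published and does not gate it.`; if it is meant to gate, the upload belongs in a job that `needs: scan`. The `goreleaser` job itself lies outside the hunk, so its step order is not visible here.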
@@ -98,21 +98,3 @@ jobs:
 files: |-
 dist/databricks_cli_*.zip
 dist/databricks_cli_*.tar.gz
-
- scan:
- needs: goreleaser
- runs-on: ubuntu-latest
-
- strategy:
- matrix:
- artifact:
- - cli_darwin_snapshot
- - cli_linux_snapshot
- - cli_windows_snapshot
-
- steps:
- - name: Scan artifact
- uses: databricks/gh-action-scan@3599451f16bfeaecaf4fc7dc0853bcd6d89e9ea1
- with:
- download-artifact: ${{ matrix.artifact }}
- artifact-name: ${{ matrix.artifact }}
diff --git a/.github/workflows/scan-snapshot.yml b/.github/workflows/scan-snapshot.yml
new file mode 100644
index 0000000000..07f64d84e4
--- /dev/null
+++ b/.github/workflows/scan-snapshot.yml
@@ -0,0 +1,55 @@
+name: scan-snapshot
+
+on:
+ push:
+ branches:
+ - "eval-*"
+
+ workflow_dispatch:
+
+jobs:
+ download:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Download snapshot release assets
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ gh release download snapshot --repo ${{ github.repository }} --pattern '*.tar.gz' --dir dist
+
+ - name: Upload macOS binaries
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ with:
+ name: cli_darwin_snapshot
+ path: dist/*darwin*
+
+ - name: Upload Linux binaries
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ with:
+ name: cli_linux_snapshot
+ path: dist/*linux*
+
+ - name: Upload Windows binaries
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+ with:
+ name: cli_windows_snapshot
+ path: dist/*windows*
+
+ scan:
+ needs: download
+ runs-on: ubuntu-latest
+
+ strategy:
+ matrix:
+ artifact:
+ - cli_darwin_snapshot
+ - cli_linux_snapshot
+ - cli_windows_snapshot
+
+ steps:
+ - name: Scan artifact
+ uses: databricks/gh-action-scan@3599451f16bfeaecaf4fc7dc0853bcd6d89e9ea1
+ with:
+ download-artifact: ${{ matrix.artifact }}
+ artifact-name: ${{ matrix.artifact }}
From 3aeb8dac4960e34d8b893d34755a0fb3a96051d7 Mon Sep 17 00:00:00 2001
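Review bot: The new `scan-snapshot.yml` in PATCH 2/6 has no `permissions:` block, so `GITHUB_TOKEN` runs with the repository default even though its only visible use is `gh release download`; a top-level `permissions:` with `contents: read` keeps it read-only (what the scan action itself needs is not visible here). In the same `run:` step `${{ github.repository }}` is expanded straight into the shell text; passing it as `GH_REPO: ${{ github.repository }}` under `env:` and dropping `--repo` keeps expressions out of the script. The download pattern is `'*.tar.gz'` only, so if the Windows build is published as a `.zip` (not visible here) `dist/*windows*` matches nothing and the upload step merely warns; `if-no-files-found: error` on the three upload steps would surface a platform that was never scanned.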
From: Pieter Noordhuis
Date: Tue, 31 Mar 2026 17:44:54 +0200
Subject: [PATCH 3/6] Use deco runner group for IP allowlist
Co-authored-by: Isaac
---
 .github/workflows/scan-snapshot.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/scan-snapshot.yml b/.github/workflows/scan-snapshot.yml
index 07f64d84e4..c2533f3e71 100644
--- a/.github/workflows/scan-snapshot.yml
+++ b/.github/workflows/scan-snapshot.yml
@@ -9,7 +9,9 @@ on:
 jobs:
 download:
- runs-on: ubuntu-latest
+ runs-on:
+ group: databricks-deco-testing-runner-group
+ labels: ubuntu-latest-deco
 steps:
 - name: Download snapshot release assets
@@ -38,7 +40,9 @@ jobs:
 scan:
 needs: download
- runs-on: ubuntu-latest
+ runs-on:
+ group: databricks-deco-testing-runner-group
+ labels: ubuntu-latest-deco
 strategy:
 matrix:
From 589012e909a0c1f07e29e1392b1cc94d9784ce16 Mon Sep 17 00:00:00 2001
From: Pieter Noordhuis
Date: Tue, 31 Mar 2026 17:47:28 +0200
Subject: [PATCH 4/6] Checkout private action before use
Co-authored-by: Isaac
---
 .github/workflows/scan-snapshot.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/scan-snapshot.yml b/.github/workflows/scan-snapshot.yml
index c2533f3e71..34fc2a3e94 100644
--- a/.github/workflows/scan-snapshot.yml
+++ b/.github/workflows/scan-snapshot.yml
@@ -52,8 +52,15 @@ jobs:
 - cli_windows_snapshot
 steps:
+ - name: Checkout scan action
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ repository: databricks/gh-action-scan
+ ref: 3599451f16bfeaecaf4fc7dc0853bcd6d89e9ea1
+ path: .gh-action-scan
+
 - name: Scan artifact
- uses: databricks/gh-action-scan@3599451f16bfeaecaf4fc7dc0853bcd6d89e9ea1
+ uses: ./.gh-action-scan
 with:
 download-artifact: ${{ matrix.artifact }}
 artifact-name: ${{ matrix.artifact }}
From 7d144cfc5fa6f269e75591e6fcbc2e2fe8f49ccf Mon Sep 17 00:00:00 2001
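Review bot: Both hunks of PATCH 3/6 move a job onto `databricks-deco-testing-runner-group`, but the `download` job as added earlier in the series only calls `gh release download` and `actions/upload-artifact`, neither of which obviously needs the allowlisted egress the subject line refers to. If only the scan step talks to the allowlisted service (an inference from the commit subject), leaving `download` on `ubuntu-latest` keeps less code running on the network-privileged runners. Either way a comment above each `runs-on:` would record the reason, e.g. `# Runner group is on the IP allowlist required by the scan action.`. Both job bodies continue outside the hunks.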
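Review bot: The `actions/checkout` step added in PATCH 4/6 leaves `persist-credentials` at its default, so the credential used for the clone stays configured on the runner for the rest of the job, where the `./.gh-action-scan` action that runs next can use it; add `persist-credentials: false` under `with:`. The same applies to the `token:` line added in PATCH 5/6. The scan action's `ref:` keeps the full commit SHA from the old `uses:` reference, but a trailing comment naming the release it corresponds to, as `# v6.0.2` does for the checkout action, would make later bumps reviewable. The `scan` job starts above the hunk.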
From: Pieter Noordhuis
Date: Tue, 31 Mar 2026 17:49:48 +0200
Subject: [PATCH 5/6] Use DECO_GITHUB_TOKEN for cross-repo checkout
Co-authored-by: Isaac
---
 .github/workflows/scan-snapshot.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/scan-snapshot.yml b/.github/workflows/scan-snapshot.yml
index 34fc2a3e94..5889cd5b1d 100644
--- a/.github/workflows/scan-snapshot.yml
+++ b/.github/workflows/scan-snapshot.yml
@@ -57,6 +57,7 @@ jobs:
 with:
 repository: databricks/gh-action-scan
 ref: 3599451f16bfeaecaf4fc7dc0853bcd6d89e9ea1
+ token: ${{ secrets.DECO_GITHUB_TOKEN }}
 path: .gh-action-scan
 - name: Scan artifact
From c8878b5abc1bb893e6b9f5d8f65cb2a63a928157 Mon Sep 17 00:00:00 2001
From: Pieter Noordhuis
Date: Tue, 31 Mar 2026 17:59:38 +0200
Subject: [PATCH 6/6] Revert DECO_GITHUB_TOKEN usage
Co-authored-by: Isaac
---
 .github/workflows/scan-snapshot.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/scan-snapshot.yml b/.github/workflows/scan-snapshot.yml
index 5889cd5b1d..34fc2a3e94 100644
--- a/.github/workflows/scan-snapshot.yml
+++ b/.github/workflows/scan-snapshot.yml
@@ -57,7 +57,6 @@ jobs:
 with:
 repository: databricks/gh-action-scan
 ref: 3599451f16bfeaecaf4fc7dc0853bcd6d89e9ea1
- token: ${{ secrets.DECO_GITHUB_TOKEN }}
 path: .gh-action-scan
 - name: Scan artifact
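Review bot: `secrets.DECO_GITHUB_TOKEN` in PATCH 5/6 is handed to a workflow that, per the `on:` block added in PATCH 2/6, runs on every push to an `eval-*` branch, so the secret is exposed to whatever workflow content such a branch carries. The token's scope is not visible here; it should be limited to read access on `databricks/gh-action-scan`, and a comment on the line would record that, e.g. `# Read-only token for the private databricks/gh-action-scan repository.`. The checkout step that owns this `with:` block starts above the hunk.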