Switch CI to hardened runners with JFrog OIDC authentication#753

Open
mihaimitrea-db wants to merge 4 commits into main from mihaimitrea-db/jfrog-artifactory-migration

Conversation

@mihaimitrea-db
Contributor

Summary

Route Maven dependency resolution through JFrog Artifactory on hardened runners that block direct access to Maven Central. Authenticate via GitHub Actions OIDC (zero stored secrets).

  • Add composite action for JFrog OIDC + Java setup
  • Switch fmt, unit-tests (Linux), and check-lock to databricks-protected-runner-group
  • Add workflow-level id-token: write permission for OIDC
  • Keep macOS unit-tests on public runners (not hardened)

Modeled after the CLI (#4875), Go SDK (#1609), and Python SDK (#1379).

Out of scope

  • release.yml: Needs special publish runners per migration guide (separate follow-up)
  • tagging.yml: Generated from Universe; JFrog setup needs to be upstreamed to the genkit template
  • conftest.yml: No Maven operations; can stay on ubuntu-latest

Test plan

  • Verify mvn --errors spotless:check passes (fmt job)
  • Verify mvn --errors test passes on Linux (Java 8, 11, 17, 20)
  • Verify mvn --errors test passes on macOS (Java 8, 11, 17, 20)
  • Verify make check-lock passes (lockfile validation)
  • Verify conftest passes on the new workflow files

NO_CHANGELOG=true

Route Maven dependency resolution through JFrog Artifactory on hardened
runners that block direct access to Maven Central. Authenticate via
GitHub Actions OIDC (zero stored secrets).

- Add composite action for JFrog OIDC + Java setup
- Switch fmt, unit-tests (Linux), and check-lock to
  databricks-protected-runner-group
- Add workflow-level id-token: write permission for OIDC
- Keep macOS unit-tests on public runners (not hardened)

NO_CHANGELOG=true

Hardened runners terminate SSL handshakes to repo.maven.apache.org,
so Maven needs an explicit mirror pointing to JFrog Artifactory.
Generate ~/.m2/settings.xml with OIDC credentials from the JFrog
setup step.

When lockfiles are regenerated while Maven resolves through JFrog
(CI or VPN), the resolved URLs point to databricks.jfrog.io instead
of repo.maven.apache.org. This target rewrites them back to public
Maven Central URLs before committing.

Run make fix-lockfile in the fmt job and fail on git diff, catching
any accidentally committed JFrog proxy URLs in lockfile.json. Same
CI enforcement pattern as the Python SDK.
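The lockfile rewrite and the CI diff check described in the commit messages above, as an added Python example (not the SDK's own `make fix-lockfile` target): it assumes an Artifactory-style `https://databricks.jfrog.io/artifactory/<repo-key>/` URL layout and a JSON lockfile whose string values carry the resolved URLs; the repo key and the sample lockfile are constructed.

```python
import json
import re
from typing import Any

# ASSUMED layout (not on the PR page): Artifactory remote repositories are
# served as https://<host>/artifactory/<repo-key>/<artifact path>. The real
# repo key is unknown here, so any key is matched.
JFROG_HOST = "databricks.jfrog.io"
PROXY_RE = re.compile(rf"^https://{re.escape(JFROG_HOST)}/artifactory/[^/]+/")
CENTRAL_PREFIX = "https://repo.maven.apache.org/maven2/"


def rewrite_url(value: str) -> str:
    """Map a proxy URL onto its Maven Central equivalent; other strings pass through."""
    return PROXY_RE.sub(CENTRAL_PREFIX, value, count=1)


def rewrite_tree(node: Any) -> Any:
    """Apply rewrite_url to every string value in a JSON document, keeping structure."""
    if isinstance(node, dict):
        return {k: rewrite_tree(v) for k, v in node.items()}
    if isinstance(node, list):
        return [rewrite_tree(v) for v in node]
    return rewrite_url(node) if isinstance(node, str) else node


def find_proxy_urls(node: Any) -> list[str]:
    """Every string still naming the JFrog host. Matching on the host rather than
    PROXY_RE means an unexpected URL shape is still reported instead of silently kept."""
    if isinstance(node, dict):
        return [u for v in node.values() for u in find_proxy_urls(v)]
    if isinstance(node, list):
        return [u for v in node for u in find_proxy_urls(v)]
    return [node] if isinstance(node, str) and JFROG_HOST in node else []


def fix_lockfile(text: str) -> tuple[str, list[str]]:
    """Return (rewritten lockfile text, proxy URLs present before rewriting).
    In CI a non-empty list means `git diff` would be non-empty and the job fails."""
    data = json.loads(text)
    leaked = find_proxy_urls(data)
    fixed = json.dumps(rewrite_tree(data), indent=2, sort_keys=True) + "\n"
    return fixed, leaked


# Constructed sample: one artifact resolved through the proxy, one already public.
SAMPLE_LOCKFILE = json.dumps({"dependencies": [
    {"name": "com.example:lib:1.0.0",
     "url": "https://databricks.jfrog.io/artifactory/maven-remote/com/example/lib/1.0.0/lib-1.0.0.jar"},
    {"name": "org.example:tool:2.1.0",
     "url": "https://repo.maven.apache.org/maven2/org/example/tool/2.1.0/tool-2.1.0.jar"},
]})

if __name__ == "__main__":
    fixed_text, leaked = fix_lockfile(SAMPLE_LOCKFILE)
    print(fixed_text)
    raise SystemExit(1 if leaked else 0)  # non-zero exit mirrors the failing CI check
```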
@mihaimitrea-db mihaimitrea-db deployed to test-trigger-is April 7, 2026 09:12 — with GitHub Actions Active
@github-actions

github-actions bot commented Apr 7, 2026

If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:

Trigger:
go/deco-tests-run/sdk-java

Inputs:

  • PR number: 753
  • Commit SHA: 1650408787028a4768283d1df269d089b1c28517

Checks will be approved automatically on success.
