diff --git a/.github/actions/setup-build-environment/action.yml b/.github/actions/setup-build-environment/action.yml
new file mode 100644
index 000000000..e402edb8f
--- /dev/null
+++ b/.github/actions/setup-build-environment/action.yml
@@ -0,0 +1,50 @@
+name: Setup build environment
+description: Set up JDK with JFrog Artifactory as Maven mirror for hardened runners
+
+inputs:
+ java-version:
+ description: "Java version to install"
+ required: true
+
+runs:
+ using: composite
+ steps:
+ - name: Setup JFrog CLI with OIDC
+ if: runner.os != 'macOS'
+ id: jfrog
+ uses: jfrog/setup-jfrog-cli@279b1f629f43dd5bc658d8361ac4802a7ef8d2d5 # v4.9.1
+ env:
+ JF_URL: https://databricks.jfrog.io
+ with:
+ oidc-provider-name: github-actions
+
+ - name: Set up JDK
+ uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4
+ with:
+ java-version: ${{ inputs.java-version }}
+
+ - name: Configure Maven for JFrog
+ if: runner.os != 'macOS'
+ shell: bash
+ run: |
+ mkdir -p ~/.m2
+ cat > ~/.m2/settings.xml << EOF
+
+
+
+ jfrog-maven
+ https://databricks.jfrog.io/artifactory/db-maven/
+ *
+
+
+
+
+ jfrog-maven
+ ${{ steps.jfrog.outputs.oidc-user }}
+
+
+
+
+ EOF
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 4f5308562..990d885d5 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
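Review bot: In the `Configure Maven for JFrog` step, `${{ steps.jfrog.outputs.oidc-user }}` is expanded by the Actions expression engine straight into the script text, inside an unquoted heredoc (`<< EOF`), so any `$`, backtick or line reading `EOF` in the value is interpreted by bash rather than written literally. Pass the step outputs through the step's `env:` instead, e.g. `JFROG_USER: ${{ steps.jfrog.outputs.oidc-user }}`, and write `${JFROG_USER}` in the heredoc. The same applies to whatever fills the password element, which is not visible in this rendering of the hunk. Since the file presumably carries the short-lived OIDC credential, put `umask 077` before the `cat` so `~/.m2/settings.xml` is not created readable by other accounts on the runner.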
@@ -6,66 +6,95 @@ on: merge_group: types: [checks_requested] +permissions: + id-token: write + contents: read + jobs: fmt: - runs-on: ubuntu-latest - steps: - - name: Set up JDK 11 - uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4 - with: - java-version: 11 + runs-on: + group: databricks-protected-runner-group + labels: linux-ubuntu-latest + steps: - name: Checkout uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Cache Maven packages uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: - path: ~/.m2 + path: ~/.m2/repository key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} restore-keys: ${{ runner.os }}-m2 + - name: Setup build environment + uses: ./.github/actions/setup-build-environment + with: + java-version: 11 + - name: Check formatting run: mvn --errors spotless:check + - name: Check for JFrog proxy URLs in lockfiles + run: | + make fix-lockfile + git diff --exit-code -- '**/lockfile.json' + unit-tests: strategy: fail-fast: false matrix: os: [macos-latest, ubuntu-latest] java-version: [8, 11, 17, 20] # 20 is the latest version as of 2023 and 17 is the latest LTS + include: + - os: ubuntu-latest + runner: + group: databricks-protected-runner-group + labels: linux-ubuntu-latest + - os: macos-latest + runner: macos-latest - runs-on: ${{ matrix.os }} + runs-on: ${{ matrix.runner }} steps: - - name: Set up JDK - uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4 - with: - java-version: ${{ matrix.java-version }} - - name: Checkout uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Cache Maven packages uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: - path: ~/.m2 + path: ~/.m2/repository key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} restore-keys: ${{ runner.os }}-m2 + - name: Setup build environment + uses: ./.github/actions/setup-build-environment + with: + java-version: ${{ 
matrix.java-version }} + - name: Check Unit Tests run: mvn --errors test check-lock: - runs-on: ubuntu-latest - steps: - - name: Set up JDK 11 - uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4 - with: - java-version: 11 + runs-on: + group: databricks-protected-runner-group + labels: linux-ubuntu-latest + steps: - name: Checkout uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 + - name: Cache Maven packages + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 + with: + path: ~/.m2/repository + key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} + restore-keys: ${{ runner.os }}-m2 + + - name: Setup build environment + uses: ./.github/actions/setup-build-environment + with: + java-version: 11 + - name: Validate lockfile run: make check-lock diff --git a/Makefile b/Makefile index 8f059a447..811dd0577 100644 --- a/Makefile +++ b/Makefile @@ -10,3 +10,9 @@ lock: check-lock: mvn io.github.chains-project:maven-lockfile:5.5.2:validate +fix-lockfile: + @# Replace JFrog proxy URLs with public Maven Central equivalents in lockfiles. + @# Prevents proxy URLs from being accidentally committed. + find . -type f -name 'lockfile.json' \ + -exec sed -i 's|databricks\.jfrog\.io/artifactory/db-maven|repo.maven.apache.org/maven2|g' {} + + diff --git a/databricks-sdk-java/lockfile.json b/databricks-sdk-java/lockfile.json index 8ba1d918d..9c8761a2a 100644 --- a/databricks-sdk-java/lockfile.json +++ b/databricks-sdk-java/lockfile.json 
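Review bot: The new top-level `permissions:` block grants `id-token: write` to every job in the workflow, including the `macos-latest` legs of `unit-tests` where the JFrog OIDC step is skipped, and to any job added to this file later. Declaring it per job keeps the workflow default read-only: leave only `contents: read` at the top and add `permissions:` with `id-token: write` and `contents: read` under each of `fmt`, `unit-tests` and `check-lock`. Inside those jobs every step can still request an OIDC token, including `mvn --errors test` and the Maven plugins it loads. The trust policy behind `oidc-provider-name: github-actions` should therefore be bound to this repository and the expected refs; that configuration is outside this diff. The workflow's `on:` triggers are only partly visible in the hunk.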
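Review bot: `fix-lockfile` rewrites every `databricks.jfrog.io/artifactory/db-maven` URL to `repo.maven.apache.org/maven2`, which is only accurate if every artifact served by that repository comes from Maven Central at the same path. Presumably it does, but the target's comment should state the assumption, e.g. `@# Assumes db-maven proxies Maven Central only; the recorded checksum, not the URL, pins the artifact.` The `sed -i 's|…|'` form is also GNU-specific: BSD/macOS sed takes the argument after `-i` as a backup suffix, so `make fix-lockfile` on a macOS machine will likely fail instead of rewriting the files. Either document the target as Linux-only or use the portable `sed -i.bak -e '…'` form and delete the `.bak` files afterwards.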
@@ -735,68 +735,68 @@ { "groupId": "org.apache.commons", "artifactId": "commons-configuration2", - "version": "2.11.0", + "version": "2.13.0", "checksumAlgorithm": "SHA-256", - "checksum": "48957fc3a0d9fbd221fe4f5ff6d0294ce6646ea139793c36706703da59402683", + "checksum": "7622799663317f95c81019b32b39e0c82e42b388f00abe6e5ab26489d90d9a6b", "scope": "compile", - "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-configuration2/2.11.0/commons-configuration2-2.11.0.jar", - "selectedVersion": "2.11.0", + "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-configuration2/2.13.0/commons-configuration2-2.13.0.jar", + "selectedVersion": "2.13.0", "included": true, - "id": "org.apache.commons:commons-configuration2:2.11.0", + "id": "org.apache.commons:commons-configuration2:2.13.0", "children": [ { "groupId": "commons-logging", "artifactId": "commons-logging", - "version": "1.3.2", + "version": "1.3.5", "checksumAlgorithm": "SHA-256", - "checksum": "6b858424f518015f32bfcd1183a373f4a827d72d026b6031da0c91cf0e8f3489", + "checksum": "6d7a744e4027649fbb50895df9497d109f98c766a637062fe8d2eabbb3140ba4", "scope": "compile", - "resolved": "https://repo.maven.apache.org/maven2/commons-logging/commons-logging/1.3.2/commons-logging-1.3.2.jar", - "selectedVersion": "1.3.2", + "resolved": "https://repo.maven.apache.org/maven2/commons-logging/commons-logging/1.3.5/commons-logging-1.3.5.jar", + "selectedVersion": "1.3.5", "included": true, - "id": "commons-logging:commons-logging:1.3.2", - "parent": "org.apache.commons:commons-configuration2:2.11.0", + "id": "commons-logging:commons-logging:1.3.5", + "parent": "org.apache.commons:commons-configuration2:2.13.0", "children": [] }, { "groupId": "org.apache.commons", "artifactId": "commons-lang3", - "version": "3.14.0", + "version": "3.20.0", "checksumAlgorithm": "SHA-256", - "checksum": "7b96bf3ee68949abb5bc465559ac270e0551596fa34523fddf890ec418dde13c", + "checksum": 
"69e5c9fa35da7a51a5fd2099dfe56a2d8d32cf233e2f6d770e796146440263f4", "scope": "compile", - "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar", - "selectedVersion": "3.14.0", + "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-lang3/3.20.0/commons-lang3-3.20.0.jar", + "selectedVersion": "3.20.0", "included": true, - "id": "org.apache.commons:commons-lang3:3.14.0", - "parent": "org.apache.commons:commons-configuration2:2.11.0", + "id": "org.apache.commons:commons-lang3:3.20.0", + "parent": "org.apache.commons:commons-configuration2:2.13.0", "children": [] }, { "groupId": "org.apache.commons", "artifactId": "commons-text", - "version": "1.12.0", + "version": "1.14.0", "checksumAlgorithm": "SHA-256", - "checksum": "de023257ff166044a56bd1aa9124e843cd05dac5806cc705a9311f3556d5a15f", + "checksum": "121fce2282910c8f0c3ba793a5436b31beb710423cbe2d574a3fb7a73c508e92", "scope": "compile", - "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-text/1.12.0/commons-text-1.12.0.jar", - "selectedVersion": "1.12.0", + "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-text/1.14.0/commons-text-1.14.0.jar", + "selectedVersion": "1.14.0", "included": true, - "id": "org.apache.commons:commons-text:1.12.0", - "parent": "org.apache.commons:commons-configuration2:2.11.0", + "id": "org.apache.commons:commons-text:1.14.0", + "parent": "org.apache.commons:commons-configuration2:2.13.0", "children": [ { "groupId": "org.apache.commons", "artifactId": "commons-lang3", - "version": "3.14.0", + "version": "3.18.0", "checksumAlgorithm": "SHA-256", - "checksum": "7b96bf3ee68949abb5bc465559ac270e0551596fa34523fddf890ec418dde13c", + "checksum": "4eeeae8d20c078abb64b015ec158add383ac581571cddc45c68f0c9ae0230720", "scope": "compile", - "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar", - 
"selectedVersion": "3.14.0", + "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-lang3/3.18.0/commons-lang3-3.18.0.jar", + "selectedVersion": "3.20.0", "included": false, - "id": "org.apache.commons:commons-lang3:3.14.0", - "parent": "org.apache.commons:commons-text:1.12.0", + "id": "org.apache.commons:commons-lang3:3.18.0", + "parent": "org.apache.commons:commons-text:1.14.0", "children": [] } ] @@ -837,7 +837,7 @@ "checksum": "daddea1ea0be0f56978ab3006b8ac92834afeefbd9b7e4e6316fca57df0fa636", "scope": "compile", "resolved": "https://repo.maven.apache.org/maven2/commons-logging/commons-logging/1.2/commons-logging-1.2.jar", - "selectedVersion": "1.3.2", + "selectedVersion": "1.3.5", "included": false, "id": "commons-logging:commons-logging:1.2", "parent": "org.apache.httpcomponents:httpclient:4.5.14", @@ -1274,7 +1274,7 @@ "metaData": { "environment": { "osName": "Linux", - "mavenVersion": "3.9.9", + "mavenVersion": "3.9.14", "javaVersion": "11.0.30" }, "config": {