From f48d57fb364dd21d03a4cb8750e9b7e8deb68db5 Mon Sep 17 00:00:00 2001
From: Mihai Mitrea
Date: Tue, 7 Apr 2026 08:14:19 +0000
Subject: [PATCH 01/10] Switch CI to hardened runners with JFrog OIDC authentication
Route Maven dependency resolution through JFrog Artifactory on hardened runners that block direct access to Maven Central. Authenticate via GitHub Actions OIDC (zero stored secrets).
- Add composite action for JFrog OIDC + Java setup
- Switch fmt, unit-tests (Linux), and check-lock to databricks-protected-runner-group
- Add workflow-level id-token: write permission for OIDC
- Keep macOS unit-tests on public runners (not hardened)
NO_CHANGELOG=true
---
 .../setup-build-environment/action.yml | 23 ++++++++
 .github/workflows/push.yml | 55 ++++++++++++-------
 2 files changed, 59 insertions(+), 19 deletions(-)
 create mode 100644 .github/actions/setup-build-environment/action.yml
diff --git a/.github/actions/setup-build-environment/action.yml b/.github/actions/setup-build-environment/action.yml
new file mode 100644
index 000000000..1ff2d74de
--- /dev/null
+++ b/.github/actions/setup-build-environment/action.yml
@@ -0,0 +1,23 @@
+name: Setup build environment
+description: Set up JDK with JFrog OIDC authentication for hardened runners
+
+inputs:
+ java-version:
+ description: "Java version to install"
+ required: true
+
+runs:
+ using: composite
+ steps:
+ - name: Setup JFrog CLI with OIDC
+ if: runner.os != 'macOS'
+ uses: jfrog/setup-jfrog-cli@279b1f629f43dd5bc658d8361ac4802a7ef8d2d5 # v4.9.1
+ env:
+ JF_URL: https://databricks.jfrog.io
+ with:
+ oidc-provider-name: github-actions
+
+ - name: Set up JDK
+ uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4
+ with:
+ java-version: ${{ inputs.java-version }}
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 4f5308562..a99c1ec21 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
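Review bot: The JFrog step names the Artifactory OIDC integration only as `oidc-provider-name: github-actions`, and nothing in the new action records which token claims (repository, ref, workflow) that integration is configured to accept, which is the real boundary on who can turn this repository's `id-token: write` into an Artifactory credential. I would add a comment above the step such as `# Artifactory identity mapping for provider 'github-actions' must restrict the repository (and ideally ref) claims; policy lives at <ops-doc placeholder>` and, if the provider validates an audience, pin it with the action's `oidc-audience` input so the default cannot drift. The `if: runner.os != 'macOS'` guard means macOS callers get an unauthenticated Maven Central setup with no JFrog configuration at all, and the `description` line should say so since the action is otherwise silent about that second mode.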
@@ -6,18 +6,25 @@ on: merge_group: types: [checks_requested] +permissions: + id-token: write + contents: read + jobs: fmt: - runs-on: ubuntu-latest - steps: - - name: Set up JDK 11 - uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4 - with: - java-version: 11 + runs-on: + group: databricks-protected-runner-group + labels: linux-ubuntu-latest + steps: - name: Checkout uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 + - name: Setup build environment + uses: ./.github/actions/setup-build-environment + with: + java-version: 11 + - name: Cache Maven packages uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: @@ -32,20 +39,27 @@ jobs: strategy: fail-fast: false matrix: - os: [macos-latest, ubuntu-latest] + os: + - name: linux + runner: + group: databricks-protected-runner-group + labels: linux-ubuntu-latest + - name: macos + runner: macos-latest java-version: [8, 11, 17, 20] # 20 is the latest version as of 2023 and 17 is the latest LTS - runs-on: ${{ matrix.os }} + name: "unit-tests (${{ matrix.os.name }}, java ${{ matrix.java-version }})" + runs-on: ${{ matrix.os.runner }} steps: - - name: Set up JDK - uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4 - with: - java-version: ${{ matrix.java-version }} - - name: Checkout uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 + - name: Setup build environment + uses: ./.github/actions/setup-build-environment + with: + java-version: ${{ matrix.java-version }} + - name: Cache Maven packages uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: 
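Review bot: The workflow-level `permissions:` block grants `id-token: write` to every job in the file, including the macOS unit-tests legs that skip the JFrog step and never need an OIDC token, so any step in those jobs can mint a token carrying this repository's identity. Least privilege here is to keep `contents: read` at the top and put `id-token: write` under `fmt`, `unit-tests` and `check-lock` individually, which also documents which jobs actually exchange the token. Because the second hunk keeps macOS and Linux in one matrix job, the token permission cannot be split by OS within that job; that trade-off deserves a one-line comment next to `permissions:` so the next reader does not widen it further.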
@@ -57,15 +71,18 @@ jobs: run: mvn --errors test check-lock: - runs-on: ubuntu-latest - steps: - - name: Set up JDK 11 - uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4 - with: - java-version: 11 + runs-on: + group: databricks-protected-runner-group + labels: linux-ubuntu-latest + steps: - name: Checkout uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 + - name: Setup build environment + uses: ./.github/actions/setup-build-environment + with: + java-version: 11 + - name: Validate lockfile run: make check-lock From 99312caad38ed156e20555e72f59552ed6471ea7 Mon Sep 17 00:00:00 2001 From: Mihai Mitrea Date: Tue, 7 Apr 2026 08:19:18 +0000 Subject: [PATCH 02/10] Add Maven settings.xml with JFrog mirror configuration Hardened runners terminate SSL handshakes to repo.maven.apache.org, so Maven needs an explicit mirror pointing to JFrog Artifactory. Generate ~/.m2/settings.xml with OIDC credentials from the JFrog setup step. --- .../setup-build-environment/action.yml | 29 ++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/.github/actions/setup-build-environment/action.yml b/.github/actions/setup-build-environment/action.yml index 1ff2d74de..e402edb8f 100644 --- a/.github/actions/setup-build-environment/action.yml +++ b/.github/actions/setup-build-environment/action.yml @@ -1,5 +1,5 @@ name: Setup build environment -description: Set up JDK with JFrog OIDC authentication for hardened runners +description: Set up JDK with JFrog Artifactory as Maven mirror for hardened runners inputs: java-version: @@ -11,6 +11,7 @@ runs: steps: - name: Setup JFrog CLI with OIDC if: runner.os != 'macOS' + id: jfrog uses: jfrog/setup-jfrog-cli@279b1f629f43dd5bc658d8361ac4802a7ef8d2d5 # v4.9.1 env: JF_URL: https://databricks.jfrog.io 
@@ -21,3 +22,29 @@ runs: uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4 with: java-version: ${{ inputs.java-version }} + + - name: Configure Maven for JFrog + if: runner.os != 'macOS' + shell: bash + run: | + mkdir -p ~/.m2 + cat > ~/.m2/settings.xml << EOF + + + + jfrog-maven + https://databricks.jfrog.io/artifactory/db-maven/ + * + + + + + jfrog-maven + ${{ steps.jfrog.outputs.oidc-user }} + + + + + EOF From 2195ceb2a49fd21cb77a7bcaf07f18d2fb884df5 Mon Sep 17 00:00:00 2001 From: Mihai Mitrea Date: Tue, 7 Apr 2026 09:10:56 +0000 Subject: [PATCH 03/10] Add fix-lockfile target to normalize JFrog proxy URLs When lockfiles are regenerated while Maven resolves through JFrog (CI or VPN), the resolved URLs point to databricks.jfrog.io instead of repo.maven.apache.org. This target rewrites them back to public Maven Central URLs before committing. --- Makefile | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Makefile b/Makefile index 8f059a447..811dd0577 100644 --- a/Makefile +++ b/Makefile @@ -10,3 +10,9 @@ lock: check-lock: mvn io.github.chains-project:maven-lockfile:5.5.2:validate +fix-lockfile: + @# Replace JFrog proxy URLs with public Maven Central equivalents in lockfiles. + @# Prevents proxy URLs from being accidentally committed. + find . -type f -name 'lockfile.json' \ + -exec sed -i 's|databricks\.jfrog\.io/artifactory/db-maven|repo.maven.apache.org/maven2|g' {} + + From 1650408787028a4768283d1df269d089b1c28517 Mon Sep 17 00:00:00 2001 From: Mihai Mitrea Date: Tue, 7 Apr 2026 09:12:03 +0000 Subject: [PATCH 04/10] Enforce no JFrog proxy URLs in committed lockfiles Run make fix-lockfile in the fmt job and fail on git diff, catching any accidentally committed JFrog proxy URLs in lockfile.json. Same CI enforcement pattern as the Python SDK. --- .github/workflows/push.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index a99c1ec21..7d5cf529e 100644 
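Review bot: The `run:` script expands `${{ steps.jfrog.outputs.oidc-user }}` (and whatever the password element carries; the XML element names and that value do not survive this rendering of the patch) directly into the shell heredoc, so the credential becomes part of the script text instead of being read from the environment. The conventional shape is to map the outputs under `env:` (`JF_USER: ${{ steps.jfrog.outputs.oidc-user }}` and likewise for the token) and reference `$JF_USER` / `$JF_TOKEN` inside the unquoted heredoc, which keeps expression values out of the generated shell. The file is also created with the default umask inside `~/.m2`, which at this point in the series is exactly the `actions/cache` path the workflow saves, so the short-lived credential is persisted into the shared Actions cache; a later commit narrows the cache path, but `umask 077` before the `cat` (or `chmod 600 ~/.m2/settings.xml` after it) is still missing.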
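Review bot: `sed -i 's|…|g'` with no suffix is GNU sed syntax; BSD/macOS sed requires an argument to `-i`, so `make fix-lockfile` fails or mis-parses on the developer machines the commit message says regenerate lockfiles over VPN. A portable form is `-exec sed -i.bak 's|databricks\.jfrog\.io/artifactory/db-maven|repo.maven.apache.org/maven2|g' {} +` followed by `find . -type f -name 'lockfile.json.bak' -delete`. The rewrite also assumes every artifact proxied through `db-maven` originated from Maven Central; if the virtual repository aggregates other upstreams, an artifact from one of them would be given a Central URL that does not exist there, and it is not clear from here whether `check-lock` validates `resolved` URLs or only checksums, so a comment stating that assumption would help.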
--- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -35,6 +35,11 @@ jobs: - name: Check formatting run: mvn --errors spotless:check + - name: Check for JFrog proxy URLs in lockfiles + run: | + make fix-lockfile + git diff --exit-code -- '**/lockfile.json' + unit-tests: strategy: fail-fast: false From 3f239bfeea923e22c0d7f154c8040cbf7fe5ddde Mon Sep 17 00:00:00 2001 From: Mihai Mitrea Date: Tue, 7 Apr 2026 12:54:30 +0000 Subject: [PATCH 05/10] Add temporary CI job to regenerate lockfile via JFrog The lockfile is out of date on main (commons-configuration2 2.11.0 vs 2.13.0 in POM). This temporary job regenerates it through JFrog and normalizes URLs back to Maven Central. The check-lock job now depends on it so it validates the freshly generated lockfile. Remove this job once the lockfile is up to date. --- .github/workflows/push.yml | 40 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index 7d5cf529e..1b459761a 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml 
@@ -75,7 +75,45 @@ jobs: - name: Check Unit Tests run: mvn --errors test + # TODO: Remove this job after the lockfile is regenerated. + regen-lockfile: + if: github.event_name == 'pull_request' + runs-on: + group: databricks-protected-runner-group + labels: linux-ubuntu-latest + + permissions: + id-token: write + contents: write + + steps: + - name: Checkout + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 + with: + ref: ${{ github.head_ref }} + + - name: Setup build environment + uses: ./.github/actions/setup-build-environment + with: + java-version: 11 + + - name: Regenerate lockfile + run: make lock + + - name: Normalize JFrog URLs + run: make fix-lockfile + + - name: Commit if changed + run: | + git diff --quiet -- '**/lockfile.json' && exit 0 + git config user.name "github-actions[bot]" + git config user.email "github-actions[bot]@users.noreply.github.com" + git add '**/lockfile.json' + git commit -m "Regenerate lockfile for commons-configuration2 2.13.0" + git push + check-lock: + needs: regen-lockfile runs-on: group: databricks-protected-runner-group labels: linux-ubuntu-latest @@ -83,6 +121,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 + with: + ref: ${{ github.head_ref }} - name: Setup build environment uses: ./.github/actions/setup-build-environment From e6da8cb80066af53b9d90d71105c50f7a28673fd Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Tue, 7 Apr 2026 12:55:35 +0000 Subject: [PATCH 06/10] Regenerate lockfile for commons-configuration2 2.13.0 --- databricks-sdk-java/lockfile.json | 62 +++++++++++++++---------------- 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/databricks-sdk-java/lockfile.json b/databricks-sdk-java/lockfile.json index 8ba1d918d..9c8761a2a 100644 --- a/databricks-sdk-java/lockfile.json +++ b/databricks-sdk-java/lockfile.json 
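Review bot: `regen-lockfile` combines `contents: write`, a checkout of `github.head_ref`, and `make lock`, which runs the PR branch's Maven build (including whatever plugins its `pom.xml` declares) with a push-capable GITHUB_TOKEN and a live Artifactory OIDC identity; fork PRs get a read-only token, but for same-repository PRs that is arbitrary branch code executing with write access. If the job must exist, gate it to the one branch that needs it, e.g. `if: github.event_name == 'pull_request' && github.head_ref == '<branch placeholder>'`, and keep `contents: read` everywhere else. Commits pushed with GITHUB_TOKEN do not trigger a new workflow run, so the pushed lockfile commit carries no check results of its own; the `needs: regen-lockfile` plus `ref: ${{ github.head_ref }}` chain on `check-lock` only covers this run, which is presumably why the empty commit in patch 07 was needed. The job is removed again in patch 09, so this matters mainly if the pattern is reused.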
@@ -735,68 +735,68 @@ { "groupId": "org.apache.commons", "artifactId": "commons-configuration2", - "version": "2.11.0", + "version": "2.13.0", "checksumAlgorithm": "SHA-256", - "checksum": "48957fc3a0d9fbd221fe4f5ff6d0294ce6646ea139793c36706703da59402683", + "checksum": "7622799663317f95c81019b32b39e0c82e42b388f00abe6e5ab26489d90d9a6b", "scope": "compile", - "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-configuration2/2.11.0/commons-configuration2-2.11.0.jar", - "selectedVersion": "2.11.0", + "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-configuration2/2.13.0/commons-configuration2-2.13.0.jar", + "selectedVersion": "2.13.0", "included": true, - "id": "org.apache.commons:commons-configuration2:2.11.0", + "id": "org.apache.commons:commons-configuration2:2.13.0", "children": [ { "groupId": "commons-logging", "artifactId": "commons-logging", - "version": "1.3.2", + "version": "1.3.5", "checksumAlgorithm": "SHA-256", - "checksum": "6b858424f518015f32bfcd1183a373f4a827d72d026b6031da0c91cf0e8f3489", + "checksum": "6d7a744e4027649fbb50895df9497d109f98c766a637062fe8d2eabbb3140ba4", "scope": "compile", - "resolved": "https://repo.maven.apache.org/maven2/commons-logging/commons-logging/1.3.2/commons-logging-1.3.2.jar", - "selectedVersion": "1.3.2", + "resolved": "https://repo.maven.apache.org/maven2/commons-logging/commons-logging/1.3.5/commons-logging-1.3.5.jar", + "selectedVersion": "1.3.5", "included": true, - "id": "commons-logging:commons-logging:1.3.2", - "parent": "org.apache.commons:commons-configuration2:2.11.0", + "id": "commons-logging:commons-logging:1.3.5", + "parent": "org.apache.commons:commons-configuration2:2.13.0", "children": [] }, { "groupId": "org.apache.commons", "artifactId": "commons-lang3", - "version": "3.14.0", + "version": "3.20.0", "checksumAlgorithm": "SHA-256", - "checksum": "7b96bf3ee68949abb5bc465559ac270e0551596fa34523fddf890ec418dde13c", + "checksum": 
"69e5c9fa35da7a51a5fd2099dfe56a2d8d32cf233e2f6d770e796146440263f4", "scope": "compile", - "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar", - "selectedVersion": "3.14.0", + "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-lang3/3.20.0/commons-lang3-3.20.0.jar", + "selectedVersion": "3.20.0", "included": true, - "id": "org.apache.commons:commons-lang3:3.14.0", - "parent": "org.apache.commons:commons-configuration2:2.11.0", + "id": "org.apache.commons:commons-lang3:3.20.0", + "parent": "org.apache.commons:commons-configuration2:2.13.0", "children": [] }, { "groupId": "org.apache.commons", "artifactId": "commons-text", - "version": "1.12.0", + "version": "1.14.0", "checksumAlgorithm": "SHA-256", - "checksum": "de023257ff166044a56bd1aa9124e843cd05dac5806cc705a9311f3556d5a15f", + "checksum": "121fce2282910c8f0c3ba793a5436b31beb710423cbe2d574a3fb7a73c508e92", "scope": "compile", - "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-text/1.12.0/commons-text-1.12.0.jar", - "selectedVersion": "1.12.0", + "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-text/1.14.0/commons-text-1.14.0.jar", + "selectedVersion": "1.14.0", "included": true, - "id": "org.apache.commons:commons-text:1.12.0", - "parent": "org.apache.commons:commons-configuration2:2.11.0", + "id": "org.apache.commons:commons-text:1.14.0", + "parent": "org.apache.commons:commons-configuration2:2.13.0", "children": [ { "groupId": "org.apache.commons", "artifactId": "commons-lang3", - "version": "3.14.0", + "version": "3.18.0", "checksumAlgorithm": "SHA-256", - "checksum": "7b96bf3ee68949abb5bc465559ac270e0551596fa34523fddf890ec418dde13c", + "checksum": "4eeeae8d20c078abb64b015ec158add383ac581571cddc45c68f0c9ae0230720", "scope": "compile", - "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar", - 
"selectedVersion": "3.14.0", + "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-lang3/3.18.0/commons-lang3-3.18.0.jar", + "selectedVersion": "3.20.0", "included": false, - "id": "org.apache.commons:commons-lang3:3.14.0", - "parent": "org.apache.commons:commons-text:1.12.0", + "id": "org.apache.commons:commons-lang3:3.18.0", + "parent": "org.apache.commons:commons-text:1.14.0", "children": [] } ] @@ -837,7 +837,7 @@ "checksum": "daddea1ea0be0f56978ab3006b8ac92834afeefbd9b7e4e6316fca57df0fa636", "scope": "compile", "resolved": "https://repo.maven.apache.org/maven2/commons-logging/commons-logging/1.2/commons-logging-1.2.jar", - "selectedVersion": "1.3.2", + "selectedVersion": "1.3.5", "included": false, "id": "commons-logging:commons-logging:1.2", "parent": "org.apache.httpcomponents:httpclient:4.5.14", @@ -1274,7 +1274,7 @@ "metaData": { "environment": { "osName": "Linux", - "mavenVersion": "3.9.9", + "mavenVersion": "3.9.14", "javaVersion": "11.0.30" }, "config": { From 69ab795665ae4b345ab2f8801fe8b4644cbf0eca Mon Sep 17 00:00:00 2001 From: Mihai Mitrea Date: Tue, 7 Apr 2026 13:02:19 +0000 Subject: [PATCH 07/10] Trigger CI on regenerated lockfile From efb39f2281242c6a0d6bdba433ab557efbc3fd6f Mon Sep 17 00:00:00 2001 From: Mihai Mitrea Date: Tue, 7 Apr 2026 13:08:45 +0000 Subject: [PATCH 08/10] Fix cache overwriting JFrog settings.xml with expired tokens The actions/cache step was restoring ~/.m2 (including settings.xml from a previous run with an expired OIDC token) after the composite action generated a fresh settings.xml. This caused 401 errors on subsequent runs. Fix by: 1. Caching only ~/.m2/repository (artifacts only, not settings.xml) 2. Moving cache restore before the build environment setup --- .github/workflows/push.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index 1b459761a..b63e2d495 100644 
--- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -20,18 +20,18 @@ jobs: - name: Checkout uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - - name: Setup build environment - uses: ./.github/actions/setup-build-environment - with: - java-version: 11 - - name: Cache Maven packages uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: - path: ~/.m2 + path: ~/.m2/repository key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} restore-keys: ${{ runner.os }}-m2 + - name: Setup build environment + uses: ./.github/actions/setup-build-environment + with: + java-version: 11 + - name: Check formatting run: mvn --errors spotless:check @@ -60,18 +60,18 @@ jobs: - name: Checkout uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - - name: Setup build environment - uses: ./.github/actions/setup-build-environment - with: - java-version: ${{ matrix.java-version }} - - name: Cache Maven packages uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: - path: ~/.m2 + path: ~/.m2/repository key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} restore-keys: ${{ runner.os }}-m2 + - name: Setup build environment + uses: ./.github/actions/setup-build-environment + with: + java-version: ${{ matrix.java-version }} + - name: Check Unit Tests run: mvn --errors test From f7adf0c373fc9fc9e410b975c46df122ecdbb455 Mon Sep 17 00:00:00 2001 From: Mihai Mitrea Date: Tue, 7 Apr 2026 13:17:42 +0000 Subject: [PATCH 09/10] Remove temporary regen-lockfile CI job The lockfile has been regenerated and committed. Remove the temporary job and restore check-lock to run independently with the same cache and build environment setup as other jobs. --- .github/workflows/push.yml | 45 +++++--------------------------------- 1 file changed, 6 insertions(+), 39 deletions(-) diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index b63e2d495..e5b35a049 100644 
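Review bot: Narrowing `path:` to `~/.m2/repository` stops new cache entries from capturing `settings.xml`, but the unchanged `restore-keys: ${{ runner.os }}-m2` prefix still matches the entries saved before this fix, which per the commit message contain a `settings.xml` with an OIDC-derived credential (expired or not); those archives remain in the Actions cache until evicted and should be deleted explicitly rather than left to age out. Moving the composite action after the restore does guarantee that a freshly written `settings.xml` overwrites anything an old archive restores, so the 401 is fixed, but bumping the key prefix (e.g. `${{ runner.os }}-m2-repo-${{ hashFiles('**/pom.xml') }}` with a matching restore key) would also stop the old archives from being restored at all. The second hunk for `unit-tests` has the same key and the same consideration.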
--- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -75,45 +75,7 @@ jobs: - name: Check Unit Tests run: mvn --errors test - # TODO: Remove this job after the lockfile is regenerated. - regen-lockfile: - if: github.event_name == 'pull_request' - runs-on: - group: databricks-protected-runner-group - labels: linux-ubuntu-latest - - permissions: - id-token: write - contents: write - - steps: - - name: Checkout - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - with: - ref: ${{ github.head_ref }} - - - name: Setup build environment - uses: ./.github/actions/setup-build-environment - with: - java-version: 11 - - - name: Regenerate lockfile - run: make lock - - - name: Normalize JFrog URLs - run: make fix-lockfile - - - name: Commit if changed - run: | - git diff --quiet -- '**/lockfile.json' && exit 0 - git config user.name "github-actions[bot]" - git config user.email "github-actions[bot]@users.noreply.github.com" - git add '**/lockfile.json' - git commit -m "Regenerate lockfile for commons-configuration2 2.13.0" - git push - check-lock: - needs: regen-lockfile runs-on: group: databricks-protected-runner-group labels: linux-ubuntu-latest @@ -121,8 +83,13 @@ jobs: steps: - name: Checkout uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 + + - name: Cache Maven packages + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: - ref: ${{ github.head_ref }} + path: ~/.m2/repository + key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} + restore-keys: ${{ runner.os }}-m2 - name: Setup build environment uses: ./.github/actions/setup-build-environment From 3393aa4283345bc67a13d521f5f4bca58f1088dc Mon Sep 17 00:00:00 2001 
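Review bot: The second hunk makes `check-lock` the third job to carry the identical checkout → cache → setup-build-environment sequence, and the ordering bug fixed in patch 08 shows how easily those copies drift. Moving the `actions/cache` step into `.github/actions/setup-build-environment` (before the JFrog and settings.xml steps) would keep the restore-before-configure order in one place; this relies on the runner honoring post steps of actions used inside a composite action, which I believe current runners do but is worth confirming against the hardened runner image. At minimum a comment like `# cache must be restored before setup-build-environment writes settings.xml` on each copy records why the order matters.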
From: Mihai Mitrea Date: Tue, 7 Apr 2026 13:35:05 +0000 Subject: [PATCH 10/10] Preserve old check names for branch protection compatibility Use matrix include to map os strings to runner configs instead of restructuring the matrix with object values. This keeps the auto- generated check names (e.g. unit-tests (ubuntu-latest, 8)) matching what branch protection rules expect. --- .github/workflows/push.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index e5b35a049..990d885d5 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -44,17 +44,17 @@ jobs: strategy: fail-fast: false matrix: - os: - - name: linux + os: [macos-latest, ubuntu-latest] + java-version: [8, 11, 17, 20] # 20 is the latest version as of 2023 and 17 is the latest LTS + include: + - os: ubuntu-latest runner: group: databricks-protected-runner-group labels: linux-ubuntu-latest - - name: macos + - os: macos-latest runner: macos-latest - java-version: [8, 11, 17, 20] # 20 is the latest version as of 2023 and 17 is the latest LTS - name: "unit-tests (${{ matrix.os.name }}, java ${{ matrix.java-version }})" - runs-on: ${{ matrix.os.runner }} + runs-on: ${{ matrix.runner }} steps: - name: Checkout