ci: migrate to hardened runners, disable publish during freeze#353
Open
shivam2680 wants to merge 5 commits intomainfrom
Open
ci: migrate to hardened runners, disable publish during freeze#353shivam2680 wants to merge 5 commits intomainfrom
shivam2680 wants to merge 5 commits intomainfrom
Conversation
vikrantpuppala
approved these changes
Apr 6, 2026
Collaborator
|
You will need to configure remote npm repo access |
Switch all 7 workflow jobs from `ubuntu-latest` to the `databricks-protected-runner-group` hardened runner group per go/hardened-gha step 3. Disable the release publish job during the release freeze per go/hardened-gha step 7. The build job remains active for validation. A clear comment marks when and how to re-enable. Fix `.npmrc` from `package-lock=false` to `package-lock=true` so local dev keeps the lockfile in sync with `npm ci` in CI. Co-authored-by: Isaac
Hardened runners block direct access to public registries. Configure JFrog Artifactory as an npm proxy using OIDC token exchange per the remote registry access guidance. Added to all jobs that run `npm ci`: lint, unit-test, e2e-test (main.yml) and build (release.yml). The coverage job and dco-check workflow do not access npm and are left unchanged. Adds `id-token: write` permission for the OIDC token exchange. Co-authored-by: Isaac
Hardened runners may not have Node.js pre-installed (reported in #unblock-github-action-for-eng). Add explicit setup-node step to the lint and e2e-test jobs which run npm commands but previously relied on the runner having Node available. The unit-test and release build jobs already have setup-node. The coverage and dco-check jobs don't run npm commands and don't need it. Co-authored-by: Isaac
shivam2680
force-pushed
the
security/hardened-runners
branch
from
d067bad to
4528621
Compare
|
Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase ( |
|
Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase ( |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
main.ymlanddco-check.ymlfromubuntu-latesttodatabricks-protected-runner-grouphardened runners per go/hardened-gha step 3npm cinow authenticate via JFrog OIDC token exchange per the remote registry access guidancesetup-nodetolintande2e-testjobs — hardened runners may not have Node.js pre-installed (reported by Pieter in #unblock-github-action-for-eng)Related PRs: release workflow removed in #354, .npmrc fix in #355.
Context
This is part of the release freeze unblock process. The repo GitHub Actions are currently disabled at the org level. This PR addresses checklist steps 3 and 9 (registry access) to unblock CI re-enablement.
Known limitations
Test plan
This pull request was AI-assisted by Isaac.