From ad37a316629290b9e7798e8826fe040b409585ee Mon Sep 17 00:00:00 2001
From: Shivam Raj
Date: Mon, 6 Apr 2026 15:49:16 +0530
Subject: [PATCH 1/4] ci: migrate to hardened runners, disable publish during freeze
Switch all 7 workflow jobs from `ubuntu-latest` to the `databricks-protected-runner-group` hardened runner group per go/hardened-gha step 3. Disable the release publish job during the release freeze per go/hardened-gha step 7. The build job remains active for validation. A clear comment marks when and how to re-enable. Fix `.npmrc` from `package-lock=false` to `package-lock=true` so local dev keeps the lockfile in sync with `npm ci` in CI.
Co-authored-by: Isaac
---
 .github/workflows/dco-check.yml | 4 +++-
 .github/workflows/main.yml | 16 ++++++++++++----
 .npmrc | 2 +-
 3 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/dco-check.yml b/.github/workflows/dco-check.yml
index ba78e737..24b2d38e 100644
--- a/.github/workflows/dco-check.yml
+++ b/.github/workflows/dco-check.yml
@@ -8,7 +8,9 @@ permissions:
 jobs:
 check:
- runs-on: ubuntu-latest
+ runs-on:
+ group: databricks-protected-runner-group
+ labels: linux-ubuntu-latest
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 6e501703..597167f8 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -13,7 +13,9 @@ permissions:
 jobs:
 lint:
- runs-on: ubuntu-latest
+ runs-on:
+ group: databricks-protected-runner-group
+ labels: linux-ubuntu-latest
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Cache node modules
@@ -34,7 +36,9 @@ jobs:
 npm run lint
 unit-test:
- runs-on: ubuntu-latest
+ runs-on:
+ group: databricks-protected-runner-group
+ labels: linux-ubuntu-latest
 strategy:
 matrix:
 # only LTS versions starting from the lowest we support 
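Review bot: The commit message says the release publish job is disabled for the freeze and that all 7 workflow jobs move to the runner group, but the diffstat lists only dco-check.yml, main.yml and .npmrc, and the hunks touch five jobs (check, lint, unit-test, e2e-test, coverage) — release.yml is not in this patch. Either that change fell out of the series or the message is stale; it is worth reconciling before merge, because a reader of the log would otherwise assume publishing is already frozen. The dco-check hunk itself is fine: `group:` plus `labels:` under `runs-on:` is the form GitHub uses for runner groups, and the checkout step stays pinned to a commit SHA with a `# v4` comment.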
@@ -75,7 +79,9 @@ jobs:
 retention-days: 1
 e2e-test:
- runs-on: ubuntu-latest
+ runs-on:
+ group: databricks-protected-runner-group
+ labels: linux-ubuntu-latest
 environment: azure-prod
 env:
 E2E_HOST: ${{ secrets.DATABRICKS_HOST }}
@@ -113,7 +119,9 @@ jobs:
 coverage:
 needs: [unit-test, e2e-test]
- runs-on: ubuntu-latest
+ runs-on:
+ group: databricks-protected-runner-group
+ labels: linux-ubuntu-latest
 env:
 cache-name: cache-node-modules
diff --git a/.npmrc b/.npmrc
index 9cf94950..1e54ebc8 100644
--- a/.npmrc
+++ b/.npmrc
@@ -1 +1 @@
-package-lock=false
\ No newline at end of file
+package-lock=true
\ No newline at end of file
From 5a8c36702753f85695eed1bd04aaee9fb154378a Mon Sep 17 00:00:00 2001
From: Shivam Raj
Date: Mon, 6 Apr 2026 15:57:26 +0530
Subject: [PATCH 2/4] ci: add JFrog Artifactory proxy for npm registry access
Hardened runners block direct access to public registries. Configure JFrog Artifactory as an npm proxy using OIDC token exchange per the remote registry access guidance. Added to all jobs that run `npm ci`: lint, unit-test, e2e-test (main.yml) and build (release.yml). The coverage job and dco-check workflow do not access npm and are left unchanged. Adds `id-token: write` permission for the OIDC token exchange.
Co-authored-by: Isaac
---
 .github/workflows/main.yml | 82 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 597167f8..3cee2e89 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -10,6 +10,7 @@ on:
 permissions:
 contents: read
+ id-token: write
 jobs:
 lint: 
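Review bot: `id-token: write` is granted at the workflow level, so every job in main.yml can mint an OIDC token — including `coverage`, which the message says never touches npm — when only lint, unit-test and e2e-test exchange one. Keep `permissions: contents: read` at the top and add `permissions:` / `  contents: read` / `  id-token: write` under each of those three jobs instead; note that a job-level `permissions:` block replaces the workflow-level one, which is why `contents: read` has to be repeated there. If the `on:` block just above this hunk (not visible here) includes `pull_request` from forks, those runs get no OIDC token as far as I know, `ACTIONS_ID_TOKEN_REQUEST_URL` is unset, and the token step dies on `set -u` — presumably acceptable on a hardened setup, but a one-line comment next to the permission would save the next person the surprise. The message also says the build job in release.yml was covered, yet the diffstat shows only main.yml changed.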
@@ -18,6 +19,33 @@ jobs:
 labels: linux-ubuntu-latest
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - name: Get JFrog OIDC token
+ run: |
+ set -euo pipefail
+ ID_TOKEN=$(curl -sLS \
+ -H "User-Agent: actions/oidc-client" \
+ -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+ "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"')
+ echo "::add-mask::${ID_TOKEN}"
+ ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \
+ "https://databricks.jfrog.io/access/api/v1/oidc/token" \
+ -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq .access_token | tr -d '"')
+ echo "::add-mask::${ACCESS_TOKEN}"
+ if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
+ echo "FAIL: Could not extract JFrog access token"
+ exit 1
+ fi
+ echo "JFROG_ACCESS_TOKEN=${ACCESS_TOKEN}" >> "$GITHUB_ENV"
+ echo "JFrog OIDC token obtained successfully"
+ - name: Configure npm for JFrog
+ run: |
+ set -euo pipefail
+ cat > ~/.npmrc << EOF
+ registry=https://databricks.jfrog.io/artifactory/api/npm/db-npm/
+ //databricks.jfrog.io/artifactory/api/npm/db-npm/:_authToken=${JFROG_ACCESS_TOKEN}
+ always-auth=true
+ EOF
+ echo "npm configured to use JFrog registry"
 - name: Cache node modules
 uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 env: 
@@ -57,6 +85,33 @@ jobs:
 uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4
 with:
 python-version: '3.10'
+ - name: Get JFrog OIDC token
+ run: |
+ set -euo pipefail
+ ID_TOKEN=$(curl -sLS \
+ -H "User-Agent: actions/oidc-client" \
+ -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+ "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"')
+ echo "::add-mask::${ID_TOKEN}"
+ ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \
+ "https://databricks.jfrog.io/access/api/v1/oidc/token" \
+ -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq .access_token | tr -d '"')
+ echo "::add-mask::${ACCESS_TOKEN}"
+ if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
+ echo "FAIL: Could not extract JFrog access token"
+ exit 1
+ fi
+ echo "JFROG_ACCESS_TOKEN=${ACCESS_TOKEN}" >> "$GITHUB_ENV"
+ echo "JFrog OIDC token obtained successfully"
+ - name: Configure npm for JFrog
+ run: |
+ set -euo pipefail
+ cat > ~/.npmrc << EOF
+ registry=https://databricks.jfrog.io/artifactory/api/npm/db-npm/
+ //databricks.jfrog.io/artifactory/api/npm/db-npm/:_authToken=${JFROG_ACCESS_TOKEN}
+ always-auth=true
+ EOF
+ echo "npm configured to use JFrog registry"
 - name: Cache node modules
 uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with: 
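Review bot: `always-auth=true` in the generated `~/.npmrc` was dropped from npm in v7 and, as far as I recall, recent npm releases warn about it as an unknown config key — in a job whose matrix spans several Node (and therefore npm) versions that is at best a no-op and at worst a warning on every run; the `//databricks.jfrog.io/…/:_authToken=` line already scopes the credential to that registry, so the line can simply go. Separately, the commit message says hardened runners block the public registry, which means `npm ci` only works here if the lockfile's `resolved` URLs (presumably pointing at registry.npmjs.org) are rewritten to the configured registry — npm does that via `replace-registry-host`, but only in releases that have the option, so confirm it on the lowest Node in the matrix or regenerate the lockfile against the proxy. The rest of this hunk is a verbatim copy of the lint job's two steps, with the same `$GITHUB_ENV` export and unchecked `jq .value`.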
@@ -96,6 +151,33 @@ jobs:
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - name: Get JFrog OIDC token
+ run: |
+ set -euo pipefail
+ ID_TOKEN=$(curl -sLS \
+ -H "User-Agent: actions/oidc-client" \
+ -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+ "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"')
+ echo "::add-mask::${ID_TOKEN}"
+ ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \
+ "https://databricks.jfrog.io/access/api/v1/oidc/token" \
+ -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq .access_token | tr -d '"')
+ echo "::add-mask::${ACCESS_TOKEN}"
+ if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
+ echo "FAIL: Could not extract JFrog access token"
+ exit 1
+ fi
+ echo "JFROG_ACCESS_TOKEN=${ACCESS_TOKEN}" >> "$GITHUB_ENV"
+ echo "JFrog OIDC token obtained successfully"
+ - name: Configure npm for JFrog
+ run: |
+ set -euo pipefail
+ cat > ~/.npmrc << EOF
+ registry=https://databricks.jfrog.io/artifactory/api/npm/db-npm/
+ //databricks.jfrog.io/artifactory/api/npm/db-npm/:_authToken=${JFROG_ACCESS_TOKEN}
+ always-auth=true
+ EOF
+ echo "npm configured to use JFrog registry"
 - name: Cache node modules
 uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
From 4528621cf1c9d24dbdc19382041509af4864679e Mon Sep 17 00:00:00 2001 
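Review bot: The `Configure npm for JFrog` step leaves an Artifactory credential on disk in `~/.npmrc` and nothing in the job removes it; whether that matters depends on the `databricks-protected-runner-group` machines being ephemeral, which this patch does not show, so a trailing cleanup step is cheap insurance either way: `- name: Remove npm credentials` / `  if: always()` / `  run: rm -f ~/.npmrc` as the last step of the job. The same `cat > ~/.npmrc` also overwrites any user-level npm config the runner image ships with — presumably fine, but worth knowing before the first run on the new group. On style, this is the third verbatim copy of the same two steps in this workflow (lint and unit-test carry the other two); a composite action under `.github/actions/` would keep the Artifactory URL, `provider_name` and `audience` in one place so a change cannot drift between jobs. The e2e-test job's definition starts above this hunk.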
From: Shivam Raj
Date: Mon, 6 Apr 2026 16:05:24 +0530
Subject: [PATCH 3/4] ci: add setup-node to lint and e2e-test jobs
Hardened runners may not have Node.js pre-installed (reported in #unblock-github-action-for-eng). Add explicit setup-node step to the lint and e2e-test jobs which run npm commands but previously relied on the runner having Node available. The unit-test and release build jobs already have setup-node. The coverage and dco-check jobs don't run npm commands and don't need it.
Co-authored-by: Isaac
---
 .github/workflows/main.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 3cee2e89..b0c63e62 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -19,6 +19,9 @@ jobs:
 labels: linux-ubuntu-latest
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+ with:
+ node-version: 20
 - name: Get JFrog OIDC token
 run: |
 set -euo pipefail
@@ -151,6 +154,9 @@ jobs:
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+ with:
+ node-version: 20
 - name: Get JFrog OIDC token
 run: |
 set -euo pipefail
From ebb52d54f8d603ff4939796ce1c2165cb4e4fd53 Mon Sep 17 00:00:00 2001
From: Shivam Raj
Date: Mon, 6 Apr 2026 16:31:59 +0530
Subject: [PATCH 4/4] ci: revert .npmrc change (moved to separate PR)
Co-authored-by: Isaac
---
 .npmrc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.npmrc b/.npmrc
index 1e54ebc8..9cf94950 100644
--- a/.npmrc
+++ b/.npmrc
@@ -1 +1 @@
-package-lock=true
\ No newline at end of file
+package-lock=false
\ No newline at end of file
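Review bot: `node-version: 20` pins lint to one Node major while the unit-test matrix is described in patch 1 as running "only LTS versions starting from the lowest we support"; if that lower bound is below 20, lint runs on a newer toolchain than some supported targets and can accept syntax the oldest one rejects. Reading the version from a file with `node-version-file: .nvmrc` (or `package.json` when `engines` is set) keeps the jobs in sync — assuming such a file exists, which this patch does not show. Pinning setup-node to a commit SHA with the `# v4` comment matches the existing checkout step, which is good. The same three lines are added to the e2e-test job in the second hunk.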