Switch CI to hardened runners with JFrog OIDC authentication (#753)

mihaimitrea-db · github-actions[bot] · web-flow · commit 69918b1fa902 · 2026-04-08T12:29:18.000Z
## Summary Route Maven dependency resolution through JFrog Artifactory on hardened runners that block direct access to Maven Central. Authenticate via GitHub Actions OIDC (zero stored secrets). Modeled after the CLI ([#4875](databricks/cli#4875)), Go SDK ([#1609](databricks/databricks-sdk-go#1609)), and Python SDK ([#1379](databricks/databricks-sdk-py#1379)). ## What changed - **New composite action** (`.github/actions/setup-build-environment/action.yml`): Sets up JFrog CLI via OIDC, installs the JDK, and generates a `~/.m2/settings.xml` that mirrors all Maven repositories through JFrog (`db-maven`). Skipped on macOS (not hardened). - **`push.yml`**: Added workflow-level `id-token: write` permission for OIDC. Switched `fmt`, `unit-tests` (Linux), and `check-lock` jobs to `databricks-protected-runner-group`. macOS tests remain on public runners. Used matrix `include` to map OS strings to runner configs, preserving the original check names for branch protection compatibility. - **`Makefile`**: Added `fix-lockfile` target. - **`lockfile.json`**: Regenerated to pick up `commons-configuration2` 2.13.0 (was out of date since PR #743 bumped the POM without regenerating the lockfile). ## Why settings.xml is needed Hardened runners terminate SSL handshakes to `repo.maven.apache.org`. Unlike Go (`GOPROXY` env var) or Python (`UV_INDEX_URL`), Maven has no environment variable to redirect repository access. The standard mechanism is a `~/.m2/settings.xml` with a `<mirror>` entry that routes all repository requests through JFrog. ## The lockfile problem Maven's `lockfile.json` stores the full download URL in each dependency's `resolved` field. When Maven resolves through JFrog, these become `https://databricks.jfrog.io/artifactory/db-maven/...` instead of `https://repo.maven.apache.org/maven2/...`. If someone runs `make lock` while Maven is routed through JFrog (CI, VPN), the lockfile would contain proxy URLs that shouldn't be committed. ### make fix-lockfile Replaces JFrog proxy URLs with their public Maven Central equivalents in all `lockfile.json` files. Prevents proxy URLs from being accidentally committed. **When to use it**: Run `make fix-lockfile` before committing if you regenerated the lockfile while Maven was routing through JFrog. **CI enforcement**: The `fmt` job runs `make fix-lockfile` followed by `git diff --exit-code`, so any committed proxy URLs will fail CI. ## Cache ordering The Maven cache (`~/.m2/repository`) must be restored **before** the composite action runs. The composite action generates `~/.m2/settings.xml` with a fresh OIDC token. If the cache step runs after and restores `~/.m2` (including a stale `settings.xml` from a previous run), the expired token causes 401 errors. Caching only `~/.m2/repository` (not all of `~/.m2`) prevents this. ## Out of scope - **release.yml**: Publishes to Maven Central via Sonatype. Needs special publish runners per the migration guide. Separate follow-up with the security team. - **tagging.yml**: Generated from Universe (openapi/genkit/sync/workflows/tagging.yml). JFrog setup needs to be upstreamed to the genkit template. - **conftest.yml**: Only downloads conftest binary from GitHub Releases (not Maven). Can stay on ubuntu-latest. ## Test plan - [x] Verify mvn --errors spotless:check passes (fmt job) - [x] Verify mvn --errors test passes on Linux (Java 8, 11, 17, 20) - [x] Verify mvn --errors test passes on macOS (Java 8, 11, 17, 20) - [x] Verify make check-lock passes (lockfile validation) - [x] Verify conftest passes on the new workflow files - [x] Verify check names match branch protection rules NO_CHANGELOG=true --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
diff --git a/.github/actions/setup-build-environment/action.yml b/.github/actions/setup-build-environment/action.yml
@@ -0,0 +1,50 @@
+name: Setup build environment
+description: Set up JDK with JFrog Artifactory as Maven mirror for hardened runners
+
+inputs:
+  java-version:
+    description: "Java version to install"
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Setup JFrog CLI with OIDC
+      if: runner.os != 'macOS'
+      id: jfrog
+      uses: jfrog/setup-jfrog-cli@279b1f629f43dd5bc658d8361ac4802a7ef8d2d5 # v4.9.1
+      env:
+        JF_URL: https://databricks.jfrog.io
+      with:
+        oidc-provider-name: github-actions
+
+    - name: Set up JDK
+      uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4
+      with:
+        java-version: ${{ inputs.java-version }}
+
+    - name: Configure Maven for JFrog
+      if: runner.os != 'macOS'
+      shell: bash
+      run: |
+        mkdir -p ~/.m2
+        cat > ~/.m2/settings.xml << EOF
+        <settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
+                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                  xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd">
+          <mirrors>
+            <mirror>
+              <id>jfrog-maven</id>
+              <url>https://databricks.jfrog.io/artifactory/db-maven/</url>
+              <mirrorOf>*</mirrorOf>
+            </mirror>
+          </mirrors>
+          <servers>
+            <server>
+              <id>jfrog-maven</id>
+              <username>${{ steps.jfrog.outputs.oidc-user }}</username>
+              <password><![CDATA[${{ steps.jfrog.outputs.oidc-token }}]]></password>
+            </server>
+          </servers>
+        </settings>
+        EOF
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
@@ -6,66 +6,95 @@ on:
   merge_group:
     types: [checks_requested]
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   fmt:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Set up JDK 11
-        uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4
-        with:
-          java-version: 11
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
 
+    steps:
       - name: Checkout
         uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 
       - name: Cache Maven packages
         uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
-          path: ~/.m2
+          path: ~/.m2/repository
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
           restore-keys: ${{ runner.os }}-m2
 
+      - name: Setup build environment
+        uses: ./.github/actions/setup-build-environment
+        with:
+          java-version: 11
+
       - name: Check formatting
         run: mvn --errors spotless:check
 
+      - name: Check for JFrog proxy URLs in lockfiles
+        run: |
+          make fix-lockfile
+          git diff --exit-code -- '**/lockfile.json'
+
   unit-tests:
     strategy:
       fail-fast: false
       matrix:
         os: [macos-latest, ubuntu-latest]
         java-version: [8, 11, 17, 20] # 20 is the latest version as of 2023 and 17 is the latest LTS
+        include:
+          - os: ubuntu-latest
+            runner:
+              group: databricks-protected-runner-group
+              labels: linux-ubuntu-latest
+          - os: macos-latest
+            runner: macos-latest
 
-    runs-on: ${{ matrix.os }}
+    runs-on: ${{ matrix.runner }}
 
     steps:
-      - name: Set up JDK
-        uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4
-        with:
-          java-version: ${{ matrix.java-version }}
-
       - name: Checkout
         uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 
       - name: Cache Maven packages
         uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
-          path: ~/.m2
+          path: ~/.m2/repository
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
           restore-keys: ${{ runner.os }}-m2
 
+      - name: Setup build environment
+        uses: ./.github/actions/setup-build-environment
+        with:
+          java-version: ${{ matrix.java-version }}
+
       - name: Check Unit Tests
         run: mvn --errors test
 
   check-lock:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Set up JDK 11
-        uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4
-        with:
-          java-version: 11
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
 
+    steps:
       - name: Checkout
         uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 
+      - name: Cache Maven packages
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        with:
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2
+
+      - name: Setup build environment
+        uses: ./.github/actions/setup-build-environment
+        with:
+          java-version: 11
+
       - name: Validate lockfile
         run: make check-lock
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -9,30 +9,79 @@ on:
     branches:
       - "**"
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   publish:
     # Dynamically set the job name based on the trigger
     name: ${{ startsWith(github.ref, 'refs/tags/') && 'Publish Release' || 'Run Release Dry-Run' }}
 
     runs-on:
-      group: databricks-deco-testing-runner-group
-      labels: ubuntu-latest-deco
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
 
     steps:
       - name: Checkout
         uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 
+      - name: Cache Maven packages
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        with:
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2
+
+      - name: Setup JFrog CLI with OIDC
+        id: jfrog
+        uses: jfrog/setup-jfrog-cli@279b1f629f43dd5bc658d8361ac4802a7ef8d2d5 # v4.9.1
+        env:
+          JF_URL: https://databricks.jfrog.io
+        with:
+          oidc-provider-name: github-actions
+
       - name: Set up Java for publishing to Maven Central Repository
         uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3.14.1
         with:
           java-version: 8
-          server-id: central
           distribution: "adopt"
-          server-username: MAVEN_CENTRAL_USERNAME
-          server-password: MAVEN_CENTRAL_PASSWORD
           gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
           gpg-passphrase: GPG_PASSPHRASE
-          
+
+      - name: Configure Maven for JFrog and Maven Central
+        run: |
+          mkdir -p ~/.m2
+          cat > ~/.m2/settings.xml << EOF
+          <settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
+                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                    xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd">
+            <mirrors>
+              <mirror>
+                <id>jfrog-maven</id>
+                <url>https://databricks.jfrog.io/artifactory/db-maven/</url>
+                <mirrorOf>*</mirrorOf>
+              </mirror>
+            </mirrors>
+            <servers>
+              <server>
+                <id>jfrog-maven</id>
+                <username>${{ steps.jfrog.outputs.oidc-user }}</username>
+                <password><![CDATA[${{ steps.jfrog.outputs.oidc-token }}]]></password>
+              </server>
+              <server>
+                <id>central</id>
+                <username>${{ secrets.MAVEN_CENTRAL_USERNAME }}</username>
+                <password>${{ secrets.MAVEN_CENTRAL_PASSWORD }}</password>
+              </server>
+              <server>
+                <id>gpg.passphrase</id>
+                <passphrase>\${env.GPG_PASSPHRASE}</passphrase>
+              </server>
+            </servers>
+          </settings>
+          EOF
+
       # This step runs ONLY on branch pushes (dry-run)
       - name: Run Release Dry-Run (Verify)
         if: "!startsWith(github.ref, 'refs/tags/')"
@@ -71,4 +120,4 @@ jobs:
         uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
         with:
           files: databricks-sdk-java/target/*.jar
-          body_path: /tmp/release-notes/release-notes.md
+          body_path: /tmp/release-notes/release-notes.md
diff --git a/Makefile b/Makefile
@@ -10,3 +10,9 @@ lock:
 check-lock:
 	mvn io.github.chains-project:maven-lockfile:5.5.2:validate
 
+fix-lockfile:
+	@# Replace JFrog proxy URLs with public Maven Central equivalents in lockfiles.
+	@# Prevents proxy URLs from being accidentally committed.
+	find . -type f -name 'lockfile.json' \
+	  -exec sed -i 's|databricks\.jfrog\.io/artifactory/db-maven|repo.maven.apache.org/maven2|g' {} +
+
diff --git a/databricks-sdk-java/lockfile.json b/databricks-sdk-java/lockfile.json
@@ -735,68 +735,68 @@
     {
       "groupId": "org.apache.commons",
       "artifactId": "commons-configuration2",
-      "version": "2.11.0",
+      "version": "2.13.0",
       "checksumAlgorithm": "SHA-256",
-      "checksum": "48957fc3a0d9fbd221fe4f5ff6d0294ce6646ea139793c36706703da59402683",
+      "checksum": "7622799663317f95c81019b32b39e0c82e42b388f00abe6e5ab26489d90d9a6b",
       "scope": "compile",
-      "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-configuration2/2.11.0/commons-configuration2-2.11.0.jar",
-      "selectedVersion": "2.11.0",
+      "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-configuration2/2.13.0/commons-configuration2-2.13.0.jar",
+      "selectedVersion": "2.13.0",
       "included": true,
-      "id": "org.apache.commons:commons-configuration2:2.11.0",
+      "id": "org.apache.commons:commons-configuration2:2.13.0",
       "children": [
         {
           "groupId": "commons-logging",
           "artifactId": "commons-logging",
-          "version": "1.3.2",
+          "version": "1.3.5",
           "checksumAlgorithm": "SHA-256",
-          "checksum": "6b858424f518015f32bfcd1183a373f4a827d72d026b6031da0c91cf0e8f3489",
+          "checksum": "6d7a744e4027649fbb50895df9497d109f98c766a637062fe8d2eabbb3140ba4",
           "scope": "compile",
-          "resolved": "https://repo.maven.apache.org/maven2/commons-logging/commons-logging/1.3.2/commons-logging-1.3.2.jar",
-          "selectedVersion": "1.3.2",
+          "resolved": "https://repo.maven.apache.org/maven2/commons-logging/commons-logging/1.3.5/commons-logging-1.3.5.jar",
+          "selectedVersion": "1.3.5",
           "included": true,
-          "id": "commons-logging:commons-logging:1.3.2",
-          "parent": "org.apache.commons:commons-configuration2:2.11.0",
+          "id": "commons-logging:commons-logging:1.3.5",
+          "parent": "org.apache.commons:commons-configuration2:2.13.0",
           "children": []
         },
         {
           "groupId": "org.apache.commons",
           "artifactId": "commons-lang3",
-          "version": "3.14.0",
+          "version": "3.20.0",
           "checksumAlgorithm": "SHA-256",
-          "checksum": "7b96bf3ee68949abb5bc465559ac270e0551596fa34523fddf890ec418dde13c",
+          "checksum": "69e5c9fa35da7a51a5fd2099dfe56a2d8d32cf233e2f6d770e796146440263f4",
           "scope": "compile",
-          "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar",
-          "selectedVersion": "3.14.0",
+          "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-lang3/3.20.0/commons-lang3-3.20.0.jar",
+          "selectedVersion": "3.20.0",
           "included": true,
-          "id": "org.apache.commons:commons-lang3:3.14.0",
-          "parent": "org.apache.commons:commons-configuration2:2.11.0",
+          "id": "org.apache.commons:commons-lang3:3.20.0",
+          "parent": "org.apache.commons:commons-configuration2:2.13.0",
           "children": []
         },
         {
           "groupId": "org.apache.commons",
           "artifactId": "commons-text",
-          "version": "1.12.0",
+          "version": "1.14.0",
           "checksumAlgorithm": "SHA-256",
-          "checksum": "de023257ff166044a56bd1aa9124e843cd05dac5806cc705a9311f3556d5a15f",
+          "checksum": "121fce2282910c8f0c3ba793a5436b31beb710423cbe2d574a3fb7a73c508e92",
           "scope": "compile",
-          "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-text/1.12.0/commons-text-1.12.0.jar",
-          "selectedVersion": "1.12.0",
+          "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-text/1.14.0/commons-text-1.14.0.jar",
+          "selectedVersion": "1.14.0",
           "included": true,
-          "id": "org.apache.commons:commons-text:1.12.0",
-          "parent": "org.apache.commons:commons-configuration2:2.11.0",
+          "id": "org.apache.commons:commons-text:1.14.0",
+          "parent": "org.apache.commons:commons-configuration2:2.13.0",
           "children": [
             {
               "groupId": "org.apache.commons",
               "artifactId": "commons-lang3",
-              "version": "3.14.0",
+              "version": "3.18.0",
               "checksumAlgorithm": "SHA-256",
-              "checksum": "7b96bf3ee68949abb5bc465559ac270e0551596fa34523fddf890ec418dde13c",
+              "checksum": "4eeeae8d20c078abb64b015ec158add383ac581571cddc45c68f0c9ae0230720",
               "scope": "compile",
-              "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar",
-              "selectedVersion": "3.14.0",
+              "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-lang3/3.18.0/commons-lang3-3.18.0.jar",
+              "selectedVersion": "3.20.0",
               "included": false,
-              "id": "org.apache.commons:commons-lang3:3.14.0",
-              "parent": "org.apache.commons:commons-text:1.12.0",
+              "id": "org.apache.commons:commons-lang3:3.18.0",
+              "parent": "org.apache.commons:commons-text:1.14.0",
               "children": []
             }
           ]
@@ -837,7 +837,7 @@
           "checksum": "daddea1ea0be0f56978ab3006b8ac92834afeefbd9b7e4e6316fca57df0fa636",
           "scope": "compile",
           "resolved": "https://repo.maven.apache.org/maven2/commons-logging/commons-logging/1.2/commons-logging-1.2.jar",
-          "selectedVersion": "1.3.2",
+          "selectedVersion": "1.3.5",
           "included": false,
           "id": "commons-logging:commons-logging:1.2",
           "parent": "org.apache.httpcomponents:httpclient:4.5.14",
@@ -1274,7 +1274,7 @@
   "metaData": {
     "environment": {
       "osName": "Linux",
-      "mavenVersion": "3.9.9",
+      "mavenVersion": "3.9.14",
       "javaVersion": "11.0.30"
     },
     "config": {
