diff --git a/.github/actions/setup-build-environment/action.yml b/.github/actions/setup-build-environment/action.yml
new file mode 100644
index 000000000..e402edb8f
--- /dev/null
+++ b/.github/actions/setup-build-environment/action.yml
@@ -0,0 +1,50 @@
+name: Setup build environment
+description: Set up JDK with JFrog Artifactory as Maven mirror for hardened runners
+
+inputs:
+ java-version:
+ description: "Java version to install"
+ required: true
+
+runs:
+ using: composite
+ steps:
+ - name: Setup JFrog CLI with OIDC
+ if: runner.os != 'macOS'
+ id: jfrog
+ uses: jfrog/setup-jfrog-cli@279b1f629f43dd5bc658d8361ac4802a7ef8d2d5 # v4.9.1
+ env:
+ JF_URL: https://databricks.jfrog.io
+ with:
+ oidc-provider-name: github-actions
+
+ - name: Set up JDK
+ uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4
+ with:
+ java-version: ${{ inputs.java-version }}
+
+ - name: Configure Maven for JFrog
+ if: runner.os != 'macOS'
+ shell: bash
+ run: |
+ mkdir -p ~/.m2
+ cat > ~/.m2/settings.xml << EOF
+
+
+
+ jfrog-maven
+ https://databricks.jfrog.io/artifactory/db-maven/
+ *
+
+
+
+
+ jfrog-maven
+ ${{ steps.jfrog.outputs.oidc-user }}
+
+
+
+
+ EOF
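Review bot: In the `Configure Maven for JFrog` step, `${{ steps.jfrog.outputs.oidc-user }}` is pasted into the script text before bash runs, and the heredoc delimiter `EOF` is unquoted, so any `$`, backtick or backslash in the value is interpreted by the shell instead of being written literally. Passing it through the step's `env:` (`JFROG_USER: ${{ steps.jfrog.outputs.oidc-user }}`) and writing `${JFROG_USER}` inside the heredoc keeps the value as data. The same applies to the access token if it sits on one of the lines whose XML markup is not visible on this page. Because the file holds a live credential, adding `umask 077` before the `cat` (or `chmod 600 ~/.m2/settings.xml` after it) would also be worthwhile.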
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 4f5308562..990d885d5 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -6,66 +6,95 @@ on:
merge_group:
types: [checks_requested]
+permissions:
+ id-token: write
+ contents: read
+
jobs:
fmt:
- runs-on: ubuntu-latest
- steps:
- - name: Set up JDK 11
- uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4
- with:
- java-version: 11
+ runs-on:
+ group: databricks-protected-runner-group
+ labels: linux-ubuntu-latest
+ steps:
- name: Checkout
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
- name: Cache Maven packages
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
- path: ~/.m2
+ path: ~/.m2/repository
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-m2
+ - name: Setup build environment
+ uses: ./.github/actions/setup-build-environment
+ with:
+ java-version: 11
+
- name: Check formatting
run: mvn --errors spotless:check
+ - name: Check for JFrog proxy URLs in lockfiles
+ run: |
+ make fix-lockfile
+ git diff --exit-code -- '**/lockfile.json'
+
unit-tests:
strategy:
fail-fast: false
matrix:
os: [macos-latest, ubuntu-latest]
java-version: [8, 11, 17, 20] # 20 is the latest version as of 2023 and 17 is the latest LTS
+ include:
+ - os: ubuntu-latest
+ runner:
+ group: databricks-protected-runner-group
+ labels: linux-ubuntu-latest
+ - os: macos-latest
+ runner: macos-latest
- runs-on: ${{ matrix.os }}
+ runs-on: ${{ matrix.runner }}
steps:
- - name: Set up JDK
- uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4
- with:
- java-version: ${{ matrix.java-version }}
-
- name: Checkout
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
- name: Cache Maven packages
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
- path: ~/.m2
+ path: ~/.m2/repository
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-m2
+ - name: Setup build environment
+ uses: ./.github/actions/setup-build-environment
+ with:
+ java-version: ${{ matrix.java-version }}
+
- name: Check Unit Tests
run: mvn --errors test
check-lock:
- runs-on: ubuntu-latest
- steps:
- - name: Set up JDK 11
- uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4
- with:
- java-version: 11
+ runs-on:
+ group: databricks-protected-runner-group
+ labels: linux-ubuntu-latest
+ steps:
- name: Checkout
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
+ - name: Cache Maven packages
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+ with:
+ path: ~/.m2/repository
+ key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+ restore-keys: ${{ runner.os }}-m2
+
+ - name: Setup build environment
+ uses: ./.github/actions/setup-build-environment
+ with:
+ java-version: 11
+
- name: Validate lockfile
run: make check-lock
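Review bot: The workflow-level `permissions:` block grants `id-token: write` to every job, including the `macos-latest` legs of `unit-tests`, where the composite action skips the JFrog OIDC step (`if: runner.os != 'macOS'`) and never needs the token. Those legs map to `runner: macos-latest` rather than `databricks-protected-runner-group`, so the ability to mint an OIDC token there is exposure with no benefit. Consider leaving only `contents: read` at the top level and setting `permissions: { id-token: write, contents: read }` on `fmt`, `check-lock` and the Linux test legs, which would mean splitting the macOS legs into their own job. A short comment above the block saying that `id-token: write` exists for the JFrog OIDC exchange would also help the next reader.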
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6cad41bf7..3d6f06d42 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,30 +9,79 @@ on:
branches:
- "**"
+permissions:
+ id-token: write
+ contents: read
+
jobs:
publish:
# Dynamically set the job name based on the trigger
name: ${{ startsWith(github.ref, 'refs/tags/') && 'Publish Release' || 'Run Release Dry-Run' }}
runs-on:
- group: databricks-deco-testing-runner-group
- labels: ubuntu-latest-deco
+ group: databricks-protected-runner-group
+ labels: linux-ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
+ - name: Cache Maven packages
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+ with:
+ path: ~/.m2/repository
+ key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+ restore-keys: ${{ runner.os }}-m2
+
+ - name: Setup JFrog CLI with OIDC
+ id: jfrog
+ uses: jfrog/setup-jfrog-cli@279b1f629f43dd5bc658d8361ac4802a7ef8d2d5 # v4.9.1
+ env:
+ JF_URL: https://databricks.jfrog.io
+ with:
+ oidc-provider-name: github-actions
+
- name: Set up Java for publishing to Maven Central Repository
uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3.14.1
with:
java-version: 8
- server-id: central
distribution: "adopt"
- server-username: MAVEN_CENTRAL_USERNAME
- server-password: MAVEN_CENTRAL_PASSWORD
gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
gpg-passphrase: GPG_PASSPHRASE
-
+
+ - name: Configure Maven for JFrog and Maven Central
+ run: |
+ mkdir -p ~/.m2
+ cat > ~/.m2/settings.xml << EOF
+
+
+
+ jfrog-maven
+ https://databricks.jfrog.io/artifactory/db-maven/
+ *
+
+
+
+
+ jfrog-maven
+ ${{ steps.jfrog.outputs.oidc-user }}
+
+
+
+ central
+ ${{ secrets.MAVEN_CENTRAL_USERNAME }}
+ ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
+
+
+ gpg.passphrase
+ \${env.GPG_PASSPHRASE}
+
+
+
+ EOF
+
# This step runs ONLY on branch pushes (dry-run)
- name: Run Release Dry-Run (Verify)
if: "!startsWith(github.ref, 'refs/tags/')"
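Review bot: The new `Configure Maven for JFrog and Maven Central` step writes `${{ secrets.MAVEN_CENTRAL_USERNAME }}` and `${{ secrets.MAVEN_CENTRAL_PASSWORD }}` literally into `~/.m2/settings.xml` through an unquoted heredoc, whereas the removed `server-username`/`server-password` inputs only named environment variables. A password containing `$`, a backtick, `&` or `<` would be altered by the shell or break the XML, and the secret now sits in plain text on the runner's disk. The `gpg.passphrase` entry in the same heredoc already shows the safer form, so the `central` server could use `\${env.MAVEN_CENTRAL_USERNAME}` and `\${env.MAVEN_CENTRAL_PASSWORD}`, assuming the later Maven steps, which are outside this hunk, still export those variables. Separately, the workflow-level `contents: read` may stop the `softprops/action-gh-release` step from creating the release, unless the job overrides permissions or passes another token; neither is visible here.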
@@ -71,4 +120,4 @@ jobs:
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
with:
files: databricks-sdk-java/target/*.jar
- body_path: /tmp/release-notes/release-notes.md
\ No newline at end of file
+ body_path: /tmp/release-notes/release-notes.md
diff --git a/Makefile b/Makefile
index 8f059a447..811dd0577 100644
--- a/Makefile
+++ b/Makefile
@@ -10,3 +10,9 @@ lock:
check-lock:
mvn io.github.chains-project:maven-lockfile:5.5.2:validate
+fix-lockfile:
+ @# Replace JFrog proxy URLs with public Maven Central equivalents in lockfiles.
+ @# Prevents proxy URLs from being accidentally committed.
+ find . -type f -name 'lockfile.json' \
+ -exec sed -i 's|databricks\.jfrog\.io/artifactory/db-maven|repo.maven.apache.org/maven2|g' {} +
+
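Review bot: `sed -i 's|…|…|g'` with no backup suffix is GNU syntax; BSD sed on macOS takes the next argument as the suffix, so `make fix-lockfile` would fail or misbehave for a developer running it locally on a Mac. A portable form is `-exec sed -i.bak 's|databricks\.jfrog\.io/artifactory/db-maven|repo.maven.apache.org/maven2|g' {} +` followed by `find . -type f -name 'lockfile.json.bak' -delete`. The target should also be listed under `.PHONY` if the Makefile declares one for `lock` and `check-lock`; that part of the file is outside the hunk. The comment could add that the rewrite assumes every artifact served by `db-maven` lives at the same path on Maven Central, with the recorded checksums as the backstop if that ever stops being true.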
diff --git a/databricks-sdk-java/lockfile.json b/databricks-sdk-java/lockfile.json
index 8ba1d918d..9c8761a2a 100644
--- a/databricks-sdk-java/lockfile.json
+++ b/databricks-sdk-java/lockfile.json
@@ -735,68 +735,68 @@
{
"groupId": "org.apache.commons",
"artifactId": "commons-configuration2",
- "version": "2.11.0",
+ "version": "2.13.0",
"checksumAlgorithm": "SHA-256",
- "checksum": "48957fc3a0d9fbd221fe4f5ff6d0294ce6646ea139793c36706703da59402683",
+ "checksum": "7622799663317f95c81019b32b39e0c82e42b388f00abe6e5ab26489d90d9a6b",
"scope": "compile",
- "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-configuration2/2.11.0/commons-configuration2-2.11.0.jar",
- "selectedVersion": "2.11.0",
+ "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-configuration2/2.13.0/commons-configuration2-2.13.0.jar",
+ "selectedVersion": "2.13.0",
"included": true,
- "id": "org.apache.commons:commons-configuration2:2.11.0",
+ "id": "org.apache.commons:commons-configuration2:2.13.0",
"children": [
{
"groupId": "commons-logging",
"artifactId": "commons-logging",
- "version": "1.3.2",
+ "version": "1.3.5",
"checksumAlgorithm": "SHA-256",
- "checksum": "6b858424f518015f32bfcd1183a373f4a827d72d026b6031da0c91cf0e8f3489",
+ "checksum": "6d7a744e4027649fbb50895df9497d109f98c766a637062fe8d2eabbb3140ba4",
"scope": "compile",
- "resolved": "https://repo.maven.apache.org/maven2/commons-logging/commons-logging/1.3.2/commons-logging-1.3.2.jar",
- "selectedVersion": "1.3.2",
+ "resolved": "https://repo.maven.apache.org/maven2/commons-logging/commons-logging/1.3.5/commons-logging-1.3.5.jar",
+ "selectedVersion": "1.3.5",
"included": true,
- "id": "commons-logging:commons-logging:1.3.2",
- "parent": "org.apache.commons:commons-configuration2:2.11.0",
+ "id": "commons-logging:commons-logging:1.3.5",
+ "parent": "org.apache.commons:commons-configuration2:2.13.0",
"children": []
},
{
"groupId": "org.apache.commons",
"artifactId": "commons-lang3",
- "version": "3.14.0",
+ "version": "3.20.0",
"checksumAlgorithm": "SHA-256",
- "checksum": "7b96bf3ee68949abb5bc465559ac270e0551596fa34523fddf890ec418dde13c",
+ "checksum": "69e5c9fa35da7a51a5fd2099dfe56a2d8d32cf233e2f6d770e796146440263f4",
"scope": "compile",
- "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar",
- "selectedVersion": "3.14.0",
+ "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-lang3/3.20.0/commons-lang3-3.20.0.jar",
+ "selectedVersion": "3.20.0",
"included": true,
- "id": "org.apache.commons:commons-lang3:3.14.0",
- "parent": "org.apache.commons:commons-configuration2:2.11.0",
+ "id": "org.apache.commons:commons-lang3:3.20.0",
+ "parent": "org.apache.commons:commons-configuration2:2.13.0",
"children": []
},
{
"groupId": "org.apache.commons",
"artifactId": "commons-text",
- "version": "1.12.0",
+ "version": "1.14.0",
"checksumAlgorithm": "SHA-256",
- "checksum": "de023257ff166044a56bd1aa9124e843cd05dac5806cc705a9311f3556d5a15f",
+ "checksum": "121fce2282910c8f0c3ba793a5436b31beb710423cbe2d574a3fb7a73c508e92",
"scope": "compile",
- "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-text/1.12.0/commons-text-1.12.0.jar",
- "selectedVersion": "1.12.0",
+ "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-text/1.14.0/commons-text-1.14.0.jar",
+ "selectedVersion": "1.14.0",
"included": true,
- "id": "org.apache.commons:commons-text:1.12.0",
- "parent": "org.apache.commons:commons-configuration2:2.11.0",
+ "id": "org.apache.commons:commons-text:1.14.0",
+ "parent": "org.apache.commons:commons-configuration2:2.13.0",
"children": [
{
"groupId": "org.apache.commons",
"artifactId": "commons-lang3",
- "version": "3.14.0",
+ "version": "3.18.0",
"checksumAlgorithm": "SHA-256",
- "checksum": "7b96bf3ee68949abb5bc465559ac270e0551596fa34523fddf890ec418dde13c",
+ "checksum": "4eeeae8d20c078abb64b015ec158add383ac581571cddc45c68f0c9ae0230720",
"scope": "compile",
- "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar",
- "selectedVersion": "3.14.0",
+ "resolved": "https://repo.maven.apache.org/maven2/org/apache/commons/commons-lang3/3.18.0/commons-lang3-3.18.0.jar",
+ "selectedVersion": "3.20.0",
"included": false,
- "id": "org.apache.commons:commons-lang3:3.14.0",
- "parent": "org.apache.commons:commons-text:1.12.0",
+ "id": "org.apache.commons:commons-lang3:3.18.0",
+ "parent": "org.apache.commons:commons-text:1.14.0",
"children": []
}
]
@@ -837,7 +837,7 @@
"checksum": "daddea1ea0be0f56978ab3006b8ac92834afeefbd9b7e4e6316fca57df0fa636",
"scope": "compile",
"resolved": "https://repo.maven.apache.org/maven2/commons-logging/commons-logging/1.2/commons-logging-1.2.jar",
- "selectedVersion": "1.3.2",
+ "selectedVersion": "1.3.5",
"included": false,
"id": "commons-logging:commons-logging:1.2",
"parent": "org.apache.httpcomponents:httpclient:4.5.14",
@@ -1274,7 +1274,7 @@
"metaData": {
"environment": {
"osName": "Linux",
- "mavenVersion": "3.9.9",
+ "mavenVersion": "3.9.14",
"javaVersion": "11.0.30"
},
"config": {