diff --git a/.github/actions/setup-build/action.yml b/.github/actions/setup-build/action.yml index 6ba5e17f..e16f0629 100644 --- a/.github/actions/setup-build/action.yml +++ b/.github/actions/setup-build/action.yml @@ -35,3 +35,9 @@ runs: - name: Cache Coursier cache if: inputs.coursier-cache == 'true' uses: coursier/cache-action@90c37294538be80a558fd665531fcdc2b467b475 # 8.1.0 + - name: Get JFrog OIDC token + shell: bash + run: .github/scripts/get-jfrog-token.sh + - name: Fix Mill Bootstrap Script + shell: bash + run: .github/scripts/fix-build-config.sh diff --git a/.github/scripts/fix-build-config.sh b/.github/scripts/fix-build-config.sh new file mode 100755 index 00000000..fdbd27bc --- /dev/null +++ b/.github/scripts/fix-build-config.sh @@ -0,0 +1,45 @@ +#!/usr/bin/env bash +set -euo pipefail + +JFROG_HOSTNAME="databricks.jfrog.io" +JFROG_REALM="Artifactory Realm" +JFROG_USERNAME="gha-service-account" +JFROG_URL="https://${JFROG_HOSTNAME}/artifactory/db-maven/" + +# Configure sbt repositories +mkdir -p ~/.sbt +cat > ~/.sbt/repositories << EOF +[repositories] + local + databricks-jfrog: ${JFROG_URL} +EOF + +# Configure sbt credentials +cat > ~/.sbt/.credentials << EOF +realm=${JFROG_REALM} +host=${JFROG_HOSTNAME} +user=${JFROG_USERNAME} +password=${JFROG_ACCESS_TOKEN} +EOF + +# Configure global.sbt to load credentials +mkdir -p ~/.sbt/1.0 +cat > ~/.sbt/1.0/global.sbt << 'EOF' +def sbtCredentialsFile = file(sys.props("user.home")) / ".sbt" / ".credentials" +credentials ++= { + if (sbtCredentialsFile.exists()) List(Credentials(sbtCredentialsFile)) + else Nil +} +EOF + + +mkdir -p ~/.config/coursier +{ + echo "jfrog.host=${JFROG_HOSTNAME}" + echo "jfrog.realm=${JFROG_REALM}" + echo "jfrog.username=${JFROG_USERNAME}" + echo "jfrog.password=${JFROG_ACCESS_TOKEN}" +} > ~/.config/coursier/credentials.properties + +echo "COURSIER_REPOSITORIES=${JFROG_URL}" >> "$GITHUB_ENV" +sed -i "s|https://repo1.maven.org/maven2|https://${JFROG_USERNAME}:${JFROG_ACCESS_TOKEN}@${JFROG_URL:8}|g" ./mill diff --git a/.github/scripts/get-jfrog-token.sh b/.github/scripts/get-jfrog-token.sh new file mode 100755 index 00000000..1a222a47 --- /dev/null +++ b/.github/scripts/get-jfrog-token.sh @@ -0,0 +1,27 @@ +#!/usr/bin/env bash +set -euo pipefail + +# Exchange a GitHub Actions OIDC token for a JFrog access token and +# write JFROG_ACCESS_TOKEN to $GITHUB_ENV so subsequent steps can use it. + +# Get GitHub OIDC ID token +ID_TOKEN=$(curl -sLS \ + -H "User-Agent: actions/oidc-client" \ + -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \ + "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"') +echo "::add-mask::${ID_TOKEN}" + +# Exchange for JFrog access token (note: id_token with underscore, not hyphen) +ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \ + "https://databricks.jfrog.io/access/api/v1/oidc/token" \ + -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq .access_token | tr -d '"') +echo "::add-mask::${ACCESS_TOKEN}" + +if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then + echo "FAIL: Could not extract JFrog access token" + exit 1 +fi + +echo "JFROG_ACCESS_TOKEN=${ACCESS_TOKEN}" >> "$GITHUB_ENV" + +echo "JFrog OIDC token obtained successfully" diff --git a/.github/workflows/pr-build.yaml b/.github/workflows/pr-build.yaml index b8c8f251..c27fc221 100644 --- a/.github/workflows/pr-build.yaml +++ b/.github/workflows/pr-build.yaml @@ -4,11 +4,16 @@ on: pull_request: branches: [ master ] -permissions: {} +permissions: + contents: read + id-token: write jobs: build-jvm: - runs-on: linux-ubuntu-latest-hardened + runs-on: + group: databricks-protected-runner-group + labels: linux-ubuntu-latest + timeout-minutes: 20 name: Sjsonnet jvm build steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -19,13 +24,14 @@ jobs: - name: Check Formatting run: ./mill "_.jvm[_].__.checkFormat" - name: Run mill tests - timeout-minutes: 15 run: ./mill "_.jvm[_].__.test" - name: Run sbt tests - timeout-minutes: 15 run: sbt test build-graal: - runs-on: linux-ubuntu-latest-hardened + runs-on: + group: databricks-protected-runner-group + labels: linux-ubuntu-latest + timeout-minutes: 20 name: Sjsonnet Graal Native build steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -33,14 +39,16 @@ jobs: with: coursier-cache: 'true' - name: Run Native Image Test Suites - timeout-minutes: 15 run: sjsonnet/test/graalvm/run_test_suites.py build-other: - runs-on: linux-ubuntu-latest-hardened + runs-on: + group: databricks-protected-runner-group + labels: linux-ubuntu-latest + timeout-minutes: 20 strategy: fail-fast: false matrix: - lang: ['js', 'wasm', 'native'] + lang: ['js', 'wasm'] name: Sjsonnet ${{ matrix.lang }} build steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -52,5 +60,4 @@ jobs: - name: Check Formatting run: ./mill _.${{ matrix.lang }}[_].__.checkFormat - name: Run mill tests for ${{ matrix.lang }} - timeout-minutes: 15 run: ./mill _.${{ matrix.lang }}[_].__.test diff --git a/build.mill b/build.mill index 742cd764..7c58bf14 100644 --- a/build.mill +++ b/build.mill @@ -1,4 +1,4 @@ -//| mill-version: 1.1.2 +//| mill-version: 1.1.5 //| mill-jvm-version: zulu:21 //| mvnDeps: //| - com.lihaoyi::mill-contrib-jmh:$MILL_VERSION @@ -53,7 +53,7 @@ trait SjsonnetCrossModule extends CrossScalaModule with ScalafmtModule { def mvnDeps = Seq( mvn"com.lihaoyi::fastparse::3.1.1", mvn"com.lihaoyi::pprint::0.9.6", - mvn"com.lihaoyi::ujson::4.4.2", + mvn"com.lihaoyi::ujson::4.4.3", mvn"com.lihaoyi::scalatags::0.13.1", mvn"org.scala-lang.modules::scala-collection-compat::2.14.0" )