databricks · stephenamar-db · Apr 7, 2026 · Apr 7, 2026
diff --git a/.github/actions/setup-build/action.yml b/.github/actions/setup-build/action.yml
@@ -35,3 +35,9 @@ runs:
     - name: Cache Coursier cache
       if: inputs.coursier-cache == 'true'
       uses: coursier/cache-action@90c37294538be80a558fd665531fcdc2b467b475 # 8.1.0
+    - name: Get JFrog OIDC token
+      shell: bash
+      run: .github/scripts/get-jfrog-token.sh
+    - name: Fix Mill Bootstrap Script
+      shell: bash
+      run: .github/scripts/fix-build-config.sh
diff --git a/.github/scripts/fix-build-config.sh b/.github/scripts/fix-build-config.sh
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+JFROG_HOSTNAME="databricks.jfrog.io"
+JFROG_REALM="Artifactory Realm"
+JFROG_USERNAME="gha-service-account"
+JFROG_URL="https://${JFROG_HOSTNAME}/artifactory/db-maven/"
+
+# Configure sbt repositories
+mkdir -p ~/.sbt
+cat > ~/.sbt/repositories << EOF
+[repositories]
+  local
+  databricks-jfrog: ${JFROG_URL}
+EOF
+
+# Configure sbt credentials
+cat > ~/.sbt/.credentials << EOF
+realm=${JFROG_REALM}
+host=${JFROG_HOSTNAME}
+user=${JFROG_USERNAME}
+password=${JFROG_ACCESS_TOKEN}
+EOF
+
+# Configure global.sbt to load credentials
+mkdir -p ~/.sbt/1.0
+cat > ~/.sbt/1.0/global.sbt << 'EOF'
+def sbtCredentialsFile = file(sys.props("user.home")) / ".sbt" / ".credentials"
+credentials ++= {
+  if (sbtCredentialsFile.exists()) List(Credentials(sbtCredentialsFile))
+  else Nil
+}
+EOF
+
+
+mkdir -p ~/.config/coursier
+{
+  echo "jfrog.host=${JFROG_HOSTNAME}"
+  echo "jfrog.realm=${JFROG_REALM}"
+  echo "jfrog.username=${JFROG_USERNAME}"
+  echo "jfrog.password=${JFROG_ACCESS_TOKEN}"
+} > ~/.config/coursier/credentials.properties
+
+echo "COURSIER_REPOSITORIES=${JFROG_URL}" >> "$GITHUB_ENV"
+sed -i "s|https://repo1.maven.org/maven2|https://${JFROG_USERNAME}:${JFROG_ACCESS_TOKEN}@${JFROG_URL:8}|g" ./mill
diff --git a/.github/scripts/get-jfrog-token.sh b/.github/scripts/get-jfrog-token.sh
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Exchange a GitHub Actions OIDC token for a JFrog access token and
+# write JFROG_ACCESS_TOKEN to $GITHUB_ENV so subsequent steps can use it.
+
+# Get GitHub OIDC ID token
+ID_TOKEN=$(curl -sLS \
+  -H "User-Agent: actions/oidc-client" \
+  -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+  "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"')
+echo "::add-mask::${ID_TOKEN}"
+
+# Exchange for JFrog access token (note: id_token with underscore, not hyphen)
+ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \
+  "https://databricks.jfrog.io/access/api/v1/oidc/token" \
+  -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq .access_token | tr -d '"')
+echo "::add-mask::${ACCESS_TOKEN}"
+
+if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
+  echo "FAIL: Could not extract JFrog access token"
+  exit 1
+fi
+
+echo "JFROG_ACCESS_TOKEN=${ACCESS_TOKEN}" >> "$GITHUB_ENV"
+
+echo "JFrog OIDC token obtained successfully"
diff --git a/.github/workflows/pr-build.yaml b/.github/workflows/pr-build.yaml
@@ -4,11 +4,16 @@ on:
   pull_request:
     branches: [ master ]
 
-permissions: {}
+permissions:
+  contents: read
+  id-token: write
 
 jobs:
   build-jvm:
-    runs-on: linux-ubuntu-latest-hardened
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
+    timeout-minutes: 20
     name: Sjsonnet jvm build
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
@@ -19,28 +24,31 @@ jobs:
       - name: Check Formatting
         run: ./mill "_.jvm[_].__.checkFormat"
       - name: Run mill tests
-        timeout-minutes: 15
         run: ./mill "_.jvm[_].__.test"
       - name: Run sbt tests
-        timeout-minutes: 15
         run: sbt test
   build-graal:
-    runs-on: linux-ubuntu-latest-hardened
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
+    timeout-minutes: 20
     name: Sjsonnet Graal Native build
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
       - uses: ./.github/actions/setup-build
         with:
           coursier-cache: 'true'
       - name: Run Native Image Test Suites
-        timeout-minutes: 15
         run: sjsonnet/test/graalvm/run_test_suites.py
   build-other:
-    runs-on: linux-ubuntu-latest-hardened
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
+    timeout-minutes: 20
     strategy:
       fail-fast: false
       matrix:
-        lang: ['js', 'wasm', 'native']
+        lang: ['js', 'wasm']
     name: Sjsonnet ${{ matrix.lang }} build
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
@@ -52,5 +60,4 @@ jobs:
       - name: Check Formatting
         run: ./mill _.${{ matrix.lang }}[_].__.checkFormat
       - name: Run mill tests for ${{ matrix.lang }}
-        timeout-minutes: 15
         run: ./mill _.${{ matrix.lang }}[_].__.test
diff --git a/build.mill b/build.mill
@@ -1,4 +1,4 @@
-//| mill-version: 1.1.2
+//| mill-version: 1.1.5
 //| mill-jvm-version: zulu:21
 //| mvnDeps:
 //| - com.lihaoyi::mill-contrib-jmh:$MILL_VERSION
@@ -53,7 +53,7 @@ trait SjsonnetCrossModule extends CrossScalaModule with ScalafmtModule {
   def mvnDeps = Seq(
     mvn"com.lihaoyi::fastparse::3.1.1",
     mvn"com.lihaoyi::pprint::0.9.6",
-    mvn"com.lihaoyi::ujson::4.4.2",
+    mvn"com.lihaoyi::ujson::4.4.3",
     mvn"com.lihaoyi::scalatags::0.13.1",
     mvn"org.scala-lang.modules::scala-collection-compat::2.14.0"
   )