Security hardening: migrate CI to hardened runners + JFrog proxy (Pha… #5183
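# CI for the VS Code extension: builds the packages and produces a VSIX on
# every push to main and every pull request targeting main.
name: VSCode Extensions CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  package:
    name: Package Arm64 VSIX
    runs-on:
      group: databricks-protected-runner-group
      labels: linux-ubuntu-latest

    # Job-scoped token permissions. id-token: write lets the job request a
    # GitHub OIDC token (used by the JFrog step below); contents: read is all
    # the checkout needs.
    permissions:
      id-token: write
      contents: read

    steps:
      # Third-party actions are pinned to a full commit SHA; the trailing
      # comment records the matching release tag and must be updated together
      # with the SHA.
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          # Do not leave the job token in .git/config: later steps run
          # dependency install and build scripts and need no git credentials.
          persist-credentials: false

      # NOTE(review): on pull_request these scripts come from the checked-out
      # PR code and run in a job that can request an OIDC token. Confirm the
      # JFrog side restricts which refs/events may exchange that token, and
      # how pull requests from forks (which are not granted id-token: write)
      # are expected to behave.
      - name: Obtain JFrog OIDC token
        run: bash .github/scripts/jfrog-oidc-token.sh

      - name: Configure JFrog npm registry
        run: bash .github/scripts/configure-npm.sh

      - name: Use Node.js 22.x
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: 22.x
          cache: "yarn"

      # --immutable makes the install fail instead of rewriting the lockfile.
      - run: yarn install --immutable

      # NOTE(review): the job is named "Package Arm64 VSIX" and the VSIX target
      # below is darwin-arm64, but this step fetches the darwin_amd64 CLI.
      # Confirm the mismatch is intended.
      - run: yarn run package:cli:fetch
        working-directory: packages/databricks-vscode
        env:
          CLI_ARCH: darwin_amd64
          # Job token, limited by the permissions block above.
          GH_TOKEN: ${{ github.token }}

      - name: Building packages
        run: yarn run build

      - run: mkdir -p packages/databricks-vscode/artifacts

      - name: Build VSIX
        run: yarn package -o artifacts -t darwin-arm64
        working-directory: packages/databricks-vscode

      # Only the artifacts directory is uploaded, not the whole workspace.
      - name: Upload artifacts
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: VSIX artifacts
          path: packages/databricks-vscode/artifacts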