Security hardening: migrate CI to hardened runners + JFrog proxy (Phase 1) (#1873)

- Migrate all Linux workflows to hardened runners
(`databricks-protected-runner-group`)
- Migrate Windows job in `unit-tests.yml` to
`databricks-protected-runner-group-large`
- Move `push.yml` and `unit-tests.yml` off `macos-latest` to Linux
hardened runners
- Add OIDC permissions + JFrog proxy scripts for npm/yarn and pip
- Temporarily disable `publish-to-vscode` and `publish-to-openvsx`
pending Phase 3

This pull request was AI-assisted by Isaac.

Author: ilia-db

.github/scripts/configure-npm.sh

@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+# Point npm and Yarn at the internal JFrog npm registry.
+# Reads JFROG_ACCESS_TOKEN from the environment (set by jfrog-oidc-token.sh).
+set -euo pipefail
+
+JFROG_NPM_REGISTRY="https://databricks.jfrog.io/artifactory/api/npm/db-npm/"
+
+# Configure npm CLI
+cat > ~/.npmrc << EOF
+registry=${JFROG_NPM_REGISTRY}
+//databricks.jfrog.io/artifactory/api/npm/db-npm/:_authToken=${JFROG_ACCESS_TOKEN}
+always-auth=true
+EOF
+
+# Configure Yarn Berry (v2+).
+# YARN_NPM_AUTH_TOKEN env var is not reliably scoped to a custom
+# YARN_NPM_REGISTRY_SERVER in Yarn 3 — write ~/.yarnrc.yml directly so the
+# auth token is co-located with the registry entry, which is how Yarn Berry
+# handles scoped registry auth.
+cat >> ~/.yarnrc.yml << EOF
+npmRegistryServer: "${JFROG_NPM_REGISTRY}"
+npmRegistries:
+  "${JFROG_NPM_REGISTRY}":
+    npmAuthToken: "${JFROG_ACCESS_TOKEN}"
+    npmAlwaysAuth: true
+EOF
+
+echo "npm/yarn configured to use JFrog registry (db-npm)"

.github/scripts/configure-pip.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+# Point pip at the internal JFrog PyPI registry.
+# Reads JFROG_ACCESS_TOKEN from the environment (set by jfrog-oidc-token.sh).
+set -euo pipefail
+
+echo "PIP_INDEX_URL=https://gha-service-account:${JFROG_ACCESS_TOKEN}@databricks.jfrog.io/artifactory/api/pypi/db-pypi/simple" >> "$GITHUB_ENV"
+
+echo "pip configured to use JFrog registry (db-pypi)"

.github/scripts/jfrog-oidc-token.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Exchange a GitHub Actions OIDC token for a JFrog access token and
+# write JFROG_ACCESS_TOKEN to $GITHUB_ENV so subsequent steps can use it.
+
+# Get GitHub OIDC ID token
+ID_TOKEN=$(curl -sLS \
+  -H "User-Agent: actions/oidc-client" \
+  -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+  "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"')
+
+# Exchange for JFrog access token
+ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \
+  "https://databricks.jfrog.io/access/api/v1/oidc/token" \
+  -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq .access_token | tr -d '"')
+
+if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
+  echo "FAIL: Could not extract JFrog access token"
+  exit 1
+fi
+
+echo "JFROG_ACCESS_TOKEN=${ACCESS_TOKEN}" >> "$GITHUB_ENV"
+
+echo "JFrog OIDC token obtained successfully"

.github/workflows/create-build-artifacts.yml

@@ -6,8 +6,12 @@ on:
 jobs:
   create-build-artifacts:
     runs-on:
-      group: databricks-deco-testing-runner-group
-      labels: ubuntu-latest-deco
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
+
+    permissions:
+      id-token: write
+      contents: read
 
     defaults:
       run:
@@ -16,6 +20,12 @@ jobs:
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
+      - name: Obtain JFrog OIDC token
+        run: bash .github/scripts/jfrog-oidc-token.sh
+
+      - name: Configure JFrog npm registry
+        run: bash .github/scripts/configure-npm.sh
+
       - name: Use Node.js 22
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:

.github/workflows/create-release.yml

@@ -17,8 +17,12 @@ jobs:
     needs: ["create-build-artifacts"]
 
     runs-on:
-      group: databricks-deco-testing-runner-group
-      labels: ubuntu-latest-deco
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
+
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

.github/workflows/external-message.yml

@@ -14,8 +14,8 @@ on:
 jobs:
   comment-on-pr:
     runs-on:
-      group: databricks-deco-testing-runner-group
-      labels: ubuntu-latest-deco
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
 
     permissions:
       pull-requests: write

.github/workflows/integration-tests.yml

@@ -11,8 +11,12 @@ jobs:
     name: Check secrets access
 
     runs-on:
-      group: databricks-deco-testing-runner-group
-      labels: ubuntu-latest-deco
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
+
+    permissions:
+      id-token: write
+      contents: read
 
     environment: "test-trigger-is"
     outputs:
@@ -33,8 +37,12 @@ jobs:
     name: Trigger Tests
 
     runs-on:
-      group: databricks-deco-testing-runner-group
-      labels: ubuntu-latest-deco
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
+
+    permissions:
+      id-token: write
+      contents: read
 
     needs: check-token
     if: github.event_name == 'pull_request'  && needs.check-token.outputs.has_token == 'true'
@@ -92,10 +100,11 @@ jobs:
     if: github.event_name == 'merge_group'
 
     runs-on:
-      group: databricks-deco-testing-runner-group
-      labels: ubuntu-latest-deco
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
 
     permissions:
+      id-token: write
       checks: write
       contents: read
 

.github/workflows/nightly-release.yml

@@ -14,8 +14,12 @@ jobs:
     needs: "create-build-artifacts"
 
     runs-on:
-      group: databricks-deco-testing-runner-group
-      labels: ubuntu-latest-deco
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
+
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
       - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0

.github/workflows/publish-to-openvsx.yml

@@ -13,9 +13,10 @@ on:
 
 jobs:
   publish-to-openvsx:
+    if: false # Temporarily disabled — pending secure release repo migration
     runs-on:
-      group: databricks-deco-testing-runner-group
-      labels: ubuntu-latest-deco
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
 
     environment: Production
 

.github/workflows/publish-to-vscode.yml

@@ -13,9 +13,10 @@ on:
 
 jobs:
   publish-to-vscode:
+    if: false # Temporarily disabled — pending secure release repo migration
     runs-on:
-      group: databricks-deco-testing-runner-group
-      labels: ubuntu-latest-deco
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
 
     environment: Production