Merge branch 'main' into main

Author: samikshya-db

.github/actions/setup-jfrog/action.yml

@@ -0,0 +1,36 @@
+name: Setup JFrog OIDC
+description: Obtain a JFrog access token via GitHub OIDC and configure npm to use JFrog registry proxy
+
+runs:
+  using: composite
+  steps:
+    - name: Get JFrog OIDC token
+      shell: bash
+      run: |
+        set -euo pipefail
+        ID_TOKEN=$(curl -sLS \
+          -H "User-Agent: actions/oidc-client" \
+          -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+          "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"')
+        echo "::add-mask::${ID_TOKEN}"
+        ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \
+          "https://databricks.jfrog.io/access/api/v1/oidc/token" \
+          -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq .access_token | tr -d '"')
+        echo "::add-mask::${ACCESS_TOKEN}"
+        if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
+          echo "FAIL: Could not extract JFrog access token"
+          exit 1
+        fi
+        echo "JFROG_ACCESS_TOKEN=${ACCESS_TOKEN}" >> "$GITHUB_ENV"
+        echo "JFrog OIDC token obtained successfully"
+
+    - name: Configure npm for JFrog
+      shell: bash
+      run: |
+        set -euo pipefail
+        cat > ~/.npmrc << EOF
+        registry=https://databricks.jfrog.io/artifactory/api/npm/db-npm/
+        //databricks.jfrog.io/artifactory/api/npm/db-npm/:_authToken=${JFROG_ACCESS_TOKEN}
+        always-auth=true
+        EOF
+        echo "npm configured to use JFrog registry"

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: weekly
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly

.github/workflows/dco-check.yml

@@ -2,15 +2,36 @@ name: DCO Check
 
 on: [pull_request]
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   check:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
     steps:
-      - name: Check for DCO
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          fetch-depth: 0
+      - name: Check for DCO sign-off
         id: dco-check
-        uses: tisonkun/actions-dco@v1.1
+        run: |
+          base_sha="${{ github.event.pull_request.base.sha }}"
+          head_sha="${{ github.event.pull_request.head.sha }}"
+          failed=0
+          for sha in $(git rev-list "$base_sha".."$head_sha"); do
+            if ! git log -1 --format='%B' "$sha" | grep -qiE '^Signed-off-by: .+ <.+>'; then
+              echo "::error::Commit $sha is missing a DCO sign-off"
+              failed=1
+            fi
+          done
+          if [ "$failed" -eq 1 ]; then
+            exit 1
+          fi
       - name: Comment about DCO status
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
         if: ${{ failure() }}
         with:
           script: |

.github/workflows/main.yml

@@ -8,13 +8,23 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   lint:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: 20
+      - uses: ./.github/actions/setup-jfrog
       - name: Cache node modules
-        uses: actions/cache@v3
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         env:
           cache-name: cache-node-modules
         with:
@@ -31,7 +41,9 @@ jobs:
           npm run lint
 
   unit-test:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
     strategy:
       matrix:
         # only LTS versions starting from the lowest we support
@@ -41,17 +53,18 @@ jobs:
       NYC_REPORT_DIR: coverage_unit_node${{ matrix.node-version }}
 
     steps:
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: ${{ matrix.node-version }}
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       - name: Set up Python 3.10 for Node 14
         if: ${{ matrix.node-version == '14' }}
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4
         with:
           python-version: '3.10'
+      - uses: ./.github/actions/setup-jfrog
       - name: Cache node modules
-        uses: actions/cache@v3
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
           path: ~/.npm
           key: ${{ runner.os }}-${{ matrix.node-version }}-build-${{ env.cache-name }}-${{ hashFiles('**/package-lock.json') }}
@@ -65,14 +78,16 @@ jobs:
           npm run test
       - run: tar -cvf ${{ env.NYC_REPORT_DIR }}.tar ${{ env.NYC_REPORT_DIR }}
       - name: Store coverage report
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: ${{ env.NYC_REPORT_DIR }}
           path: ${{ env.NYC_REPORT_DIR }}.tar
           retention-days: 1
 
   e2e-test:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
     environment: azure-prod
     env:
       E2E_HOST: ${{ secrets.DATABRICKS_HOST }}
@@ -86,9 +101,13 @@ jobs:
       NYC_REPORT_DIR: coverage_e2e
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: 20
+      - uses: ./.github/actions/setup-jfrog
       - name: Cache node modules
-        uses: actions/cache@v3
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
           path: ~/.npm
           key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/package-lock.json') }}
@@ -102,30 +121,32 @@ jobs:
           NODE_OPTIONS="--max-old-space-size=4096" npm run e2e
       - run: tar -cvf ${{ env.NYC_REPORT_DIR }}.tar ${{ env.NYC_REPORT_DIR }}
       - name: Store coverage report
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: ${{ env.NYC_REPORT_DIR }}
           path: ${{ env.NYC_REPORT_DIR }}.tar
           retention-days: 1
 
   coverage:
     needs: [unit-test, e2e-test]
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
     env:
       cache-name: cache-node-modules
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       - name: Cache node modules
-        uses: actions/cache@v3
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
           path: ~/.npm
           key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/package-lock.json') }}
           restore-keys: |
             ${{ runner.os }}-build-${{ env.cache-name }}-
             ${{ runner.os }}-build-
             ${{ runner.os }}-
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         with:
           pattern: coverage_*
           merge-multiple: true
@@ -135,7 +156,7 @@ jobs:
           rm coverage_*.tar
       - run: ls -la
       - name: Coverage
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           fail_ci_if_error: true

.github/workflows/release.yml

@@ -1 +1 @@
-package-lock=false
+package-lock=true

.npmrc

@@ -0,0 +1,38 @@
+/**
+ * Detects whether the Node.js SQL driver is being invoked by an AI coding agent
+ * by checking for well-known environment variables that agents set in their
+ * spawned shell processes.
+ *
+ * Detection only succeeds when exactly one agent environment variable is present,
+ * to avoid ambiguous attribution when multiple agent environments overlap.
+ *
+ * Adding a new agent requires only a new entry in `knownAgents`.
+ *
+ * References for each environment variable:
+ *   - ANTIGRAVITY_AGENT: Closed source. Google Antigravity sets this variable.
+ *   - CLAUDECODE: https://github.com/anthropics/claude-code (sets CLAUDECODE=1)
+ *   - CLINE_ACTIVE: https://github.com/cline/cline (shipped in v3.24.0)
+ *   - CODEX_CI: https://github.com/openai/codex (part of UNIFIED_EXEC_ENV array in codex-rs)
+ *   - CURSOR_AGENT: Closed source. Referenced in a gist by johnlindquist.
+ *   - GEMINI_CLI: https://google-gemini.github.io/gemini-cli/docs/tools/shell.html (sets GEMINI_CLI=1)
+ *   - OPENCODE: https://github.com/opencode-ai/opencode (sets OPENCODE=1)
+ */
+
+const knownAgents: Array<{ envVar: string; product: string }> = [
+  { envVar: 'ANTIGRAVITY_AGENT', product: 'antigravity' },
+  { envVar: 'CLAUDECODE', product: 'claude-code' },
+  { envVar: 'CLINE_ACTIVE', product: 'cline' },
+  { envVar: 'CODEX_CI', product: 'codex' },
+  { envVar: 'CURSOR_AGENT', product: 'cursor' },
+  { envVar: 'GEMINI_CLI', product: 'gemini-cli' },
+  { envVar: 'OPENCODE', product: 'opencode' },
+];
+
+export default function detectAgent(env: Record<string, string | undefined> = process.env): string {
+  const detected = knownAgents.filter((a) => env[a.envVar]).map((a) => a.product);
+
+  if (detected.length === 1) {
+    return detected[0];
+  }
+  return '';
+}

lib/utils/agentDetector.ts

@@ -1,5 +1,6 @@
 import os from 'os';
 import packageVersion from '../version';
+import detectAgent from './agentDetector';
 
 const productName = 'NodejsDatabricksSqlConnector';
 
@@ -27,5 +28,12 @@ export default function buildUserAgentString(userAgentEntry?: string): string {
   }
 
   const extra = [userAgentEntry, getNodeVersion(), getOperatingSystemVersion()].filter(Boolean);
-  return `${productName}/${packageVersion} (${extra.join('; ')})`;
+  let ua = `${productName}/${packageVersion} (${extra.join('; ')})`;
+
+  const agentProduct = detectAgent();
+  if (agentProduct) {
+    ua += ` agent/${agentProduct}`;
+  }
+
+  return ua;
 }

lib/utils/buildUserAgentString.ts

@@ -0,0 +1,36 @@
+import { expect } from 'chai';
+import detectAgent from '../../../lib/utils/agentDetector';
+
+describe('detectAgent', () => {
+  const allAgents = [
+    { envVar: 'ANTIGRAVITY_AGENT', product: 'antigravity' },
+    { envVar: 'CLAUDECODE', product: 'claude-code' },
+    { envVar: 'CLINE_ACTIVE', product: 'cline' },
+    { envVar: 'CODEX_CI', product: 'codex' },
+    { envVar: 'CURSOR_AGENT', product: 'cursor' },
+    { envVar: 'GEMINI_CLI', product: 'gemini-cli' },
+    { envVar: 'OPENCODE', product: 'opencode' },
+  ];
+
+  for (const { envVar, product } of allAgents) {
+    it(`detects ${product} when ${envVar} is set`, () => {
+      expect(detectAgent({ [envVar]: '1' })).to.equal(product);
+    });
+  }
+
+  it('returns empty string when no agent is detected', () => {
+    expect(detectAgent({})).to.equal('');
+  });
+
+  it('returns empty string when multiple agents are detected', () => {
+    expect(detectAgent({ CLAUDECODE: '1', CURSOR_AGENT: '1' })).to.equal('');
+  });
+
+  it('ignores empty env var values', () => {
+    expect(detectAgent({ CLAUDECODE: '' })).to.equal('');
+  });
+
+  it('ignores undefined env var values', () => {
+    expect(detectAgent({ CLAUDECODE: undefined })).to.equal('');
+  });
+});

tests/unit/utils/agentDetector.test.ts

@@ -32,7 +32,7 @@ describe('buildUserAgentString', () => {
     // Prefix: 'NodejsDatabricksSqlConnector/'
     // Version: three period-separated digits and optional suffix
     const re =
-      /^(?<productName>NodejsDatabricksSqlConnector)\/(?<productVersion>\d+\.\d+\.\d+(-[^(]+)?)\s*\((?<comment>[^)]+)\)$/i;
+      /^(?<productName>NodejsDatabricksSqlConnector)\/(?<productVersion>\d+\.\d+\.\d+(-[^(]+)?)\s*\((?<comment>[^)]+)\)(\s+agent\/[a-z-]+)?$/i;
     const match = re.exec(ua);
     expect(match).to.not.be.eq(null);
 
@@ -62,6 +62,21 @@ describe('buildUserAgentString', () => {
     const userAgentString = buildUserAgentString(userAgentEntry);
     expect(userAgentString).to.include('<REDACTED>');
   });
+
+  it('appends agent suffix when agent env var is set', () => {
+    const orig = process.env.CLAUDECODE;
+    try {
+      process.env.CLAUDECODE = '1';
+      const ua = buildUserAgentString();
+      expect(ua).to.include('agent/claude-code');
+    } finally {
+      if (orig === undefined) {
+        delete process.env.CLAUDECODE;
+      } else {
+        process.env.CLAUDECODE = orig;
+      }
+    }
+  });
 });
 
 describe('formatProgress', () => {