ci: migrate to hardened runners, disable publish during freeze (#353)

* ci: migrate to hardened runners, disable publish during freeze

Switch all 7 workflow jobs from `ubuntu-latest` to the
`databricks-protected-runner-group` hardened runner group per
go/hardened-gha step 3.

Disable the release publish job during the release freeze per
go/hardened-gha step 7. The build job remains active for validation.
A clear comment marks when and how to re-enable.

Fix `.npmrc` from `package-lock=false` to `package-lock=true` so local
dev keeps the lockfile in sync with `npm ci` in CI.

Co-authored-by: Isaac

* ci: add JFrog Artifactory proxy for npm registry access

Hardened runners block direct access to public registries. Configure
JFrog Artifactory as an npm proxy using OIDC token exchange per the
remote registry access guidance.

Added to all jobs that run `npm ci`: lint, unit-test, e2e-test (main.yml)
and build (release.yml). The coverage job and dco-check workflow do not
access npm and are left unchanged.

Adds `id-token: write` permission for the OIDC token exchange.

Co-authored-by: Isaac

* ci: add setup-node to lint and e2e-test jobs

Hardened runners may not have Node.js pre-installed (reported in
#unblock-github-action-for-eng). Add explicit setup-node step to
the lint and e2e-test jobs which run npm commands but previously
relied on the runner having Node available.

The unit-test and release build jobs already have setup-node.
The coverage and dco-check jobs don't run npm commands and don't
need it.

Co-authored-by: Isaac

* ci: revert .npmrc change (moved to separate PR)

Co-authored-by: Isaac

* ci: extract JFrog OIDC setup into reusable composite action

Move the duplicated JFrog OIDC token exchange and npm registry
configuration into .github/actions/setup-jfrog/action.yml, replacing
three identical ~27-line blocks in lint, unit-test, and e2e-test jobs
with a single `uses: ./.github/actions/setup-jfrog` step.

Follows the pattern from databricks/databricks-sqlalchemy#59.

Co-authored-by: Isaac

Author: shivam2680

.github/actions/setup-jfrog/action.yml

@@ -0,0 +1,36 @@
+name: Setup JFrog OIDC
+description: Obtain a JFrog access token via GitHub OIDC and configure npm to use JFrog registry proxy
+
+runs:
+  using: composite
+  steps:
+    - name: Get JFrog OIDC token
+      shell: bash
+      run: |
+        set -euo pipefail
+        ID_TOKEN=$(curl -sLS \
+          -H "User-Agent: actions/oidc-client" \
+          -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+          "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"')
+        echo "::add-mask::${ID_TOKEN}"
+        ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \
+          "https://databricks.jfrog.io/access/api/v1/oidc/token" \
+          -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq .access_token | tr -d '"')
+        echo "::add-mask::${ACCESS_TOKEN}"
+        if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
+          echo "FAIL: Could not extract JFrog access token"
+          exit 1
+        fi
+        echo "JFROG_ACCESS_TOKEN=${ACCESS_TOKEN}" >> "$GITHUB_ENV"
+        echo "JFrog OIDC token obtained successfully"
+
+    - name: Configure npm for JFrog
+      shell: bash
+      run: |
+        set -euo pipefail
+        cat > ~/.npmrc << EOF
+        registry=https://databricks.jfrog.io/artifactory/api/npm/db-npm/
+        //databricks.jfrog.io/artifactory/api/npm/db-npm/:_authToken=${JFROG_ACCESS_TOKEN}
+        always-auth=true
+        EOF
+        echo "npm configured to use JFrog registry"

.github/workflows/dco-check.yml

@@ -8,7 +8,9 @@ permissions:
 
 jobs:
   check:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:

.github/workflows/main.yml

@@ -10,12 +10,19 @@ on:
 
 permissions:
   contents: read
+  id-token: write
 
 jobs:
   lint:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: 20
+      - uses: ./.github/actions/setup-jfrog
       - name: Cache node modules
         uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         env:
@@ -34,7 +41,9 @@ jobs:
           npm run lint
 
   unit-test:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
     strategy:
       matrix:
         # only LTS versions starting from the lowest we support
@@ -53,6 +62,7 @@ jobs:
         uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4
         with:
           python-version: '3.10'
+      - uses: ./.github/actions/setup-jfrog
       - name: Cache node modules
         uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
@@ -75,7 +85,9 @@ jobs:
           retention-days: 1
 
   e2e-test:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
     environment: azure-prod
     env:
       E2E_HOST: ${{ secrets.DATABRICKS_HOST }}
@@ -90,6 +102,10 @@ jobs:
 
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: 20
+      - uses: ./.github/actions/setup-jfrog
       - name: Cache node modules
         uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
@@ -113,7 +129,9 @@ jobs:
 
   coverage:
     needs: [unit-test, e2e-test]
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
     env:
       cache-name: cache-node-modules