Security hardening: migrate CI to hardened runners + JFrog proxy (Phase 1)#1873

Merged
ilia-db merged 8 commits into main from security-hardening/harden-ci-runners
Apr 14, 2026

Conversation

@ilia-db ilia-db commented Apr 10, 2026

  • Migrate all Linux workflows to hardened runners (databricks-protected-runner-group)
  • Migrate Windows job in unit-tests.yml to databricks-protected-runner-group-large
  • Move push.yml and unit-tests.yml off macos-latest to Linux hardened runners
  • Add OIDC permissions + JFrog proxy scripts for npm/yarn and pip
  • Temporarily disable publish-to-vscode and publish-to-openvsx pending Phase 3

This pull request was AI-assisted by Isaac.

- Migrate all Linux jobs to databricks-protected-runner-group / linux-ubuntu-latest
- Migrate unit-tests Windows job to databricks-protected-runner-group-large / windows-server-latest-large
- Migrate push.yml and unit-tests.yml off macos-latest to Linux hardened runners
- Add OIDC permissions (id-token: write, contents: read) to all migrated jobs
- Add JFrog OIDC proxy scripts for npm/yarn (db-npm) and pip (db-pypi)
- Temporarily disable publish-to-vscode and publish-to-openvsx jobs pending secure release repo migration

Part of security hardening initiative (GA April 9, 2026).
Ref: docs/security-hardening-unblock-plan.md Phase 1

Co-authored-by: Isaac

YARN_NPM_AUTH_TOKEN env var is not reliably scoped to a custom
YARN_NPM_REGISTRY_SERVER in Yarn 3.2.1 — requests reached JFrog
but without an Authorization header ("anonymous user" error).

Write ~/.yarnrc.yml directly with npmRegistries entry so the auth
token is co-located with the registry URL, which is the correct
Yarn Berry approach for scoped registry authentication.

Co-authored-by: Isaac

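An added example, not the PR's own proxy script, of the approach the commit above describes: the JFrog access token is written into ~/.yarnrc.yml under an npmRegistries entry keyed by the registry URL, instead of being exported as YARN_NPM_AUTH_TOKEN next to YARN_NPM_REGISTRY_SERVER. The JFrog hostname, the db-npm registry path, the OIDC audience and provider name, and the JFrog token-exchange endpoint are assumptions; the two token helpers need curl and jq and only work inside a job that grants id-token: write, so they are defined but only run when RUN_JFROG_SETUP=1.

```bash
#!/usr/bin/env bash
# Added example, not the PR's script. Assumed values: the JFrog host, the
# db-npm repository path, the OIDC audience and the provider name in JFrog.
set -euo pipefail

# Fetch the GitHub Actions OIDC ID token for this job. Requires the job to
# declare `permissions: id-token: write`; GitHub then exposes the two
# ACTIONS_ID_TOKEN_REQUEST_* variables. $1 = audience expected by JFrog.
github_id_token() {
  local audience="$1"
  curl -sSf -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
    "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=${audience}" | jq -r '.value'
}

# Exchange the ID token for a short-lived JFrog access token.
# Assumption: JFrog's token-exchange endpoint /access/api/v1/oidc/token with
# the RFC 8693 grant; verify against your instance's documentation.
jfrog_exchange_token() {
  local jfrog_url="$1" provider="$2" id_token="$3"
  curl -sSf -X POST "${jfrog_url}/access/api/v1/oidc/token" \
    -H 'Content-Type: application/json' \
    -d "$(jq -n --arg t "$id_token" --arg p "$provider" \
          '{grant_type:"urn:ietf:params:oauth:grant-type:token-exchange",
            subject_token_type:"urn:ietf:params:oauth:token-type:id_token",
            subject_token:$t, provider_name:$p}')" | jq -r '.access_token'
}

# Write the yarnrc so the token lives under the registry URL it belongs to.
# Yarn Berry looks up npmRegistries by registry URL, so the Authorization
# header is only attached to requests for that host.
# $1 = registry URL, $2 = access token, $3 = path of the yarnrc to write.
write_yarnrc() {
  local registry="$1" token="$2" rcfile="$3"
  ( umask 077   # credential file: owner read/write only
    cat > "$rcfile" <<EOF
npmRegistryServer: "${registry}"
npmRegistries:
  "${registry}":
    npmAlwaysAuth: true
    npmAuthToken: "${token}"
EOF
  )
}

# Structural check that never echoes the token: the registry is the default
# server, it has an npmRegistries entry, and that entry carries a token.
check_yarnrc() {
  local registry="$1" rcfile="$2"
  grep -qF "npmRegistryServer: \"${registry}\"" "$rcfile" || return 1
  grep -qF "  \"${registry}\":" "$rcfile" || return 1
  grep -qE '^    npmAuthToken: ".+"$' "$rcfile" || return 1
}

# CI entry point (assumed values). Guarded so the functions above can be
# sourced or tested without network access.
if [ "${RUN_JFROG_SETUP:-0}" = "1" ]; then
  JFROG_URL="https://example.jfrog.io"                  # assumed host
  REGISTRY="${JFROG_URL}/artifactory/api/npm/db-npm/"   # assumed path
  ID_TOKEN="$(github_id_token "${JFROG_URL}")"          # assumed audience
  ACCESS_TOKEN="$(jfrog_exchange_token "${JFROG_URL}" "github-actions" "${ID_TOKEN}")"  # assumed provider name
  write_yarnrc "${REGISTRY}" "${ACCESS_TOKEN}" "${HOME}/.yarnrc.yml"
  check_yarnrc "${REGISTRY}" "${HOME}/.yarnrc.yml"
fi
```

In a workflow step this runs with RUN_JFROG_SETUP=1 after the job's permissions block grants id-token: write; a subsequent `yarn npm whoami` against the registry confirms the token was attached without printing it. The token only ever passes through variables and the 0600 file, so nothing in the step needs masking.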
GitHub Actions cannot expand a YAML map via ${{ matrix.arch.runner }}
into runs-on — it causes startup_failure. Use flat string fields
(runner_group + runner_labels) referenced directly in runs-on instead.

Co-authored-by: Isaac

ilia-db added 2 commits April 13, 2026 14:23

…licy

The hardened runner policy allows coactions/setup-xvfb@v1 as an explicit
pattern but blocks SHA-pinned references to non-enterprise actions.

Co-authored-by: Isaac

coactions/setup-xvfb@<sha> is blocked by the enterprise action policy
(allowlist only permits the tag form, but SHA pinning is also required).
Inline Xvfb startup on Linux; Windows needs no virtual display.

Co-authored-by: Isaac

…cks large runner access)

databricks-protected-runner-group-large is only accessible to the CLI repo.
Switch to databricks-protected-runner-group + windows-server-latest.

Co-authored-by: Isaac

@ilia-db ilia-db temporarily deployed to test-trigger-is April 14, 2026 09:25 — with GitHub Actions Inactive
@ilia-db ilia-db requested a review from misha-db April 14, 2026 09:27
@ilia-db ilia-db marked this pull request as ready for review April 14, 2026 09:27

Two workflows were missed in the initial migration:
- external-message.yml: runner update only (no package installs)
- release-pr.yml: runner update + JFrog npm setup (runs yarn install)

Co-authored-by: Isaac

@misha-db misha-db left a comment

LGTM!

Tokens are never printed to stdout so masking is unnecessary.

Co-authored-by: Isaac

@github-actions

If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:

Trigger:
go/deco-tests-run/vscode

Inputs:

  • PR number: 1873
  • Commit SHA: 8bcc7bc12e01e8f745bcf5a68ebb135aabe9f3ef

Checks will be approved automatically on success.

@ilia-db ilia-db merged commit 491e837 into main Apr 14, 2026
6 of 8 checks passed
@ilia-db ilia-db deleted the security-hardening/harden-ci-runners branch April 14, 2026 10:48