Skip to content

Support non-interactive configure with --profiles#156

Merged
rohita5l merged 1 commit into
databricks:mainfrom
bbqiu:pat-noninteractive-configure
Jun 12, 2026
Merged

Support non-interactive configure with --profiles#156
rohita5l merged 1 commit into
databricks:mainfrom
bbqiu:pat-noninteractive-configure

Conversation

@bbqiu

@bbqiu bbqiu commented Jun 12, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

ucode configure forced an interactive databricks auth login even when a static credential was available, and PAT profiles in ~/.databrickscfg were invisible to ucode (databricks auth token is OAuth-only). Now:

  • resolve_pat_token picks up DATABRICKS_BEARER, a DATABRICKS_TOKEN with matching DATABRICKS_HOST, or a PAT-type CLI profile (token read from ~/.databrickscfg), and configure skips the forced login when one exists; workspace access is still verified via the AI Gateway probe.
  • find_profile_name_for_host resolves PAT profiles (OAuth wins per host).
  • New ucode configure --profiles <names> uses already-authenticated CLI profiles with no interactive login; mutually exclusive with --workspaces.
  • The persisted agent auth shell command falls back to databricks auth describe --sensitive for PAT profiles so launched agents can refresh tokens.

tested manually:
--profiles and --workspaces still work

screenshot 2026-06-11-23-51-04-iTerm2

@rohita5l

rohita5l commented Jun 12, 2026

Copy link
Copy Markdown
Collaborator

@bbqiu Im okay with adding the configure --profiles as an analogous to configure --workspaces however I dont want ucode to automatically start using PAT token if its available. We generally want to heavily discourage use of that.

So to force ucode to use a PAT token can the contract be the following.

  1. DATABRICKS_BEARER should be available as env var. Thats the only key we respect
  2. Users need to pass in --skip-oauth

That can work in a Lakebox / CI like environment imo but for interactive use cases the default should force you to oauth.

rohita5l
rohita5l previously approved these changes Jun 12, 2026
View reviewed changes
@bbqiu
Support non-interactive configure with --profiles, --use-pat, and --s…
efaec90 
…kip-validate

Adds an explicit, fully non-interactive setup path for CI / headless
environments (e.g. lakebox sandboxes provisioned with a PAT-backed
DEFAULT profile):

- `configure --profiles <names>` resolves workspace URLs from existing
  ~/.databrickscfg profiles instead of prompting. Auth behaves like
  --workspaces: OAuth login is forced by default.
- `--use-pat` (requires --profiles) authenticates with the profile's
  personal access token instead of OAuth — ucode never picks up a PAT
  implicitly. The token is validated, exported as DATABRICKS_BEARER for
  the configure run and launched agents, and persisted as use_pat in
  state so launches inherit the mode; written agent configs carry a
  `databricks auth describe --sensitive`-based auth command so bare
  claude/codex runs refresh from the PAT too.
- `--skip-validate` skips the post-configure test message through each
  agent; configs are still written with freshly discovered models.

Co-authored-by: Isaac
Signed-off-by: Bryan Qiu <bryan.qiu@databricks.com>
@bbqiu bbqiu force-pushed the pat-noninteractive-configure branch from d863600 to efaec90 Compare June 12, 2026 21:48
@rohita5l rohita5l enabled auto-merge (squash) June 12, 2026 22:14
@rohita5l rohita5l merged commit 7cd9009 into databricks:main Jun 12, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rohita5l rohita5l rohita5l approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bbqiu @rohita5l