Merge remote-tracking branch 'origin/main' into default-oidc-audience

# Conflicts:
#	databricks-sdk-java/src/main/java/com/databricks/sdk/core/HostType.java

Author: tanmay-db

.github/actions/setup-build-environment/action.yml

@@ -0,0 +1,50 @@
+name: Setup build environment
+description: Set up JDK with JFrog Artifactory as Maven mirror for hardened runners
+
+inputs:
+  java-version:
+    description: "Java version to install"
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Setup JFrog CLI with OIDC
+      if: runner.os != 'macOS'
+      id: jfrog
+      uses: jfrog/setup-jfrog-cli@279b1f629f43dd5bc658d8361ac4802a7ef8d2d5 # v4.9.1
+      env:
+        JF_URL: https://databricks.jfrog.io
+      with:
+        oidc-provider-name: github-actions
+
+    - name: Set up JDK
+      uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4
+      with:
+        java-version: ${{ inputs.java-version }}
+
+    - name: Configure Maven for JFrog
+      if: runner.os != 'macOS'
+      shell: bash
+      run: |
+        mkdir -p ~/.m2
+        cat > ~/.m2/settings.xml << EOF
+        <settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
+                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                  xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd">
+          <mirrors>
+            <mirror>
+              <id>jfrog-maven</id>
+              <url>https://databricks.jfrog.io/artifactory/db-maven/</url>
+              <mirrorOf>*</mirrorOf>
+            </mirror>
+          </mirrors>
+          <servers>
+            <server>
+              <id>jfrog-maven</id>
+              <username>${{ steps.jfrog.outputs.oidc-user }}</username>
+              <password><![CDATA[${{ steps.jfrog.outputs.oidc-token }}]]></password>
+            </server>
+          </servers>
+        </settings>
+        EOF

.github/workflows/push.yml

@@ -6,66 +6,95 @@ on:
   merge_group:
     types: [checks_requested]
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   fmt:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Set up JDK 11
-        uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4
-        with:
-          java-version: 11
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
 
+    steps:
       - name: Checkout
         uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 
       - name: Cache Maven packages
         uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
-          path: ~/.m2
+          path: ~/.m2/repository
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
           restore-keys: ${{ runner.os }}-m2
 
+      - name: Setup build environment
+        uses: ./.github/actions/setup-build-environment
+        with:
+          java-version: 11
+
       - name: Check formatting
         run: mvn --errors spotless:check
 
+      - name: Check for JFrog proxy URLs in lockfiles
+        run: |
+          make fix-lockfile
+          git diff --exit-code -- '**/lockfile.json'
+
   unit-tests:
     strategy:
       fail-fast: false
       matrix:
         os: [macos-latest, ubuntu-latest]
         java-version: [8, 11, 17, 20] # 20 is the latest version as of 2023 and 17 is the latest LTS
+        include:
+          - os: ubuntu-latest
+            runner:
+              group: databricks-protected-runner-group
+              labels: linux-ubuntu-latest
+          - os: macos-latest
+            runner: macos-latest
 
-    runs-on: ${{ matrix.os }}
+    runs-on: ${{ matrix.runner }}
 
     steps:
-      - name: Set up JDK
-        uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4
-        with:
-          java-version: ${{ matrix.java-version }}
-
       - name: Checkout
         uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 
       - name: Cache Maven packages
         uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
-          path: ~/.m2
+          path: ~/.m2/repository
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
           restore-keys: ${{ runner.os }}-m2
 
+      - name: Setup build environment
+        uses: ./.github/actions/setup-build-environment
+        with:
+          java-version: ${{ matrix.java-version }}
+
       - name: Check Unit Tests
         run: mvn --errors test
 
   check-lock:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Set up JDK 11
-        uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4
-        with:
-          java-version: 11
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
 
+    steps:
       - name: Checkout
         uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 
+      - name: Cache Maven packages
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        with:
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2
+
+      - name: Setup build environment
+        uses: ./.github/actions/setup-build-environment
+        with:
+          java-version: 11
+
       - name: Validate lockfile
         run: make check-lock

.github/workflows/release.yml

@@ -9,30 +9,79 @@ on:
     branches:
       - "**"
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   publish:
     # Dynamically set the job name based on the trigger
     name: ${{ startsWith(github.ref, 'refs/tags/') && 'Publish Release' || 'Run Release Dry-Run' }}
 
     runs-on:
-      group: databricks-deco-testing-runner-group
-      labels: ubuntu-latest-deco
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
 
     steps:
       - name: Checkout
         uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 
+      - name: Cache Maven packages
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        with:
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2
+
+      - name: Setup JFrog CLI with OIDC
+        id: jfrog
+        uses: jfrog/setup-jfrog-cli@279b1f629f43dd5bc658d8361ac4802a7ef8d2d5 # v4.9.1
+        env:
+          JF_URL: https://databricks.jfrog.io
+        with:
+          oidc-provider-name: github-actions
+
       - name: Set up Java for publishing to Maven Central Repository
         uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3.14.1
         with:
           java-version: 8
-          server-id: central
           distribution: "adopt"
-          server-username: MAVEN_CENTRAL_USERNAME
-          server-password: MAVEN_CENTRAL_PASSWORD
           gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
           gpg-passphrase: GPG_PASSPHRASE
-          
+
+      - name: Configure Maven for JFrog and Maven Central
+        run: |
+          mkdir -p ~/.m2
+          cat > ~/.m2/settings.xml << EOF
+          <settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
+                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                    xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd">
+            <mirrors>
+              <mirror>
+                <id>jfrog-maven</id>
+                <url>https://databricks.jfrog.io/artifactory/db-maven/</url>
+                <mirrorOf>*</mirrorOf>
+              </mirror>
+            </mirrors>
+            <servers>
+              <server>
+                <id>jfrog-maven</id>
+                <username>${{ steps.jfrog.outputs.oidc-user }}</username>
+                <password><![CDATA[${{ steps.jfrog.outputs.oidc-token }}]]></password>
+              </server>
+              <server>
+                <id>central</id>
+                <username>${{ secrets.MAVEN_CENTRAL_USERNAME }}</username>
+                <password>${{ secrets.MAVEN_CENTRAL_PASSWORD }}</password>
+              </server>
+              <server>
+                <id>gpg.passphrase</id>
+                <passphrase>\${env.GPG_PASSPHRASE}</passphrase>
+              </server>
+            </servers>
+          </settings>
+          EOF
+
       # This step runs ONLY on branch pushes (dry-run)
       - name: Run Release Dry-Run (Verify)
         if: "!startsWith(github.ref, 'refs/tags/')"
@@ -71,4 +120,4 @@ jobs:
         uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
         with:
           files: databricks-sdk-java/target/*.jar
-          body_path: /tmp/release-notes/release-notes.md
+          body_path: /tmp/release-notes/release-notes.md

Makefile

@@ -10,3 +10,9 @@ lock:
 check-lock:
 	mvn io.github.chains-project:maven-lockfile:5.5.2:validate
 
+fix-lockfile:
+	@# Replace JFrog proxy URLs with public Maven Central equivalents in lockfiles.
+	@# Prevents proxy URLs from being accidentally committed.
+	find . -type f -name 'lockfile.json' \
+	  -exec sed -i 's|databricks\.jfrog\.io/artifactory/db-maven|repo.maven.apache.org/maven2|g' {} +
+

NEXT_CHANGELOG.md

@@ -6,6 +6,7 @@
 * Added automatic detection of AI coding agents (Antigravity, Claude Code, Cline, Codex, Copilot CLI, Cursor, Gemini CLI, OpenCode) in the user-agent string. The SDK now appends `agent/<name>` to HTTP request headers when running inside a known AI agent environment.
 
 ### Bug Fixes
+* Added `X-Databricks-Org-Id` header to deprecated workspace SCIM APIs (Groups, ServicePrincipals, Users) for SPOG host compatibility.
 * Fixed Databricks CLI authentication to detect when the cached token's scopes don't match the SDK's configured scopes. Previously, a scope mismatch was silently ignored, causing requests to use wrong permissions. The SDK now raises an error with instructions to re-authenticate.
 
 ### Security Vulnerabilities
@@ -23,4 +24,4 @@
 * Add `cascade` field for `com.databricks.sdk.service.pipelines.DeletePipelineRequest`.
 * Add `defaultBranch` field for `com.databricks.sdk.service.postgres.ProjectSpec`.
 * Add `defaultBranch` field for `com.databricks.sdk.service.postgres.ProjectStatus`.
-* Add `ingress` and `ingressDryRun` fields for `com.databricks.sdk.service.settings.AccountNetworkPolicy`.
+* Add `ingress` and `ingressDryRun` fields for `com.databricks.sdk.service.settings.AccountNetworkPolicy`.