ci: configure JFrog npm registry proxy for GitHub Actions, replace conventional commits PR checker (#233)

* chore(ci): configure JFrog npm registry proxy for GitHub Actions

Add a composite action (.github/actions/setup-jfrog-npm) that handles
OIDC token exchange with JFrog and configures npm to use the Artifactory
proxy. This is required per go/hardened-gha to protect against supply
chain attacks on public registries.

Applied to all workflow jobs that install npm packages:
- ci.yml (5 jobs)
- docs-deploy.yml (build job)
- release.yml (release + sync-template jobs)
- release-lakebase.yml (release job)

Signed-off-by: Pawel Kosiec <pawel.kosiec@databricks.com>

* fix(ci): move JFrog npm setup before pnpm/action-setup

pnpm/action-setup fetches pnpm from registry.npmjs.org, which is
blocked on hardened runners. Move JFrog config earlier so the registry
proxy is configured before any npm access.

Signed-off-by: Pawel Kosiec <pawel.kosiec@databricks.com>

* chore(ci): replace Docker-based PR title check with JS-based action

Replace ytanikin/pr-conventional-commits (Docker-based, builds at
runtime with npm ci) with amannn/action-semantic-pull-request (JS-based,
pre-bundled). The Docker action fails on hardened runners because npm ci
inside the container can't reach registry.npmjs.org.

Signed-off-by: Pawel Kosiec <pawel.kosiec@databricks.com>

---------

Signed-off-by: Pawel Kosiec <pawel.kosiec@databricks.com>

Author: pkosiec

.github/actions/setup-jfrog-npm/action.yml

@@ -0,0 +1,42 @@
+name: 'Setup JFrog npm registry'
+description: 'Obtains a JFrog OIDC token and configures npm to use the JFrog Artifactory proxy'
+inputs:
+  npmrc-path:
+    description: 'Path to write .npmrc file (use .npmrc for project-level override)'
+    required: false
+    default: '~/.npmrc'
+runs:
+  using: 'composite'
+  steps:
+    - name: Get JFrog OIDC token
+      shell: bash
+      run: |
+        set -euo pipefail
+        ID_TOKEN=$(curl -sLS \
+          -H "User-Agent: actions/oidc-client" \
+          -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+          "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"')
+        echo "::add-mask::${ID_TOKEN}"
+        ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \
+          "https://databricks.jfrog.io/access/api/v1/oidc/token" \
+          -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq .access_token | tr -d '"')
+        echo "::add-mask::${ACCESS_TOKEN}"
+        if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
+          echo "FAIL: Could not extract JFrog access token"
+          exit 1
+        fi
+        echo "JFROG_ACCESS_TOKEN=${ACCESS_TOKEN}" >> "$GITHUB_ENV"
+        echo "JFrog OIDC token obtained successfully"
+
+    - name: Configure npm
+      shell: bash
+      run: |
+        set -euo pipefail
+        NPMRC_PATH="${{ inputs.npmrc-path }}"
+        NPMRC_PATH="${NPMRC_PATH/#\~/$HOME}"
+        cat > "$NPMRC_PATH" << EOF
+        registry=https://databricks.jfrog.io/artifactory/api/npm/db-npm/
+        //databricks.jfrog.io/artifactory/api/npm/db-npm/:_authToken=${JFROG_ACCESS_TOKEN}
+        always-auth=true
+        EOF
+        echo "npm configured to use JFrog registry (wrote to $NPMRC_PATH)"

.github/workflows/ci.yml

@@ -11,6 +11,7 @@ concurrency:
 permissions:
   contents: read
   pull-requests: read
+  id-token: write
 
 jobs:
   detect-changes:
@@ -42,6 +43,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - name: Setup JFrog npm
+        uses: ./.github/actions/setup-jfrog-npm
       - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
       - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
@@ -80,6 +83,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - name: Setup JFrog npm
+        uses: ./.github/actions/setup-jfrog-npm
       - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
       - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
@@ -100,6 +105,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - name: Setup JFrog npm
+        uses: ./.github/actions/setup-jfrog-npm
       - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
       - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
@@ -128,6 +135,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - name: Setup JFrog npm
+        uses: ./.github/actions/setup-jfrog-npm
       - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
       - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
@@ -177,6 +186,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - name: Setup JFrog npm
+        uses: ./.github/actions/setup-jfrog-npm
       - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
       - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:

.github/workflows/docs-deploy.yml

@@ -25,6 +25,8 @@ jobs:
     name: Build Docs
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - name: Setup JFrog npm
+        uses: ./.github/actions/setup-jfrog-npm
       - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
       - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:

.github/workflows/pr-title.yml

@@ -18,7 +18,19 @@ jobs:
     name: Conventional Commit Title
     steps:
       - name: Validate PR title
-        uses: ytanikin/pr-conventional-commits@fda730cb152c05a849d6d84325e50c6182d9d1e9 # 1.5.1
+        uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          task_types: '["feat","fix","docs","test","ci","refactor","perf","chore","revert","style","build"]'
-          add_label: 'false'
+          types: |
+            feat
+            fix
+            docs
+            test
+            ci
+            refactor
+            perf
+            chore
+            revert
+            style
+            build

.github/workflows/release-lakebase.yml

@@ -45,6 +45,11 @@ jobs:
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
 
+      - name: Setup JFrog npm
+        uses: ./.github/actions/setup-jfrog-npm
+        with:
+          npmrc-path: .npmrc
+
       - name: Setup pnpm
         uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
 

.github/workflows/release.yml

@@ -45,6 +45,11 @@ jobs:
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
 
+      - name: Setup JFrog npm
+        uses: ./.github/actions/setup-jfrog-npm
+        with:
+          npmrc-path: .npmrc
+
       - name: Setup pnpm
         uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
 
@@ -103,6 +108,7 @@ jobs:
 
     permissions:
       contents: write
+      id-token: write
 
     steps:
       - name: Checkout
@@ -117,6 +123,9 @@ jobs:
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
 
+      - name: Setup JFrog npm
+        uses: ./.github/actions/setup-jfrog-npm
+
       - name: Setup pnpm
         uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0