Use Databricks protected runner group for CI actions (#1369)

## Summary
- Reverts #1350 (migration to GitHub-hosted runners) — GitHub-hosted
runner IPs are blocked by the Databricks org IP allow list
- Adds Maven dependency caching infrastructure for forked PRs to work
with JFrog Artifactory proxy

## Problem
After migrating to JFrog Artifactory as a Maven registry proxy (supply
chain security), forked PRs cannot authenticate to JFrog because GitHub
Actions restricts OIDC token minting for fork workflows. This breaks all
forked PR CI (unit tests, integration tests, formatting, coverage).

## Solution: Cache-based dependency resolution for forks

### New files
- `.github/actions/setup-maven/action.yml` — Reusable composite action
that detects forked PRs and either authenticates to JFrog (same-repo) or
restores the dependency cache (fork). Eliminates duplicated OIDC + cache
blocks across workflows.
- `.github/workflows/warmMavenCache.yml` — Privileged workflow that
resolves all dependencies via JFrog and saves the cache. Triggers: push
to main (on pom.xml changes), daily schedule (prevents 7-day cache
eviction), manual dispatch with optional PR number to warm cache from a
fork pom.xml (sparse checkout of only pom.xml files — no source code
from fork).

### Modified workflows (use composite action)
- `prCheck.yml` (formatting, unit tests, packaging) — 3 jobs now use
fork detection + composite action
- `prIntegrationTests.yml` — uses composite action
- `coverageReport.yml` — uses composite action

### How it works
1. Main branch and same-repo PRs: unchanged — OIDC to JFrog as before
2. Cache warmer saves dependencies with key
`{os}-maven-deps-{hash(pom.xml)}` — each unique pom.xml gets its own
cache entry (content-addressable), so concurrent PRs with different
dependency versions coexist
3. Forked PRs: restore cache from default branch (GitHub allows this per
cache sharing rules), no JFrog credentials
4. If a forked PR changes pom.xml and the new dependency is not in
cache, CI fails with a clear error. A maintainer triggers the cache
warmer with the PR number to warm the cache, then the contributor
re-runs CI.
5. Stale cache entries (from closed/merged PRs) are auto-evicted by
GitHub after 7 days of no access


## Test plan
- [ ] CI checks pass on this PR using Databricks runners
- [ ] After merge: manually trigger "Warm Maven Dependency Cache"
workflow on main
- [ ] Verify cache entries appear via Actions > Caches
- [ ] Create a test forked PR and verify CI restores cache and builds
pass
- [ ] Verify forked PR with pom.xml change fails clearly, then passes
after cache warm

NO_CHANGELOG=true

---------

Signed-off-by: Gopal Lal <gopal.lal@databricks.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: gopalldb

.github/actions/setup-maven/action.yml

@@ -0,0 +1,110 @@
+name: 'Setup Maven with JFrog or Cache'
+description: |
+  Configures Maven for builds. For same-repo PRs and main branch pushes,
+  authenticates to JFrog Artifactory via OIDC token exchange. For forked PRs,
+  restores the Maven dependency cache from the default branch (no credentials).
+
+inputs:
+  is-fork:
+    description: 'Whether this is a forked PR (true/false). Caller should compute this.'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    # --- Forked PR path: restore cache only, no JFrog credentials ---
+    - name: Restore Maven cache (fork)
+      if: inputs.is-fork == 'true'
+      uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+      with:
+        path: ~/.m2/repository
+        key: ${{ runner.os }}-maven-deps-${{ hashFiles('**/pom.xml') }}
+        restore-keys: ${{ runner.os }}-maven-deps-
+
+    - name: Configure Maven without credentials (fork)
+      if: inputs.is-fork == 'true'
+      shell: bash
+      run: |
+        mkdir -p ~/.m2
+        cat > ~/.m2/settings.xml << 'SETTINGS_EOF'
+        <settings>
+          <mirrors>
+            <mirror>
+              <id>jfrog-central</id>
+              <mirrorOf>*</mirrorOf>
+              <url>https://databricks.jfrog.io/artifactory/db-maven/</url>
+            </mirror>
+          </mirrors>
+          <!-- No <servers> block: forked PRs use cached dependencies only.
+               Any cache miss will produce a clear HTTP 401 error indicating
+               the dependency is not in cache. Ask a maintainer to run the
+               "Warm Maven Dependency Cache" workflow with your PR number. -->
+        </settings>
+        SETTINGS_EOF
+
+        echo "Maven configured for forked PR (cache-only, no JFrog credentials)"
+
+    # --- Same-repo path: full JFrog OIDC authentication ---
+    - name: Get JFrog OIDC token
+      if: inputs.is-fork == 'false'
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        # Get GitHub OIDC ID token
+        ID_TOKEN=$(curl -sLS \
+          -H "User-Agent: actions/oidc-client" \
+          -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+          "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"')
+        echo "::add-mask::${ID_TOKEN}"
+
+        # Exchange for JFrog access token
+        ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \
+          "https://databricks.jfrog.io/access/api/v1/oidc/token" \
+          -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq .access_token | tr -d '"')
+        echo "::add-mask::${ACCESS_TOKEN}"
+
+        if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
+          echo "FAIL: Could not extract JFrog access token"
+          exit 1
+        fi
+
+        echo "JFROG_ACCESS_TOKEN=${ACCESS_TOKEN}" >> "$GITHUB_ENV"
+
+        echo "JFrog OIDC token obtained successfully"
+
+    - name: Configure Maven with JFrog credentials
+      if: inputs.is-fork == 'false'
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        mkdir -p ~/.m2
+        cat > ~/.m2/settings.xml << EOF
+        <settings>
+          <mirrors>
+            <mirror>
+              <id>jfrog-central</id>
+              <mirrorOf>*</mirrorOf>
+              <url>https://databricks.jfrog.io/artifactory/db-maven/</url>
+            </mirror>
+          </mirrors>
+          <servers>
+            <server>
+              <id>jfrog-central</id>
+              <username>gha-service-account</username>
+              <password>${JFROG_ACCESS_TOKEN}</password>
+            </server>
+          </servers>
+        </settings>
+        EOF
+
+        echo "Maven configured to use JFrog registry"
+
+    - name: Cache Maven packages
+      if: inputs.is-fork == 'false'
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+      with:
+        path: ~/.m2
+        key: ${{ runner.os }}-maven-deps-${{ hashFiles('**/pom.xml') }}
+        restore-keys: ${{ runner.os }}-maven-deps-

.github/workflows/bugCatcher.yml

@@ -6,12 +6,15 @@ on:
     - cron: '0 0 * * 1'
 
 permissions:
+  id-token: write
   contents: read
 
 jobs:
   build-and-test:
     name: Build and Run Integration Tests
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
     environment: azure-prod
     steps:
       - name: Checkout code
@@ -23,6 +26,58 @@ jobs:
           java-version: 21
           distribution: 'adopt'
 
+      - name: Get JFrog OIDC token
+        run: |
+          set -euo pipefail
+
+          # Get GitHub OIDC ID token
+          ID_TOKEN=$(curl -sLS \
+            -H "User-Agent: actions/oidc-client" \
+            -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+            "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"')
+          echo "::add-mask::${ID_TOKEN}"
+
+          # Exchange for JFrog access token
+          ACCESS_TOKEN=$(curl -sLS -XPOST -H "Content-Type: application/json" \
+            "https://databricks.jfrog.io/access/api/v1/oidc/token" \
+            -d "{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"${ID_TOKEN}\", \"provider_name\": \"github-actions\"}" | jq .access_token | tr -d '"')
+          echo "::add-mask::${ACCESS_TOKEN}"
+
+          if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
+            echo "FAIL: Could not extract JFrog access token"
+            exit 1
+          fi
+
+          echo "JFROG_ACCESS_TOKEN=${ACCESS_TOKEN}" >> "$GITHUB_ENV"
+
+          echo "JFrog OIDC token obtained successfully"
+
+      - name: Configure maven
+        run: |
+          set -euo pipefail
+
+          mkdir -p ~/.m2
+          cat > ~/.m2/settings.xml << EOF
+          <settings>
+            <mirrors>
+              <mirror>
+                <id>jfrog-central</id>
+                <mirrorOf>*</mirrorOf>
+                <url>https://databricks.jfrog.io/artifactory/db-maven/</url>
+              </mirror>
+            </mirrors>
+            <servers>
+              <server>
+                <id>jfrog-central</id>
+                <username>gha-service-account</username>
+                <password>${JFROG_ACCESS_TOKEN}</password>
+              </server>
+            </servers>
+          </settings>
+          EOF
+
+          echo "Maven configured to use JFrog registry"
+
       - name: Cache Maven packages
         uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:

.github/workflows/checkNextChangelog.yml

@@ -9,7 +9,9 @@ permissions:
 
 jobs:
   check-next-changelog:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
 
     steps:
       - name: Checkout base branch (main)

.github/workflows/claude-code-review.yml

@@ -12,7 +12,9 @@ jobs:
       (github.event.comment.author_association == 'OWNER' ||
        github.event.comment.author_association == 'MEMBER' ||
        github.event.comment.author_association == 'COLLABORATOR')
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
     permissions:
       contents: read
       pull-requests: write

.github/workflows/claude.yml

@@ -21,7 +21,9 @@ jobs:
         (github.event.review.author_association == 'OWNER' || github.event.review.author_association == 'MEMBER' || github.event.review.author_association == 'COLLABORATOR')) ||
       (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) &&
         (github.event.issue.author_association == 'OWNER' || github.event.issue.author_association == 'MEMBER' || github.event.issue.author_association == 'COLLABORATOR'))
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
     permissions:
       contents: read
       pull-requests: read

.github/workflows/closeStale.yml

@@ -10,7 +10,9 @@ permissions:
 
 jobs:
   stale:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
     steps:
       # Release v8 (https://github.com/actions/stale/tree/v8.0.0)
       - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8

.github/workflows/concurrencyExecutionTests.yml

@@ -15,12 +15,15 @@ on:
         default: 'databricks/databricks-jdbc'
 
 permissions:
+  id-token: write
   contents: read
 
 jobs:
   concurrency-tests:
     name: Run Concurrency Execution Tests
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
     environment: azure-prod
     strategy:
       fail-fast: false
@@ -41,12 +44,12 @@ jobs:
           java-version: ${{ matrix.java-version }}
           distribution: 'adopt'
 
-      - name: Cache Maven packages
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+      # This workflow only runs on push to main or manual dispatch — never on forked PRs.
+      # is-fork is always false here, but we use the composite action for consistency.
+      - name: Setup Maven
+        uses: ./.github/actions/setup-maven
         with:
-          path: ~/.m2
-          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
-          restore-keys: ${{ runner.os }}-m2
+          is-fork: 'false'
 
       - name: Run Concurrency Execution Tests
         run: mvn -pl jdbc-core -B test -Dtest=com.databricks.jdbc.integration.e2e.ConcurrentExecutionTests -DargLine="-ea"

.github/workflows/coverageReport.yml

@@ -1,39 +1,52 @@
 name: Code Coverage
 
 permissions:
+  id-token: write
   contents: read
 
 on:
   pull_request:
 
 jobs:
   coverage:
-    runs-on: ubuntu-latest
-    
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
+
     steps:
     - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       with:
         fetch-depth: 0  # Needed for coverage comparison
         ref: ${{ github.event.pull_request.head.ref || github.ref_name }}
         repository: ${{ github.event.pull_request.head.repo.full_name ||  github.repository }}
-        
+
     - name: Set up JDK
       uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
       with:
         java-version: '21'
         distribution: 'adopt'
-        
-    - name: Cache dependencies
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+
+    - name: Check if fork
+      id: fork-check
+      shell: bash
+      run: |
+        if [ "${{ github.event.pull_request.head.repo.full_name }}" != "" ] && \
+           [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then
+          echo "is_fork=true" >> $GITHUB_OUTPUT
+          echo "This is a forked PR — will use cached dependencies"
+        else
+          echo "is_fork=false" >> $GITHUB_OUTPUT
+          echo "This is a same-repo PR — will use JFrog OIDC"
+        fi
+
+    - name: Setup Maven
+      uses: ./.github/actions/setup-maven
       with:
-        path: ~/.m2
-        key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
-        restore-keys: |
-          ${{ runner.os }}-m2-
-        
+        is-fork: ${{ steps.fork-check.outputs.is_fork }}
+
     - name: Run tests with coverage
       run: mvn -pl jdbc-core clean test -Dgroups='!Jvm17PlusAndArrowToNioReflectionDisabled' jacoco:report
-      
+
     - name: Check for coverage override
       id: override
       env:
@@ -49,7 +62,7 @@ jobs:
           echo "override=false" >> $GITHUB_OUTPUT
           echo "No coverage override found"
         fi
-      
+
     - name: Check coverage percentage
       if: steps.override.outputs.override == 'false'
       run: |
@@ -58,22 +71,22 @@ jobs:
           echo "ERROR: Coverage file not found at $COVERAGE_FILE"
           exit 1
         fi
-        
+
         # Install xmllint if not available
         if ! command -v xmllint &> /dev/null; then
           sudo apt-get update && sudo apt-get install -y libxml2-utils
         fi
-        
+
         COVERED=$(xmllint --xpath "string(//report/counter[@type='INSTRUCTION']/@covered)" "$COVERAGE_FILE")
         MISSED=$(xmllint --xpath "string(//report/counter[@type='INSTRUCTION']/@missed)" "$COVERAGE_FILE")
         TOTAL=$((COVERED + MISSED))
-        
+
         # Use Python for floating-point math
         PERCENTAGE=$(python3 -c "covered=${COVERED}; total=${TOTAL}; print(round((covered/total)*100, 2))")
-        
+
         echo "Branch Coverage: $PERCENTAGE%"
         echo "Required Coverage: 85%"
-        
+
         # Use Python to compare the coverage with 85
         python3 -c "import sys; sys.exit(0 if float('$PERCENTAGE') >= 85 else 1)"
         if [ $? -eq 1 ]; then
@@ -82,15 +95,15 @@ jobs:
         else
           echo "SUCCESS: Coverage is $PERCENTAGE%, which meets the required 85%"
         fi
-        
+
     - name: Coverage enforcement summary
       env:
         OVERRIDE: ${{ steps.override.outputs.override }}
         OVERRIDE_REASON: ${{ steps.override.outputs.reason }}
       run: |
         if [ "$OVERRIDE" == "true" ]; then
-          echo "⚠️ Coverage checks bypassed: $OVERRIDE_REASON"
+          echo "Coverage checks bypassed: $OVERRIDE_REASON"
           echo "Please ensure this override is justified and temporary"
         else
-          echo "✅ Coverage checks enforced - minimum 85% required"
-        fi
+          echo "Coverage checks enforced - minimum 85% required"
+        fi

.github/workflows/dco-check.yml

@@ -10,7 +10,9 @@ permissions:
 
 jobs:
   dco-check:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
     name: Check DCO Sign-off
     steps:
       - name: Checkout