You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
ci: run fork-PR unit/lint/type checks offline from a prewarmed cache (#831) (#845)
Fork pull_request runs never receive a GitHub OIDC token, so
.github/actions/setup-jfrog (which mints a JFrog PyPI token from that OIDC
token) dies with "ACTIONS_ID_TOKEN_REQUEST_TOKEN: unbound variable" and every
required check goes red on every fork PR — regardless of the diff (#831,
reported against the trivial fork PR #671). Public PyPI is unreachable from the
protected runners, so a fork run can obtain no package source at all.
Adopt the Databricks SOP (mirrors databricks/dbt-databricks): a trusted warmer
workflow that DOES get OIDC pre-builds the in-project .venv for every matrix
leg and saves it to the Actions cache; fork PRs restore that .venv and run the
tools directly from .venv/bin, fully offline, never touching JFrog. Everything
still flows through JFrog (the warmer populates the cache from it); the fork
just holds no credentials, so there is no pull_request_target / secret-exposure
risk.
- .github/workflows/warm-deps-cache.yml: new, sole writer of the forkvenv-*
cache. Triggers on push:main (dep files), a daily schedule (beats GitHub's
7-day cache eviction), and workflow_dispatch with an optional pr_number that
warms a fork's changed lockfiles (fetches ONLY poetry.lock/pyproject.toml, no
source). Warms the full py x depset x extras matrix, priming mypy stubs too.
- .github/actions/restore-deps: new composite action; restores the newest
forkvenv-* entry for the leg via a restore-keys prefix and reports cache-hit.
- .github/workflows/code-quality-checks.yml: each job tries restore-deps first
and runs offline from .venv/bin on a hit; on a miss (all same-repo PRs, or a
fork whose lockfiles changed pre-warm) it falls back to the original
setup-poetry JFrog flow, unchanged. Same-repo PR behavior is unaffected.
Scope: unit + lint + type checks (the fork-reachable required checks). e2e /
kernel-e2e / integration / DBR-LTS stay merge-queue-gated (they need live
warehouse secrets).
Closes#831
Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
# --- Fallback path: same-repo PRs / cache miss use JFrog (unchanged) --
124
219
- name: Setup Poetry
220
+
if: steps.deps.outputs.cache-hit != 'true'
125
221
uses: ./.github/actions/setup-poetry
126
222
with:
127
223
python-version: ${{ matrix.python-version }}
@@ -132,19 +228,23 @@ jobs:
132
228
install-args: "--extras kernel"
133
229
cache-suffix: "kernel-"
134
230
- name: Show installed versions
231
+
if: steps.deps.outputs.cache-hit != 'true'
135
232
run: |
136
233
echo "=== with databricks-sql-kernel ==="
137
234
poetry run pip list
138
235
- name: Assert the real kernel wheel is installed (not a stub)
236
+
if: steps.deps.outputs.cache-hit != 'true'
139
237
run: |
140
238
poetry run python -c "import databricks_sql_kernel as k; assert k.__file__, 'kernel wheel missing __file__ — not the real wheel'; print('real kernel wheel:', k.__file__)"
141
239
- name: Unit tests (kernel wheel present, realkernel deselected)
240
+
if: steps.deps.outputs.cache-hit != 'true'
142
241
# The bulk of tests/unit fakes databricks_sql_kernel in
143
242
# sys.modules, so the real-wheel routing test is deselected here
144
243
# and run on its own below (a shared session would shadow the
145
244
# real wheel — both real-wheel tests fail loudly if that happens).
146
245
run: poetry run python -m pytest tests/unit -m "not realkernel"
147
246
- name: Drive use_kernel=True through the REAL wheel (routing)
247
+
if: steps.deps.outputs.cache-hit != 'true'
148
248
# Separate invocation, explicit file path: never collects the
149
249
# fake-module test file, so sys.modules stays unpolluted. This is
150
250
# the no-network proof that sql.connect(use_kernel=True) actually
0 commit comments