Skip to content

Commit dbedfe0

Browse files
ai: apply changes for #862 (1 review thread)
Addresses: - #3599241197 at .github/actions/install-bot-engine/action.yml:58
1 parent 021fc6c commit dbedfe0

1 file changed

Lines changed: 29 additions & 8 deletions

File tree

.github/actions/install-bot-engine/action.yml

Lines changed: 29 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -70,13 +70,21 @@ runs:
7070
if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
7171
echo "::error::Could not extract JFrog access token (is id-token:write granted?)"; exit 1
7272
fi
73-
echo "PIP_INDEX_URL=https://gha-service-account:${ACCESS_TOKEN}@databricks.jfrog.io/artifactory/api/pypi/db-pypi/simple" >> "$GITHUB_ENV"
74-
cat > ~/.npmrc << EOF
73+
# Do NOT export the token-bearing index URL to $GITHUB_ENV or write it to
74+
# ~/.npmrc: either would leak the embedded credential into the environment
75+
# of every LATER step in the job (the author/publish/comment steps that run
76+
# the model and `gh`). Instead stash both creds in JOB-LOCAL files (0600)
77+
# under RUNNER_TEMP; the install step below loads them into its own step-local
78+
# environment and removes them in its EXIT trap — the same scope-and-cleanup
79+
# discipline the git extraheader already uses.
80+
umask 077
81+
printf '%s\n' "https://gha-service-account:${ACCESS_TOKEN}@databricks.jfrog.io/artifactory/api/pypi/db-pypi/simple" > "${RUNNER_TEMP:-/tmp}/bot-jfrog-pip-index"
82+
cat > "${RUNNER_TEMP:-/tmp}/bot-jfrog-npmrc" << EOF
7583
registry=https://databricks.jfrog.io/artifactory/api/npm/db-npm/
7684
//databricks.jfrog.io/artifactory/api/npm/db-npm/:_authToken=${ACCESS_TOKEN}
7785
always-auth=true
7886
EOF
79-
echo "JFrog mirror configured for pip + npm"
87+
echo "JFrog mirror configured for pip + npm (job-local creds)"
8088
8189
- name: Install engine (pinned REF) + Claude SDK/CLI
8290
shell: bash
@@ -110,13 +118,26 @@ runs:
110118
echo "::add-mask::${BASIC}"
111119
export GIT_CONFIG_GLOBAL="${RUNNER_TEMP:-/tmp}/bot-engine-gitconfig-$$"
112120
: > "$GIT_CONFIG_GLOBAL"
113-
trap 'git config --global --unset-all "http.https://github.com/.extraheader" || true; rm -f "$GIT_CONFIG_GLOBAL"' EXIT
121+
# Job-local JFrog creds written by the mirror step above (if any). Load the
122+
# pip index into a per-command flag and point npm at the job-local .npmrc,
123+
# so neither credential lands in $GITHUB_ENV / ~/.npmrc for later steps.
124+
JFROG_PIP_INDEX_FILE="${RUNNER_TEMP:-/tmp}/bot-jfrog-pip-index"
125+
JFROG_NPMRC_FILE="${RUNNER_TEMP:-/tmp}/bot-jfrog-npmrc"
126+
trap 'git config --global --unset-all "http.https://github.com/.extraheader" || true; rm -f "$GIT_CONFIG_GLOBAL" "$JFROG_PIP_INDEX_FILE" "$JFROG_NPMRC_FILE"' EXIT
114127
git config --global "http.https://github.com/.extraheader" "Authorization: Basic ${BASIC}"
115-
python -m pip install --upgrade pip
128+
PIP_ARGS=()
129+
NPM_ARGS=()
130+
if [ -s "$JFROG_PIP_INDEX_FILE" ]; then
131+
PIP_ARGS=(--index-url "$(cat "$JFROG_PIP_INDEX_FILE")")
132+
fi
133+
if [ -s "$JFROG_NPMRC_FILE" ]; then
134+
NPM_ARGS=(--userconfig "$JFROG_NPMRC_FILE")
135+
fi
136+
python -m pip install "${PIP_ARGS[@]}" --upgrade pip
116137
# REF mode resolves the published engine's deps unpinned + installs the
117138
# SDK/CLI by version (a consumer can't see the engine's hash-locked
118139
# requirements). SDK_VERSION/CLI_VERSION track the engine at ENGINE_REF.
119-
pip install "databricks-bot-engine @ git+https://github.com/${ENGINE_REPO}@${ENGINE_REF}"
120-
pip install "claude-agent-sdk==${SDK_VERSION}"
121-
npm install -g "@anthropic-ai/claude-code@${CLI_VERSION}"
140+
pip install "${PIP_ARGS[@]}" "databricks-bot-engine @ git+https://github.com/${ENGINE_REPO}@${ENGINE_REF}"
141+
pip install "${PIP_ARGS[@]}" "claude-agent-sdk==${SDK_VERSION}"
142+
npm install "${NPM_ARGS[@]}" -g "@anthropic-ai/claude-code@${CLI_VERSION}"
122143
echo "$(npm prefix -g)/bin" >> "$GITHUB_PATH"

0 commit comments

Comments
 (0)