From f9d2f8eda0c07b9de2ea9923845ff0ded616d05a Mon Sep 17 00:00:00 2001
From: Shreyas Goenka
Date: Mon, 22 Sep 2025 15:05:07 +0200
Subject: [PATCH 1/6] Try OIDC
---
 .github/workflows/experiment/oidc.yml | 38 +++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 .github/workflows/experiment/oidc.yml
diff --git a/.github/workflows/experiment/oidc.yml b/.github/workflows/experiment/oidc.yml
new file mode 100644
index 0000000000..0e9ae0c09b
--- /dev/null
+++ b/.github/workflows/experiment/oidc.yml
@@ -0,0 +1,38 @@
+name: Try OIDC
+
+on:
+ pull_request:
+ types: [opened, synchronize, reopened]
+
+permissions:
+ id-token: write
+ contents: read
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ environment: prod
+ env:
+ DATABRICKS_AUTH_TYPE: github-oidc
+ DATABRICKS_HOST: https://my-workspace.cloud.databricks.com/
+ DATABRICKS_CLIENT_ID: d4116c39-c6c4-4107-80e8-feec3aebd5c5
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Install Databricks CLI
+ uses: databricks/setup-cli@main
+
+ - name: Run Databricks CLI commands
+ run: databricks current-user me
+
+# LIMIT TO MAIN AS WELL?
+# {
+# "oidc_policy": {
+# "issuer": "https://token.actions.githubusercontent.com",
+# "audiences": [
+# "https://github.com/databricks/cli"
+# ],
+# "subject": "repo:databricks/cli:job_workflow_ref:databricks-eng/ds-projects/.github/workflows/experiment/oidc.yaml"
+# }
+# }'
From e2c6bd72b4b5cd184092a9ebbc4f84e2d8a1ff27 Mon Sep 17 00:00:00 2001
From: Shreyas Goenka
Date: Mon, 22 Sep 2025 15:07:02 +0200
Subject: [PATCH 2/6] Move OIDC workflow to correct location for GitHub Actions
---
 .github/workflows/{experiment => }/oidc.yml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename .github/workflows/{experiment => }/oidc.yml (100%)
diff --git a/.github/workflows/experiment/oidc.yml b/.github/workflows/oidc.yml
similarity index 100%
rename from .github/workflows/experiment/oidc.yml
rename to .github/workflows/oidc.yml
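Review bot: `uses: databricks/setup-cli@main` pulls a mutable branch of a third-party action into a job that holds `id-token: write`, so anyone who can push to that branch can run code with the OIDC token this job mints; pin it to a full commit SHA with the version in a trailing comment (`uses: databricks/setup-cli@<sha> # vX.Y.Z`) and consider the same for `actions/checkout@v4`. On the open question in the trailing comment (`# LIMIT TO MAIN AS WELL?`): with this `pull_request` trigger the job never runs on `main`, and by default GitHub's `sub` claim for a job that declares `environment: prod` is `repo:<owner>/<repo>:environment:prod` rather than a `job_workflow_ref` form, so as written the commented policy subject would not match — either write the policy against the environment subject and protect `prod` with required reviewers and a deployment-branch rule, or switch the trigger to `push` on `main`. The commented subject also names a different repository and path (`databricks-eng/ds-projects/...experiment/oidc.yaml`) than this file, so verify it against the actual token claims before relying on it.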
From 6ce501ddd604fe3ea7112fdfb0a19bb7c6f95471 Mon Sep 17 00:00:00 2001
From: Shreyas Goenka
Date: Mon, 22 Sep 2025 15:09:25 +0200
Subject: [PATCH 3/6] -
---
 .github/workflows/oidc.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/oidc.yml b/.github/workflows/oidc.yml
index 0e9ae0c09b..f274c84ebb 100644
--- a/.github/workflows/oidc.yml
+++ b/.github/workflows/oidc.yml
@@ -14,7 +14,7 @@ jobs:
 environment: prod
 env:
 DATABRICKS_AUTH_TYPE: github-oidc
- DATABRICKS_HOST: https://my-workspace.cloud.databricks.com/
+ DATABRICKS_HOST: https://adb-575821473882772.12.azuredatabricks.net
 DATABRICKS_CLIENT_ID: d4116c39-c6c4-4107-80e8-feec3aebd5c5
 steps:
 - name: Checkout repository
From 0b666388e658f3193d4a3799e5e4843b6c50c256 Mon Sep 17 00:00:00 2001
From: Shreyas Goenka
Date: Mon, 22 Sep 2025 15:11:12 +0200
Subject: [PATCH 4/6] fix client ID
---
 .github/workflows/oidc.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/oidc.yml b/.github/workflows/oidc.yml
index f274c84ebb..6fbdb5ba38 100644
--- a/.github/workflows/oidc.yml
+++ b/.github/workflows/oidc.yml
@@ -15,7 +15,7 @@ jobs:
 env:
 DATABRICKS_AUTH_TYPE: github-oidc
 DATABRICKS_HOST: https://adb-575821473882772.12.azuredatabricks.net
- DATABRICKS_CLIENT_ID: d4116c39-c6c4-4107-80e8-feec3aebd5c5
+ DATABRICKS_CLIENT_ID: a71e69be-fe57-484b-ae8b-bb6ce382668a
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
From 910a8948ecab404b69f23557f10ce39073b65862 Mon Sep 17 00:00:00 2001
From: Shreyas Goenka
Date: Mon, 22 Sep 2025 17:03:17 +0200
Subject: [PATCH 5/6] Refactor OIDC workflow into composite action
- Move Databricks CLI steps to .github/actions/foo/bar/action.yml
- Update workflow to use composite action with inputs
- Makes the OIDC testing logic reusable
---
 .github/actions/foo/bar/action.yml | 25 +++++++++++++++++++++++++
 .github/workflows/oidc.yml | 29 +++++------------------------
 2 files changed, 30 insertions(+), 24 deletions(-)
 create mode 100644 .github/actions/foo/bar/action.yml
diff --git a/.github/actions/foo/bar/action.yml b/.github/actions/foo/bar/action.yml
new file mode 100644
index 0000000000..076bc57ab8
--- /dev/null
+++ b/.github/actions/foo/bar/action.yml
@@ -0,0 +1,25 @@
+name: 'Databricks OIDC Test'
+description: 'Test Databricks CLI with OIDC authentication'
+inputs:
+ databricks_host:
+ description: 'Databricks workspace host URL'
+ required: true
+ databricks_client_id:
+ description: 'Databricks client ID for OIDC'
+ required: true
+runs:
+ using: 'composite'
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Install Databricks CLI
+ uses: databricks/setup-cli@main
+
+ - name: Run Databricks CLI commands
+ shell: bash
+ env:
+ DATABRICKS_AUTH_TYPE: github-oidc
+ DATABRICKS_HOST: ${{ inputs.databricks_host }}
+ DATABRICKS_CLIENT_ID: ${{ inputs.databricks_client_id }}
+ run: databricks current-user me
diff --git a/.github/workflows/oidc.yml b/.github/workflows/oidc.yml
index 6fbdb5ba38..8c0c290e00 100644
--- a/.github/workflows/oidc.yml
+++ b/.github/workflows/oidc.yml
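Review bot: The composite action again takes `databricks/setup-cli@main`, an unpinned branch ref, and it is the step that performs the OIDC token exchange, so pin it to a commit SHA (`uses: databricks/setup-cli@<sha> # vX.Y.Z`) before this moves beyond an experiment. Passing the inputs through the step's `env:` instead of interpolating `${{ inputs.* }}` into `run:` is the right shape, since it keeps an attacker-controlled `databricks_host` out of the shell command line; keep that pattern when the action grows more commands. The path `.github/actions/foo/bar` and the `description` read as placeholders; rename the action to what it does before merging.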
@@ -11,28 +11,9 @@ permissions:
 jobs:
 deploy:
 runs-on: ubuntu-latest
- environment: prod
- env:
- DATABRICKS_AUTH_TYPE: github-oidc
- DATABRICKS_HOST: https://adb-575821473882772.12.azuredatabricks.net
- DATABRICKS_CLIENT_ID: a71e69be-fe57-484b-ae8b-bb6ce382668a
 steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- - name: Install Databricks CLI
- uses: databricks/setup-cli@main
-
- - name: Run Databricks CLI commands
- run: databricks current-user me
-
-# LIMIT TO MAIN AS WELL?
-# {
-# "oidc_policy": {
-# "issuer": "https://token.actions.githubusercontent.com",
-# "audiences": [
-# "https://github.com/databricks/cli"
-# ],
-# "subject": "repo:databricks/cli:job_workflow_ref:databricks-eng/ds-projects/.github/workflows/experiment/oidc.yaml"
-# }
-# }'
+ - name: Test Databricks OIDC
+ uses: ./.github/actions/foo/bar
+ with:
+ databricks_host: https://adb-575821473882772.12.azuredatabricks.net
+ databricks_client_id: a71e69be-fe57-484b-ae8b-bb6ce382668a
From ae4f2ab710463439349049d652d6b678e86b6723 Mon Sep 17 00:00:00 2001
From: Shreyas Goenka
Date: Mon, 22 Sep 2025 17:06:44 +0200
Subject: [PATCH 6/6] Fix local action checkout issue
- Add checkout step to main workflow before calling local action
- Remove redundant checkout from composite action
- Fixes 'Can't find action.yml' error
---
 .github/actions/foo/bar/action.yml | 3 ---
 .github/workflows/oidc.yml | 3 +++
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/actions/foo/bar/action.yml b/.github/actions/foo/bar/action.yml
index 076bc57ab8..42e8d07222 100644
--- a/.github/actions/foo/bar/action.yml
+++ b/.github/actions/foo/bar/action.yml
@@ -10,9 +10,6 @@ inputs:
 runs:
 using: 'composite'
 steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
 - name: Install Databricks CLI
 uses: databricks/setup-cli@main
diff --git a/.github/workflows/oidc.yml b/.github/workflows/oidc.yml
index 8c0c290e00..a3d8401b50 100644
--- a/.github/workflows/oidc.yml
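Review bot: The refactor silently drops `environment: prod` from the `deploy` job (the `- environment: prod` line) while the commit message describes only a move into a composite action; that environment is what attached protection rules (required reviewers, deployment-branch restrictions) to a job that runs on every `pull_request` with `id-token: write`, and removing it also changes GitHub's default OIDC `sub` claim from `repo:<owner>/<repo>:environment:prod` to `repo:<owner>/<repo>:pull_request`, so a Databricks federation policy written against the environment subject stops matching, and one written against the pull_request subject would let any PR in this repository authenticate as the service principal. Restore `environment: prod` on the job — it belongs at the job level, a composite action cannot declare it — unless the drop is intentional, in which case say so in the message and re-check the federation policy. The hard-coded `databricks_host` and `databricks_client_id` could also come from repository variables (`${{ vars.DATABRICKS_HOST }}`, `${{ vars.DATABRICKS_CLIENT_ID }}`) so the workflow file does not have to change when the workspace or principal does.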
+++ b/.github/workflows/oidc.yml
@@ -12,6 +12,9 @@ jobs:
 deploy:
 runs-on: ubuntu-latest
 steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
 - name: Test Databricks OIDC
 uses: ./.github/actions/foo/bar
 with:
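Review bot: Adding `actions/checkout@v4` ahead of `uses: ./.github/actions/foo/bar` means the local action is loaded from the checked-out PR merge ref, so on a `pull_request` run the code that executes with the OIDC token is whatever the PR branch contains, including any edit to `action.yml`; as far as I know GitHub withholds `id-token: write` from fork pull requests, but any branch pushed to this repository gets it. If testing OIDC from PRs is the goal, gate the job with an environment that has required reviewers, or run it on `push` to `main` where the checked-out action matches the trusted ref. Pinning `actions/checkout` to a commit SHA would be consistent with hardening the rest of the job. The `with:` block of the `deploy` step continues past the end of the hunk.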