From ef2324ebe19791268f69dd545c584a5ecff19a13 Mon Sep 17 00:00:00 2001 From: Tanmay Rustagi Date: Wed, 8 Apr 2026 11:37:01 +0200 Subject: [PATCH 1/5] Add one-off security scan workflow to identify CVEs Co-authored-by: Isaac --- .github/workflows/security-scan.yml | 39 +++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 .github/workflows/security-scan.yml diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml new file mode 100644 index 000000000..073caad3b --- /dev/null +++ b/.github/workflows/security-scan.yml @@ -0,0 +1,39 @@ +name: Security Scan + +on: + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 + + - name: Set up JDK 8 + uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4 + with: + java-version: 8 + + - name: Cache Maven packages + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 + with: + path: ~/.m2 + key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} + restore-keys: ${{ runner.os }}-m2 + + - name: Build JAR + run: mvn --errors package -DskipTests -pl databricks-sdk-java + + - name: Upload build artifact + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 + with: + name: build-artifact + path: databricks-sdk-java/target/*.jar + + security-scan: + needs: build + uses: databricks-eng/gh-action-scan/.github/workflows/scan.yml@v1.0.0 + with: + download-artifact: build-artifact + artifact-name: databricks-sdk-java From dd8238ca1a5c2b6c38ede4b5a0956f545d7330ac Mon Sep 17 00:00:00 2001 From: Tanmay Rustagi Date: Wed, 8 Apr 2026 11:37:43 +0200 Subject: [PATCH 2/5] Trigger security scan on push to java-security branch Co-authored-by: Isaac --- .github/workflows/security-scan.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index 073caad3b..5791db67c 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml @@ -2,6 +2,9 @@ name: Security Scan on: workflow_dispatch: + push: + branches: + - java-security jobs: build: From 779c5a84e38cb4f21faa8075ad204dd9e3669510 Mon Sep 17 00:00:00 2001 From: Tanmay Rustagi Date: Wed, 8 Apr 2026 11:38:32 +0200 Subject: [PATCH 3/5] Switch to composite action approach for security scan Cross-org reusable workflows not supported, use composite action instead. Co-authored-by: Isaac --- .github/workflows/security-scan.yml | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index 5791db67c..6f45b5a0e 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml @@ -7,7 +7,7 @@ on: - java-security jobs: - build: + build-and-scan: runs-on: ubuntu-latest steps: - name: Checkout @@ -28,15 +28,8 @@ jobs: - name: Build JAR run: mvn --errors package -DskipTests -pl databricks-sdk-java - - name: Upload build artifact - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 + - name: Security scan + uses: databricks-eng/gh-action-scan@v1.0.0 with: - name: build-artifact - path: databricks-sdk-java/target/*.jar - - security-scan: - needs: build - uses: databricks-eng/gh-action-scan/.github/workflows/scan.yml@v1.0.0 - with: - download-artifact: build-artifact - artifact-name: databricks-sdk-java + artifact-path: databricks-sdk-java/target/ + artifact-name: databricks-sdk-java From 0e9384b768a3260c76c8addd1c1cb36cccca7302 Mon Sep 17 00:00:00 2001 From: Tanmay Rustagi Date: Wed, 8 Apr 2026 11:39:30 +0200 Subject: [PATCH 4/5] Pin gh-action-scan to full commit SHA (org requirement) Co-authored-by: Isaac --- .github/workflows/security-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index 6f45b5a0e..4f8edc516 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml @@ -29,7 +29,7 @@ jobs: run: mvn --errors package -DskipTests -pl databricks-sdk-java - name: Security scan - uses: databricks-eng/gh-action-scan@v1.0.0 + uses: databricks-eng/gh-action-scan@1c260de6986f77d8c505975ce434830a7afdb95f # main with: artifact-path: databricks-sdk-java/target/ artifact-name: databricks-sdk-java From 1d11cb769b311ee48ea64bbaa33eb7e7d316eb5c Mon Sep 17 00:00:00 2001 From: Tanmay Rustagi Date: Wed, 8 Apr 2026 11:40:31 +0200 Subject: [PATCH 5/5] Use direct CLI approach: clone scanner and run scan.sh Cross-org composite actions also blocked, checkout + run directly. Co-authored-by: Isaac --- .github/workflows/security-scan.yml | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index 4f8edc516..4e91b8459 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml @@ -28,8 +28,25 @@ jobs: - name: Build JAR run: mvn --errors package -DskipTests -pl databricks-sdk-java - - name: Security scan - uses: databricks-eng/gh-action-scan@1c260de6986f77d8c505975ce434830a7afdb95f # main + - name: Checkout scanner + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 + with: + repository: databricks-eng/gh-action-scan + path: .scan + token: ${{ secrets.GITHUB_TOKEN }} + + - name: Run security scan + run: | + chmod +x .scan/scan.sh + .scan/scan.sh \ + --artifact-path databricks-sdk-java/target/ \ + --artifact-name databricks-sdk-java \ + --output-dir ./scan-results + + - name: Upload scan results + if: ${{ !cancelled() }} + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: - artifact-path: databricks-sdk-java/target/ - artifact-name: databricks-sdk-java + name: security-scan-results + path: ./scan-results/ + if-no-files-found: warn