Merge remote-tracking branch 'origin' into telemetry/logger-2

.codegen.json

@@ -11,7 +11,7 @@
         "required": ["go"],
         "post_generate": [
             "go test -timeout 240s -run TestConsistentDatabricksSdkVersion github.com/databricks/cli/internal/build",
-            "go run ./bundle/internal/schema/*.go ./bundle/schema/jsonschema.json",
+            "make schema",
             "echo 'bundle/internal/tf/schema/\\*.go linguist-generated=true' >> ./.gitattributes",
             "echo 'go.sum linguist-generated=true' >> ./.gitattributes",
             "echo 'bundle/schema/jsonschema.json linguist-generated=true' >> ./.gitattributes"

.codegen/_openapi_sha

@@ -1 +1 @@
-d25296d2f4aa7bd6195c816fdf82e0f960f775da
+a6a317df8327c9b1e5cb59a03a42ffa2aabeef6d

.codegen/service.go.tmpl

@@ -411,5 +411,5 @@ func new{{.PascalName}}() *cobra.Command {
 {{- define "request-body-obj" -}}
 	{{- $method := .Method -}}
 	{{- $field := .Field -}}
-	{{$method.CamelName}}Req{{ if (and $method.RequestBodyField (not $field.IsPath)) }}.{{$method.RequestBodyField.PascalName}}{{end}}.{{$field.PascalName}}
+	{{$method.CamelName}}Req{{ if (and $method.RequestBodyField (and (not $field.IsPath) (not $field.IsQuery))) }}.{{$method.RequestBodyField.PascalName}}{{end}}.{{$field.PascalName}}
 {{- end -}}

.git-blame-ignore-revs

@@ -0,0 +1,8 @@
+# Enable gofumpt and goimports in golangci-lint (#1999)
+2e018cfaec200a02ee2bd5b389e7da3c6f15f460
+
+# Enable errcheck everywhere and fix or silent remaining issues (#1987)
+8d5351c1c3d7befda4baae5d6adb99367aa50b3c
+
+# Add error checking in tests and enable errcheck there (#1980)
+1b2be1b2cb4b7909df2a8ad4cb6a0f43e8fcf0c6

.gitattributes

@@ -8,6 +8,7 @@ cmd/account/custom-app-integration/custom-app-integration.go linguist-generated=
 cmd/account/disable-legacy-features/disable-legacy-features.go linguist-generated=true
 cmd/account/encryption-keys/encryption-keys.go linguist-generated=true
 cmd/account/esm-enablement-account/esm-enablement-account.go linguist-generated=true
+cmd/account/federation-policy/federation-policy.go linguist-generated=true
 cmd/account/groups/groups.go linguist-generated=true
 cmd/account/ip-access-lists/ip-access-lists.go linguist-generated=true
 cmd/account/log-delivery/log-delivery.go linguist-generated=true
@@ -19,6 +20,7 @@ cmd/account/o-auth-published-apps/o-auth-published-apps.go linguist-generated=tr
 cmd/account/personal-compute/personal-compute.go linguist-generated=true
 cmd/account/private-access/private-access.go linguist-generated=true
 cmd/account/published-app-integration/published-app-integration.go linguist-generated=true
+cmd/account/service-principal-federation-policy/service-principal-federation-policy.go linguist-generated=true
 cmd/account/service-principal-secrets/service-principal-secrets.go linguist-generated=true
 cmd/account/service-principals/service-principals.go linguist-generated=true
 cmd/account/settings/settings.go linguist-generated=true
@@ -37,6 +39,9 @@ cmd/workspace/apps/apps.go linguist-generated=true
 cmd/workspace/artifact-allowlists/artifact-allowlists.go linguist-generated=true
 cmd/workspace/automatic-cluster-update/automatic-cluster-update.go linguist-generated=true
 cmd/workspace/catalogs/catalogs.go linguist-generated=true
+cmd/workspace/clean-room-assets/clean-room-assets.go linguist-generated=true
+cmd/workspace/clean-room-task-runs/clean-room-task-runs.go linguist-generated=true
+cmd/workspace/clean-rooms/clean-rooms.go linguist-generated=true
 cmd/workspace/cluster-policies/cluster-policies.go linguist-generated=true
 cmd/workspace/clusters/clusters.go linguist-generated=true
 cmd/workspace/cmd.go linguist-generated=true

.github/workflows/integration-approve.yml

@@ -0,0 +1,32 @@
+name: integration-approve
+
+on:
+  merge_group:
+
+jobs:
+  # Trigger for merge groups.
+  #
+  # Statuses and checks apply to specific commits (by hash).
+  # Enforcement of required checks is done both at the PR level and the merge queue level.
+  # In case of multiple commits in a single PR, the hash of the squashed commit
+  # will not match the one for the latest (approved) commit in the PR.
+  #
+  # We auto approve the check for the merge queue for two reasons:
+  #
+  #   * Queue times out due to duration of tests.
+  #   * Avoid running integration tests twice, since it was already run at the tip of the branch before squashing.
+  #
+  trigger:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Auto-approve squashed commit
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        shell: bash
+        run: |
+          gh api -X POST -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            /repos/${{ github.repository }}/statuses/${{ github.sha }} \
+            -f 'state=success' \
+            -f 'context=Integration Tests Check'

.github/workflows/integration-main.yml

@@ -0,0 +1,33 @@
+name: integration-main
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  # Trigger for pushes to the main branch.
+  #
+  # This workflow triggers the integration test workflow in a different repository.
+  # It requires secrets from the "test-trigger-is" environment, which are only available to authorized users.
+  trigger:
+    runs-on: ubuntu-latest
+    environment: "test-trigger-is"
+
+    steps:
+      - name: Generate GitHub App Token
+        id: generate-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.DECO_WORKFLOW_TRIGGER_APP_ID }}
+          private-key: ${{ secrets.DECO_WORKFLOW_TRIGGER_PRIVATE_KEY }}
+          owner: ${{ secrets.ORG_NAME }}
+          repositories: ${{secrets.REPO_NAME}}
+
+      - name: Trigger Workflow in Another Repo
+        env:
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+        run: |
+          gh workflow run cli-isolated-nightly.yml -R ${{ secrets.ORG_NAME }}/${{secrets.REPO_NAME}} \
+          --ref main \
+          -f commit_sha=${{ github.event.after }}

.github/workflows/integration-pr.yml

@@ -0,0 +1,56 @@
+name: integration-pr
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+
+jobs:
+  check-token:
+    runs-on: ubuntu-latest
+    environment: "test-trigger-is"
+
+    outputs:
+      has_token: ${{ steps.set-token-status.outputs.has_token }}
+
+    steps:
+      - name: Check if DECO_WORKFLOW_TRIGGER_APP_ID is set
+        id: set-token-status
+        run: |
+          if [ -z "${{ secrets.DECO_WORKFLOW_TRIGGER_APP_ID }}" ]; then
+            echo "DECO_WORKFLOW_TRIGGER_APP_ID is empty. User has no access to secrets."
+            echo "::set-output name=has_token::false"
+          else
+            echo "DECO_WORKFLOW_TRIGGER_APP_ID is set. User has access to secrets."
+            echo "::set-output name=has_token::true"
+          fi
+
+  # Trigger for pull requests.
+  #
+  # This workflow triggers the integration test workflow in a different repository.
+  # It requires secrets from the "test-trigger-is" environment, which are only available to authorized users.
+  # It depends on the "check-token" workflow to confirm access to this environment to avoid failures.
+  trigger:
+    runs-on: ubuntu-latest
+    environment: "test-trigger-is"
+
+    if: needs.check-token.outputs.has_token == 'true'
+    needs: check-token
+
+    steps:
+      - name: Generate GitHub App Token
+        id: generate-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.DECO_WORKFLOW_TRIGGER_APP_ID }}
+          private-key: ${{ secrets.DECO_WORKFLOW_TRIGGER_PRIVATE_KEY }}
+          owner: ${{ secrets.ORG_NAME }}
+          repositories: ${{secrets.REPO_NAME}}
+
+      - name: Trigger Workflow in Another Repo
+        env:
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+        run: |
+          gh workflow run cli-isolated-pr.yml -R ${{ secrets.ORG_NAME }}/${{secrets.REPO_NAME}} \
+          --ref main \
+          -f pull_request_number=${{ github.event.pull_request.number }} \
+          -f commit_sha=${{ github.event.pull_request.head.sha }}

.github/workflows/push.yml

@@ -44,51 +44,36 @@ jobs:
         run: |
           echo "GOPATH=$(go env GOPATH)" >> $GITHUB_ENV
           echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
-          go install gotest.tools/gotestsum@latest
-          go install honnef.co/go/tools/cmd/staticcheck@latest
+          go install gotest.tools/[email protected]
 
       - name: Pull external libraries
         run: |
           make vendor
           pip3 install wheel
 
       - name: Run tests
-        run: make test
+        run: make testonly
 
-      - name: Publish test coverage
-        uses: codecov/codecov-action@v4
-
-  fmt:
+  golangci:
+    name: lint
     runs-on: ubuntu-latest
-
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Setup Go
-        uses: actions/setup-go@v5
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
           go-version: 1.23.2
-
-          # No need to download cached dependencies when running gofmt.
-          cache: false
-
-      - name: Install goimports
-        run: |
-          go install golang.org/x/tools/cmd/goimports@latest
-
-      - name: Run make fmt
-        run: |
-          make fmt
-
       - name: Run go mod tidy
         run: |
           go mod tidy
-
       - name: Fail on differences
         run: |
           # Exit with status code 1 if there are differences (i.e. unformatted files)
           git diff --exit-code
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v6
+        with:
+          version: v1.62.2
+          args: --timeout=15m
 
   validate-bundle-schema:
     runs-on: ubuntu-latest
@@ -111,14 +96,19 @@ jobs:
       # By default the ajv-cli runs in strict mode which will fail if the schema
       # itself is not valid. Strict mode is more strict than the JSON schema
       # specification. See for details: https://ajv.js.org/options.html#strict-mode-options
+      # The ajv-cli is configured to use the markdownDescription keyword which is not part of the JSON schema specification,
+      # but is used in editors like VSCode to render markdown in the description field
       - name: Validate bundle schema
         run: |
           go run main.go bundle schema > schema.json
 
+          # Add markdownDescription keyword to ajv
+          echo "module.exports=function(a){a.addKeyword('markdownDescription')}" >> keywords.js
+
           for file in ./bundle/internal/schema/testdata/pass/*.yml; do
-            ajv test -s schema.json -d $file --valid
+            ajv test -s schema.json -d $file --valid -c=./keywords.js
           done
 
           for file in ./bundle/internal/schema/testdata/fail/*.yml; do
-            ajv test -s schema.json -d $file --invalid
+            ajv test -s schema.json -d $file --invalid -c=./keywords.js
           done

.github/workflows/release-snapshot.yml

@@ -5,6 +5,7 @@ on:
     branches:
       - "main"
       - "demo-*"
+      - "bugbash-*"
 
   # Confirm that snapshot builds work if this file is modified.
   pull_request:

.golangci.yaml

@@ -0,0 +1,38 @@
+linters:
+  disable-all: true
+  enable:
+    - bodyclose
+    - errcheck
+    - gosimple
+    - govet
+    - ineffassign
+    - staticcheck
+    - unused
+    - gofmt
+    - gofumpt
+    - goimports
+linters-settings:
+  govet:
+    enable-all: true
+    disable:
+      - fieldalignment
+      - shadow
+  gofmt:
+    rewrite-rules:
+      - pattern: 'a[b:len(a)]'
+        replacement: 'a[b:]'
+      - pattern: 'interface{}'
+        replacement: 'any'
+  errcheck:
+    exclude-functions:
+      - (*github.com/spf13/cobra.Command).RegisterFlagCompletionFunc
+      - (*github.com/spf13/cobra.Command).MarkFlagRequired
+      - (*github.com/spf13/pflag.FlagSet).MarkDeprecated
+      - (*github.com/spf13/pflag.FlagSet).MarkHidden
+  gofumpt:
+    module-path: github.com/databricks/cli
+    extra-rules: true
+  #goimports:
+  #  local-prefixes: github.com/databricks/cli
+issues:
+  exclude-dirs-use-default: false  # recommended by docs https://golangci-lint.run/usage/false-positives/