@kenmuse
Created November 8, 2022 00:13
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
####
# Secrets from a service principal with permissions for push
# AZURE_APPLICATION_ID - The application (client) ID for the Azure AD application that is providing the service credentials.
# AZURE_APPLICATION_SECRET - The secret associated with the application/service principal. Not required when OIDC is used.
# AZURE_SUBSCRIPTION_ID - the subscription with the Databricks resources.
# AZURE_TENANT_ID - the AAD tenant containing the service principal.
# AZURE_DBR_GITHUB_PAT - the GitHub PAT to associate with the service principal to give it access to the GitHub repo.
####
name: Push repo
on:
  workflow_dispatch:
    inputs:
      repo_path:
        type: string
        default: '/Repos/MyFolder/MyRepo'
      repo_branch:
        type: string
        default: 'main'
      databricks_host:
        description: The URL to the Azure Databricks instance to be updated.
        type: string
        default: 'https://adb-6015055348970863.3.azuredatabricks.net'
permissions:
  id-token: write
  contents: read
jobs:
  push-repo:
    runs-on: ubuntu-latest
    steps:
      # Install the Databricks CLI
      - run: pip install databricks-cli
      # Unless the service principal has been provided a Databricks Token, you'll need
      # to authenticate using the Azure credentials and an AAD token. These next steps handle
      # that process. If you have a token, configure the Databricks CLI to use that token
      # and skip these steps.
      # Use either Login with Secret or Login with OIDC
      - name: Login with Secret
        uses: azure/login@v1
        with:
          creds: '{"clientId":"${{ secrets.AZURE_APPLICATION_ID }}","clientSecret":"${{ secrets.AZURE_APPLICATION_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
      - name: Login with OIDC
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_APPLICATION_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      # Retrieve a token for Databricks from AAD using the well-known Azure Databricks resource ID.
      # Mask the value so it is redacted from the job log, then push it into the environment
      # variables for all steps after this one.
      - name: Get secure token
        run: |-
          DATABRICKS_AAD_TOKEN=$(az account get-access-token --resource 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d | jq .accessToken --raw-output)
          echo "::add-mask::$DATABRICKS_AAD_TOKEN"
          echo "DATABRICKS_AAD_TOKEN=$DATABRICKS_AAD_TOKEN" >> "$GITHUB_ENV"
      # This is a one-time step and does not need to be in the workflow. It just needs to happen one time
      # to associate a GitHub PAT with the service principal. Why one time? After that, we would need to
      # query Databricks for the ID associated with the stored credential, then make a PATCH request to
      # update the value. The first time the credential is configured, you can just use POST! Instead of
      # the current Actions user ("ACTOR"), you may also specify a specific GitHub user name.
      # run: curl -X POST ${{ inputs.databricks_host }}/api/2.0/git-credentials --header "Authorization: Bearer $DATABRICKS_AAD_TOKEN" -d '{"personal_access_token": "${{ secrets.AZURE_DBR_GITHUB_PAT }}", "git_username": "${{ github.actor }}", "git_provider": "gitHub" }'
      # Assign a token to the provided URL for requests. The --aad-token option configures
      # the CLI using the environment variable "DATABRICKS_AAD_TOKEN". Then, request that Databricks
      # update the folder from the assigned repo and specified branch.
      - run: |-
          databricks configure --aad-token --host ${{ inputs.databricks_host }}
          databricks repos update --path ${{ inputs.repo_path }} --branch ${{ inputs.repo_branch }}
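The commented-out one-time step above notes that after the first POST, refreshing the stored GitHub PAT requires looking up the credential ID and issuing a PATCH. The script below is an added example (not part of the gist) that makes that step idempotent: it lists the principal's Git credentials, then POSTs or PATCHes as appropriate. It assumes the Databricks Git credentials API paths shown in the gist plus the documented `credentials` / `credential_id` response fields, and reads the host, AAD token and PAT from environment variables named as in the workflow.

```python
"""Idempotently store a GitHub PAT as the Databricks Git credential of the calling principal.

Assumed API shape: GET /api/2.0/git-credentials -> {"credentials": [{"credential_id": ..., ...}]}
POST /api/2.0/git-credentials creates; PATCH /api/2.0/git-credentials/{credential_id} updates.
"""
import json
import os
import urllib.request

API = "/api/2.0/git-credentials"


def plan_upsert(existing, git_provider="gitHub"):
    """Return (HTTP method, path) given the parsed GET response.

    A workspace stores at most one Git credential per principal and provider, so if one
    already exists for this provider we PATCH it; otherwise we POST a new one.
    """
    for cred in existing.get("credentials", []):
        if str(cred.get("git_provider", "")).lower() == git_provider.lower():
            return "PATCH", f"{API}/{cred['credential_id']}"
    return "POST", API


def credential_body(pat, git_username, git_provider="gitHub"):
    """Request body shared by POST and PATCH (same fields as the gist's curl example)."""
    return {"personal_access_token": pat, "git_username": git_username, "git_provider": git_provider}


def upsert_git_credential(host, aad_token, pat, git_username, git_provider="gitHub"):
    """Create or update the stored credential; the PAT is sent but never logged."""
    headers = {"Authorization": f"Bearer {aad_token}", "Content-Type": "application/json"}
    with urllib.request.urlopen(urllib.request.Request(host + API, headers=headers)) as resp:
        existing = json.load(resp)
    method, path = plan_upsert(existing, git_provider)
    data = json.dumps(credential_body(pat, git_username, git_provider)).encode()
    req = urllib.request.Request(host + path, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()  # PATCH may return an empty body; only parse when there is one
    return method, (json.loads(raw) if raw else {})


if __name__ == "__main__":
    # Environment variable names follow the workflow; GITHUB_ACTOR is set by Actions.
    method, _ = upsert_git_credential(
        os.environ["DATABRICKS_HOST"].rstrip("/"),
        os.environ["DATABRICKS_AAD_TOKEN"],
        os.environ["AZURE_DBR_GITHUB_PAT"],
        os.environ.get("GITHUB_ACTOR", "octocat"),
    )
    print(f"git credential stored via {method}")  # deliberately prints no token material
```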