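# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
####
# Updates an Azure Databricks Repo (a workspace folder linked to this GitHub repo) so that it
# tracks the requested branch. Authentication is a two-hop process: Azure login (secret or
# OIDC) -> AAD access token for the Databricks resource -> Databricks CLI.
#
# Secrets from a service principal with permissions for push
# AZURE_APPLICATION_ID - The application (client) ID for the Azure AD application that is providing the service credentials.
# AZURE_APPLICATION_SECRET - The secret associated with the application/service principal. Not required when OIDC is used.
# AZURE_SUBSCRIPTION_ID - the subscription with the Databricks resources.
# AZURE_TENANT_ID - the AAD tenant containing the service principal.
# AZURE_DBR_GITHUB_PAT - the GitHub PAT to associate with the service principal to give it access to the GitHub repo.
#
# The workflow_dispatch inputs are free text supplied by whoever triggers the run. They are
# never interpolated straight into a `run:` script; each one is handed to the step through
# `env:` and expanded by the shell as a quoted variable, so shell metacharacters in an input
# cannot alter the commands that are executed.
####
name: Push repo
on:
  workflow_dispatch:
    inputs:
      repo_path:
        description: Workspace path of the Databricks Repo to update.
        type: string
        default: '/Repos/MyFolder/MyRepo'
      repo_branch:
        description: Branch the Databricks Repo should be switched to.
        type: string
        default: 'main'
      databricks_host:
        description: The URL to the Azure Databricks instance to be updated.
        type: string
        default: 'https://adb-6015055348970863.3.azuredatabricks.net'
# Least privilege for the GITHUB_TOKEN: id-token is required for the OIDC exchange,
# contents: read is the minimum the job needs.
permissions:
  id-token: write
  contents: read
jobs:
  push-repo:
    runs-on: ubuntu-latest
    steps:
      # Install the Databricks CLI
      - run: pip install databricks-cli
      # Unless the service principal has been provided a Databricks Token, you'll need
      # to authenticate using the Azure credentials and an AAD token. These next steps handle
      # that process. If you have a token, configure the Databricks CLI to use that token
      # and skip these steps.
      # Keep only ONE of the next two steps: Login with Secret or Login with OIDC. With both
      # present the Secret step runs first and is expected to fail when
      # AZURE_APPLICATION_SECRET is not configured.
      # Consider pinning third-party actions to a full commit SHA instead of a mutable tag.
      - name: Login with Secret
        uses: azure/login@v1
        with:
          creds: '{"clientId":"${{ secrets.AZURE_APPLICATION_ID }}","clientSecret":"${{ secrets.AZURE_APPLICATION_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
      - name: Login with OIDC
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_APPLICATION_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      # Retrieve a token for Databricks from AAD using a well-known resource ID. Mask the value
      # so it is redacted from logs, then push it into the environment variables for all steps
      # after this one.
      - name: Get secure token
        # An explicit `shell: bash` runs the script with `-e -o pipefail`, so a failing `az`
        # call fails the step instead of letting jq emit an empty token.
        shell: bash
        run: |-
          DATABRICKS_AAD_TOKEN=$(az account get-access-token --resource 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d | jq .accessToken --raw-output)
          # jq prints "null" when the field is missing; treat that like an empty result.
          if [ -z "$DATABRICKS_AAD_TOKEN" ] || [ "$DATABRICKS_AAD_TOKEN" = "null" ]; then
            echo "::error::Failed to obtain an AAD access token for Databricks"
            exit 1
          fi
          echo "::add-mask::$DATABRICKS_AAD_TOKEN"
          echo "DATABRICKS_AAD_TOKEN=$DATABRICKS_AAD_TOKEN" >> "$GITHUB_ENV"
      # This is a one-time step and does not need to be in the workflow. It just needs to happen one time
      # to associate a GitHub PAT with the service principal. Why one time? After that, we would need to
      # query Databricks for the ID associated with the stored credential, then make a PATCH request to
      # update the value. The first time the credential is configured, you can just use POST! Instead of
      # the current Actions user ("ACTOR"), you may also specify a specific GitHub user name.
      # The host, PAT and user name are passed through `env:` for the same injection reason as above.
      # - name: Register GitHub credential (run once)
      #   env:
      #     TARGET_HOST: ${{ inputs.databricks_host }}
      #     GIT_PAT: ${{ secrets.AZURE_DBR_GITHUB_PAT }}
      #     GIT_USERNAME: ${{ github.actor }}
      #   shell: bash
      #   run: |-
      #     curl -X POST "$TARGET_HOST/api/2.0/git-credentials" --header "Authorization: Bearer $DATABRICKS_AAD_TOKEN" --header "Content-Type: application/json" -d "$(jq -n --arg pat "$GIT_PAT" --arg user "$GIT_USERNAME" '{personal_access_token: $pat, git_username: $user, git_provider: "gitHub"}')"
      # Assign a token to the provided URL for requests. The --aad-token command configures
      # the CLI using the environment variable "DATABRICKS_AAD_TOKEN". Then, request Databricks
      # update the folder from the assigned repo and specified branch.
      - name: Update Databricks repo
        env:
          # Inputs are exposed to the shell as variables rather than templated into the script.
          TARGET_HOST: ${{ inputs.databricks_host }}
          TARGET_REPO_PATH: ${{ inputs.repo_path }}
          TARGET_BRANCH: ${{ inputs.repo_branch }}
        shell: bash
        run: |-
          databricks configure --aad-token --host "$TARGET_HOST"
          databricks repos update --path "$TARGET_REPO_PATH" --branch "$TARGET_BRANCH"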