ci(kernel-e2e): route cargo through JFrog + audit cleanups

databricks-protected-runner-group blocks direct egress to
index.crates.io, so the maturin build was failing with SSL EOF on
the cargo metadata step. Extend setup-jfrog with an opt-in
`configure-cargo` input that writes ~/.cargo/config.toml +
credentials.toml against the JFrog db-cargo-remote proxy (recipe
borrowed verbatim from databricks-odbc's setup-jfrog action) and
forward it through setup-poetry so the kernel-e2e workflow can
enable it without bypassing the wrapper.

Bundled cleanups from a workflow audit:

- Drop the redundant `Set up Python 3.10` step — setup-poetry runs
  actions/setup-python internally at the matching version.
- Smoke-check now uses `$CONNECTOR_VENV_PY` (same interpreter we
  built the wheel with), so a wheel installed into the wrong venv
  would surface here rather than be masked by `poetry run python`
  re-resolving.
- Post `Kernel E2E` check on the labelled-PR path as well as the
  merge-queue path; previously the PR would still show the
  synthetic-success check forever even after a real labelled run
  failed.
- Add a comment to fetch-depth: 0 explaining why we keep it.

Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>

Author: vikrantpuppala

.github/actions/setup-jfrog/action.yml

@@ -1,5 +1,15 @@
 name: Setup JFrog OIDC
-description: Obtain a JFrog access token via GitHub OIDC and configure pip to use JFrog PyPI proxy
+description: Obtain a JFrog access token via GitHub OIDC and configure pip / cargo to use JFrog package proxies
+
+inputs:
+  configure-cargo:
+    description: |
+      Write ~/.cargo/config.toml + credentials.toml pointing at the
+      Databricks JFrog Cargo proxy. Required for any job that runs
+      `cargo` on `databricks-protected-runner-group`, where direct
+      access to index.crates.io is blocked. Off by default because
+      most jobs in this repo are Python-only.
+    default: "false"
 
 runs:
   using: composite
@@ -30,3 +40,34 @@ runs:
         set -euo pipefail
         echo "PIP_INDEX_URL=https://gha-service-account:${JFROG_ACCESS_TOKEN}@databricks.jfrog.io/artifactory/api/pypi/db-pypi/simple" >> "$GITHUB_ENV"
         echo "pip configured to use JFrog registry"
+
+    - name: Configure Cargo
+      if: inputs.configure-cargo == 'true'
+      shell: bash
+      # databricks-protected-runner-group blocks direct egress to
+      # index.crates.io, so cargo must route through JFrog's
+      # db-cargo-remote proxy. Mirrors the recipe used in
+      # databricks-odbc's setup-jfrog action.
+      #
+      # Note: JFrog's Cargo proxy quarantines crates released within
+      # the last 7 days. If a fresh dependency version isn't yet
+      # mirrored, the build will fail until JFrog ingests it — bump
+      # Cargo.lock to an older version or wait it out.
+      run: |
+        set -euo pipefail
+        mkdir -p ~/.cargo
+        cat > ~/.cargo/config.toml << 'EOF'
+        [source.crates-io]
+        replace-with = "jfrog"
+        [source.jfrog]
+        registry = "sparse+https://databricks.jfrog.io/artifactory/api/cargo/db-cargo-remote/index/"
+        [registries.jfrog]
+        index = "sparse+https://databricks.jfrog.io/artifactory/api/cargo/db-cargo-remote/index/"
+        credential-provider = ["cargo:token"]
+        EOF
+        cat > ~/.cargo/credentials.toml << EOF
+        [registries.jfrog]
+        token = "Bearer ${JFROG_ACCESS_TOKEN}"
+        EOF
+        echo "CARGO_REGISTRIES_JFROG_TOKEN=Bearer ${JFROG_ACCESS_TOKEN}" >> "$GITHUB_ENV"
+        echo "Cargo configured to use JFrog registry"

.github/actions/setup-poetry/action.yml

@@ -17,12 +17,21 @@ inputs:
     description: Extra suffix for the cache key to avoid collisions across job variants
     required: false
     default: ""
+  configure-cargo:
+    description: |
+      Forwarded to setup-jfrog. Set to "true" for jobs that also need
+      Cargo configured against the JFrog crates proxy (e.g. anything
+      that builds a Rust extension via maturin).
+    required: false
+    default: "false"
 
 runs:
   using: composite
   steps:
     - name: Setup JFrog
       uses: ./.github/actions/setup-jfrog
+      with:
+        configure-cargo: ${{ inputs.configure-cargo }}
 
     - name: Set up python ${{ inputs.python-version }}
       id: setup-python

.github/workflows/kernel-e2e.yml

@@ -163,6 +163,9 @@ jobs:
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           ref: ${{ steps.refs.outputs.head_sha }}
+          # Full history so `git diff BASE_SHA HEAD_SHA` resolves both
+          # commits regardless of how far base has diverged. The repo
+          # is small enough that depth 0 costs only a few seconds.
           fetch-depth: 0
 
       - name: Detect kernel-relevant changes
@@ -245,11 +248,10 @@ jobs:
           token: ${{ steps.app-token.outputs.token }}
           path: databricks-sql-kernel
 
-      - name: Set up Python 3.10
-        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
-        with:
-          python-version: "3.10"
-
+      # `setup-poetry` below runs `actions/setup-python` internally
+      # with the matching version, so we don't repeat it here. We do
+      # set up the Rust toolchain + cargo cache before maturin so they
+      # are on PATH when the kernel build step runs.
       - name: Set up Rust toolchain
         uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c # v1.15.2
 
@@ -266,12 +268,16 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y libkrb5-dev
 
-      - name: Setup Poetry + connector deps
+      - name: Setup Poetry + connector deps (and Cargo via JFrog)
         uses: ./.github/actions/setup-poetry
         with:
           python-version: "3.10"
           install-args: "--all-extras"
           cache-suffix: "kernel-e2e-"
+          # databricks-protected-runner-group blocks index.crates.io;
+          # route cargo through the JFrog db-cargo-remote proxy so
+          # maturin's cargo invocation below can resolve deps.
+          configure-cargo: "true"
 
       - name: Install maturin into the connector venv
         # The connector's poetry venv is in-project (.venv at repo
@@ -298,14 +304,23 @@ jobs:
         run: $CONNECTOR_VENV_PY -m maturin develop --release
 
       - name: Smoke-check kernel import
+        # Use the same interpreter we built the wheel with, so a wheel
+        # accidentally installed into the wrong venv would be visible
+        # here rather than masked by `poetry run python` re-resolving.
         run: |
-          poetry run python -c "import databricks_sql_kernel as k; assert k.__file__, 'kernel module has no __file__ — wheel install failed'; print('kernel ok:', k.__file__)"
+          $CONNECTOR_VENV_PY -c "import databricks_sql_kernel as k; assert k.__file__, 'kernel module has no __file__ — wheel install failed'; print('kernel ok:', k.__file__)"
 
       - name: Run kernel e2e tests
         run: poetry run pytest tests/e2e/test_kernel_backend.py -v
 
+      # Post a Kernel E2E check on both the labeled-PR and merge-queue
+      # paths so the named check on the PR reflects the latest real
+      # run (overwriting the synthetic-success check that
+      # skip-kernel-e2e-pr posted on the initial open). Without this
+      # the PR would still show synthetic-success even after a real
+      # labeled run failed.
       - name: Post Kernel E2E check (success)
-        if: success() && github.event_name == 'merge_group'
+        if: success()
         uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
         with:
           github-token: ${{ github.token }}
@@ -325,7 +340,7 @@ jobs:
             });
 
       - name: Post Kernel E2E check (failure)
-        if: failure() && github.event_name == 'merge_group'
+        if: failure()
         uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
         with:
           github-token: ${{ github.token }}