Fix running tests on PRs from forks

[andrewnester]

Changes

Fix running tests on PRs from forks

Why

Problem

PRs from forks fail CI entirely. Two root causes:

1. JFrog authentication — Go module resolution uses a JFrog Artifactory proxy authenticated via GitHub OIDC. GitHub does not mint OIDC tokens for forked PR workflows, so the JFrog auth step fails.
2. Protected runner groups — The test jobs run on databricks-protected-runner-group-large and databricks-deco-testing-runner-group, which are inaccessible to fork workflows.

Solution

Pre-warm the Go module download cache from a privileged workflow on main, then restore it in fork PR workflows using Go's file:// proxy in offline mode - no JFrog credentials required.

[github-actions]

Waiting for approval

Based on git history, these people are best suited to review:

• @pietern -- recent work in .github/workflows/, .github/actions/setup-build-environment/

Eligible reviewers: @anton-107, @denik, @renaudhartert-db, @shreyas-goenka, @simonfaltum

_{Suggestions based on git history. See OWNERS for ownership rules.}

[denik]

question - Can we reuse the same jobs as regular bit parametrize runner?

Ideally we would not have to maintain separate jobs, especially given that they are hard to test.

[denik]

single OS

what single OS? why?

[shreyas-goenka]

Does this workflow require an approval from us? Claude flagged that historically there have been arbitary code execution vectors via things like this (e.g. if you use cgo, and then use compile time macros)

[andrewnester]

This is triggered on main barcnh only so can't be executed from PR code

[shreyas-goenka]

maybe can be simplied? Claude recommended:

  env:
    IS_FORK: ${{ github.event.pull_request.head.repo.fork }}
  run: echo "is_fork=${IS_FORK:-false}" >> "$GITHUB_OUTPUT"