ci: add JFrog OIDC proxy for npm registry access

.github/workflows/pr.yml

@@ -7,6 +7,7 @@ on:
 
 permissions:
   contents: read
+  id-token: write
 
 jobs:
   lint-and-build:
@@ -19,6 +20,18 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - name: Setup JFrog CLI with OIDC
+        id: setup-jfrog
+        uses: jfrog/setup-jfrog-cli@279b1f629f43dd5bc658d8361ac4802a7ef8d2d5 # v4.9.1
+        env:
+          JF_URL: https://databricks.jfrog.io
+        with:
+          oidc-provider-name: github-actions
+      - name: Configure npm registry for JFrog
+        run: |
+          printf 'save-exact=true\nregistry=https://databricks.jfrog.io/artifactory/api/npm/db-npm/\n' > .npmrc
+          echo "//databricks.jfrog.io/artifactory/api/npm/db-npm/:_authToken=${{ steps.setup-jfrog.outputs.oidc-token }}" >> .npmrc
+          printf '[install]\nregistry = "https://databricks.jfrog.io/artifactory/api/npm/db-npm/"\n' > bunfig.toml
       - name: Setup Node
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
@@ -35,7 +48,9 @@ jobs:
           restore-keys: |
             bun-${{ runner.os }}-
       - name: Install dependencies
-        run: bun install --frozen-lockfile
+        run: |
+          rm -f bun.lock
+          bun install
       - name: Validate server.json version sync
         run: |
           node -e "const fs=require('fs'); const pkg=JSON.parse(fs.readFileSync('package.json','utf8')); const server=JSON.parse(fs.readFileSync('../server.json','utf8')); if (pkg.version !== server.version) { console.error('Version mismatch: landing/package.json=' + pkg.version + ' server.json=' + server.version); process.exit(1); }"

landing/.gitignore

@@ -47,3 +47,6 @@ tools.json
 .env.e2e
 test-results/
 playwright-report/
+
+# local registry config (generated by bin/setup-registry.sh)
+bunfig.toml

landing/bin/setup-registry.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+# Generates bunfig.toml so bun uses an npm registry proxy.
+# Checks multiple sources: BUN_CONFIG_REGISTRY env var, npm config, defaults.
+# CI runners generate their own bunfig.toml (see .github/workflows/pr.yml).
+
+set -euo pipefail
+cd "$(dirname "$0")/.."
+
+if [ -f bunfig.toml ]; then
+  exit 0
+fi
+
+# Check sources in priority order
+if [ -n "${BUN_CONFIG_REGISTRY:-}" ]; then
+  REGISTRY="$BUN_CONFIG_REGISTRY"
+elif command -v npm &>/dev/null; then
+  REGISTRY=$(npm config get registry 2>/dev/null || echo "https://registry.npmjs.org/")
+else
+  REGISTRY="https://registry.npmjs.org/"
+fi
+
+if echo "$REGISTRY" | grep -q "registry.npmjs.org"; then
+  echo "Error: bun install requires an npm registry proxy on this network." >&2
+  echo "" >&2
+  echo "Fix with one of:" >&2
+  echo "  1. Set globally:      echo 'registry=https://your-proxy.example.com/' >> ~/.npmrc" >&2
+  echo "  2. Set for session:   BUN_CONFIG_REGISTRY=https://your-proxy.example.com/ bun install" >&2
+  echo "  3. Create manually:   echo '[install]' > bunfig.toml && echo 'registry = \"https://your-proxy.example.com/\"' >> bunfig.toml" >&2
+  exit 1
+fi
+
+cat > bunfig.toml << EOF
+[install]
+registry = "$REGISTRY"
+EOF