bundle deploy fails in CI — terraform download fails with expired PGP key #5018

@t2tea-niranjan

Problem

databricks bundle deploy fails in GitHub Actions during terraform provisioning. The CLI's built-in terraform download fails with an expired PGP key error during checksum verification.

Environment

  • Databricks CLI: v0.297.1 (installed via databricks/setup-cli@main)
  • Runner: ubuntu-latest (GitHub Actions)
  • Auth: Service principal (OAuth M2M)

Steps to reproduce

steps:
  - uses: actions/checkout@v6
  - uses: databricks/setup-cli@main
  - run: |
      databricks bundle validate --target staging
      databricks bundle deploy --target staging
    env:
      DATABRICKS_HOST: ${{ secrets.DATABRICKS_HOST }}
      DATABRICKS_CLIENT_ID: ${{ secrets.DATABRICKS_CLIENT_ID }}
      DATABRICKS_CLIENT_SECRET: ${{ secrets.DATABRICKS_CLIENT_SECRET }}

Error

Validation succeeds, but deploy fails when the CLI tries to download terraform:

Uploading bundle files to /Workspace/Users/***/.bundle/<bundle_name>/staging/files...
Error: error downloading Terraform: unable to verify checksums signature: openpgp: key expired

Expected behavior

The CLI should be able to download and verify terraform without PGP key issues, or databricks/setup-cli should bundle a compatible terraform binary.

Workaround

Install terraform explicitly before deploy, bypassing the CLI's built-in download:

- uses: hashicorp/setup-terraform@v3
  with:
    terraform_version: 1.5.5
    terraform_wrapper: false

- run: |
    export DATABRICKS_TF_EXEC_PATH=$(which terraform)
    databricks bundle deploy --target staging

The version must be pinned to 1.5.5 — the CLI rejects other versions unless DATABRICKS_TF_VERSION is also set.
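
Added example, not part of the original issue or the Databricks CLI: a pre-flight check for the workaround above, run in the same `run:` step before deploy, that confirms the binary handed to the CLI through DATABRICKS_TF_EXEC_PATH matches a pinned digest and reports the pinned version. `check_tf_binary` and `EXPECTED_SHA256` are hypothetical names, and the digest is assumed to be one you recorded yourself from a known-good copy of the installed binary.

```bash
#!/usr/bin/env bash
# Added example: gate an externally installed terraform binary before the
# Databricks CLI is pointed at it. check_tf_binary and EXPECTED_SHA256 are
# hypothetical names, not part of the CLI or of setup-terraform.

# check_tf_binary <path> <expected_version> <expected_sha256>
# Returns 0 on success, 1 if the file is missing or not executable,
# 2 on digest mismatch, 3 on version mismatch.
check_tf_binary() {
  local bin="$1" want_ver="$2" want_sha="$3" got_ver got_sha

  [ -x "$bin" ] || { echo "not executable: $bin" >&2; return 1; }

  # Compare the digest first, so a mismatched binary is never executed.
  got_sha=$(sha256sum "$bin" | awk '{print $1}')
  if [ "$got_sha" != "$want_sha" ]; then
    echo "sha256 mismatch for $bin" >&2
    return 2
  fi

  # `terraform version -json` prints a JSON object with "terraform_version".
  got_ver=$("$bin" version -json |
    sed -n 's/.*"terraform_version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  if [ "$got_ver" != "$want_ver" ]; then
    echo "version mismatch: got '$got_ver', want '$want_ver'" >&2
    return 3
  fi
}

# Runs only when a pinned digest is supplied (assumption: set as a CI variable).
if [ -n "${EXPECTED_SHA256:-}" ]; then
  tf=$(command -v terraform) || { echo "terraform not on PATH" >&2; exit 1; }
  check_tf_binary "$tf" 1.5.5 "$EXPECTED_SHA256" || exit 1
  export DATABRICKS_TF_EXEC_PATH="$tf"
fi
```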
