bundle deploy fails in CI — terraform download fails with expired PGP key #5018

@t2tea-niranjan

Problem

databricks bundle deploy fails in GitHub Actions during terraform provisioning. The CLI's built-in terraform download fails with an expired PGP key error during checksum verification.

Environment

  • Databricks CLI: v0.297.1 (installed via databricks/setup-cli@main)
  • Runner: ubuntu-latest (GitHub Actions)
  • Auth: Service principal (OAuth M2M)

Steps to reproduce

steps:
  - uses: actions/checkout@v6
  - uses: databricks/setup-cli@main
  - run: |
      databricks bundle validate --target staging
      databricks bundle deploy --target staging
    env:
      DATABRICKS_HOST: ${{ secrets.DATABRICKS_HOST }}
      DATABRICKS_CLIENT_ID: ${{ secrets.DATABRICKS_CLIENT_ID }}
      DATABRICKS_CLIENT_SECRET: ${{ secrets.DATABRICKS_CLIENT_SECRET }}

Error

Validation succeeds, but deploy fails when the CLI tries to download terraform:

Uploading bundle files to /Workspace/Users/***/.bundle/<bundle_name>/staging/files...
Error: error downloading Terraform: unable to verify checksums signature: openpgp: key expired

Expected behavior

The CLI should be able to download and verify terraform without PGP key issues, or databricks/setup-cli should bundle a compatible terraform binary.

Workaround

Install terraform explicitly before deploy, bypassing the CLI's built-in download:

- uses: hashicorp/setup-terraform@v3
  with:
    terraform_version: 1.5.5
    terraform_wrapper: false

- run: |
    export DATABRICKS_TF_EXEC_PATH=$(which terraform)
    databricks bundle deploy --target staging

The version must be pinned to 1.5.5 — the CLI rejects other versions unless DATABRICKS_TF_VERSION is also set.
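
Added example (not part of the original issue and not Databricks CLI code): with the workaround, the Terraform binary comes from outside the CLI's own download step, which is where the failing checksum signature check runs, so a preflight step can confirm the pinned version and a pinned digest before deploy. The function name `tf_preflight`, its return codes and `PINNED_TF_SHA256` are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: preflight check for a Terraform binary handed to the
# Databricks CLI through DATABRICKS_TF_EXEC_PATH.
# tf_preflight and its arguments are hypothetical names, not CLI features.

# tf_preflight <binary> <expected_version> <expected_sha256>
# Returns 0 when the binary is executable, reports the pinned version and
# matches the pinned digest; 1 (missing), 2 (version), 3 (digest) otherwise.
tf_preflight() {
  tfp_bin="$1"; tfp_want_ver="$2"; tfp_want_sha="$3"

  if [ ! -f "$tfp_bin" ] || [ ! -x "$tfp_bin" ]; then
    echo "preflight: $tfp_bin is not an executable file" >&2
    return 1
  fi

  # The first line of `terraform version` looks like "Terraform v1.5.5".
  tfp_got_ver="$("$tfp_bin" version 2>/dev/null | sed -n '1s/^Terraform v//p')"
  if [ "$tfp_got_ver" != "$tfp_want_ver" ]; then
    echo "preflight: version '$tfp_got_ver' != pinned '$tfp_want_ver'" >&2
    return 2
  fi

  # Digest of the extracted binary, recorded once out of band from a
  # download whose integrity you verified yourself.
  tfp_got_sha="$(sha256sum "$tfp_bin" | cut -d' ' -f1)"
  if [ "$tfp_got_sha" != "$tfp_want_sha" ]; then
    echo "preflight: sha256 $tfp_got_sha != pinned $tfp_want_sha" >&2
    return 3
  fi
  return 0
}

# Usage in the workflow step (PINNED_TF_SHA256 is a placeholder you supply):
#   tf_preflight "$(command -v terraform)" 1.5.5 "$PINNED_TF_SHA256" || exit 1
#   export DATABRICKS_TF_EXEC_PATH="$(command -v terraform)"
#   databricks bundle deploy --target staging
```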
