Bump databricks-sdk-go to v0.132.0 (#5237)

## Why

Pulls in four releases of the Go SDK (v0.129 through v0.132). It picks
up new APIs (disaster recovery, secrets UC, supervisor agents, ingestion
connectors), removes the file-backed OAuth token cache from the SDK (now
owned by the CLI), and renames a handful of vector search fields. The
Terraform provider already moved to this SDK in v1.115, so this also
keeps the CLI close to the version Terraform users are running.

## Changes

**Before:** CLI pinned `databricks-sdk-go` at `v0.128.0` and OpenAPI
spec at SHA `11ae6f9d`.
**Now:** Pinned at `v0.132.0` / OpenAPI SHA `a499dda0`.

Most of the diff is regenerated output from `./task generate` (CLI
command stubs, JSON schema, bundle docs, Python bindings, direct-engine
YAML, acceptance goldens). The refreshed OpenAPI spec carries more
launch-stage metadata, so generated commands now include Beta / Private
Preview / GA warning text in help output, and the acceptance goldens
update accordingly.

Hand-written changes:

- **Vector search:** `MinQps` -> `TargetQps` and `RequestedMinQps` ->
`RequestedTargetQps` in
`bundle/direct/dresources/vector_search_endpoint.go`,
`libs/testserver/vector_search_endpoints.go`, and the
`vector_search_endpoints/{update,drift}/min_qps` acceptance tests
(renamed to `target_qps`). Added a Notable Changes entry to
`NEXT_CHANGELOG.md` calling this out for DABs config and the
`vector-search-endpoints` commands.
- **Postgres:** `Create{Branch,Endpoint}Request` gained
`ReplaceExisting`, `DeleteProjectRequest` gained `Purge`, and `Project`
gained `DeleteTime`/`PurgeTime`. Added explicit zero values where
exhaustruct demands them.
- **Auth:** SDK v0.130 removed the host-key fallback in
`PersistentAuth.loadToken`. Deleted the `cmd/auth/token_test` case that
exercised it. Open question on the thread: users who haven't logged in
since CLI v0.290.0 (2026-02-26) have host-keyed-only cache entries and
will need to re-login.
- **Deprecated `serving.AutoCaptureConfig{Input,Output}`:** narrow
`//nolint:staticcheck` annotations until the migration to AI Gateway
inference tables.
- **Schema annotations:** regenerated `annotations_openapi.yml` so the
new `compute.ConfidentialComputeType` enum has descriptions; dropped the
stale `min_qps` placeholder from `annotations.yml`.
- **Release tooling:** genkit also regenerated
`.github/workflows/tagging.yml` and `internal/genkit/tagging.py`. This
is generated output, but it changes release workflow behavior (protected
runner group, `ref: main` to force re-resolution on workflow_dispatch
re-runs, package-scoped dispatch input, created-tags artifact). Inline
reviewer notes on both files.

Merged `origin/main` to pick up #5240, which unsets the AI-agent env
vars in acceptance instead of leaving them empty. Without that, the SDK
v0.132 user-agent detector stamps `agent/multiple` onto every recorded
request; with it merged in, the stamping stops and the goldens go back
to their pre-bump state.

## Test plan

- [x] `./task lint` clean
- [x] `./task checks` clean (tidy, whitespace, links, deadcode)
- [x] `go test ./internal/build ./bundle/internal/schema
./bundle/direct/dresources ./bundle/config/resources`
- [x] `./task test-update` and `go test ./acceptance` clean after
regeneration
- [x] `./task pydabs-codegen` succeeds
- [x] After review feedback, re-ran affected acceptance tests
(`user_agent`, `auth/credentials`, `cmd/api`, `bundle/migrate`,
`bundle/state`, `bundle/templates/telemetry`, `telemetry`,
`workspace/jobs`) to confirm goldens match
- [ ] CI on this PR

This pull request and its description were written by Isaac.

Author: simonfaltum

.codegen/_openapi_sha

@@ -1 +1 @@
-11ae6f9d98f0d0838a5e53c27032f178fecc4ee0
+a499dda0f7802e37868d3f3076f62639165475d8

.gitattributes

@@ -8,6 +8,7 @@ cmd/account/credentials/credentials.go linguist-generated=true
 cmd/account/csp-enablement-account/csp-enablement-account.go linguist-generated=true
 cmd/account/custom-app-integration/custom-app-integration.go linguist-generated=true
 cmd/account/disable-legacy-features/disable-legacy-features.go linguist-generated=true
+cmd/account/disaster-recovery/disaster-recovery.go linguist-generated=true
 cmd/account/enable-ip-access-lists/enable-ip-access-lists.go linguist-generated=true
 cmd/account/encryption-keys/encryption-keys.go linguist-generated=true
 cmd/account/endpoints/endpoints.go linguist-generated=true
@@ -151,6 +152,7 @@ cmd/workspace/resource-quotas/resource-quotas.go linguist-generated=true
 cmd/workspace/restrict-workspace-admins/restrict-workspace-admins.go linguist-generated=true
 cmd/workspace/rfa/rfa.go linguist-generated=true
 cmd/workspace/schemas/schemas.go linguist-generated=true
+cmd/workspace/secrets-uc/secrets-uc.go linguist-generated=true
 cmd/workspace/secrets/secrets.go linguist-generated=true
 cmd/workspace/service-principal-secrets-proxy/service-principal-secrets-proxy.go linguist-generated=true
 cmd/workspace/service-principals-v2/service-principals-v2.go linguist-generated=true
@@ -159,12 +161,14 @@ cmd/workspace/settings/settings.go linguist-generated=true
 cmd/workspace/shares/shares.go linguist-generated=true
 cmd/workspace/sql-results-download/sql-results-download.go linguist-generated=true
 cmd/workspace/storage-credentials/storage-credentials.go linguist-generated=true
+cmd/workspace/supervisor-agents/supervisor-agents.go linguist-generated=true
 cmd/workspace/system-schemas/system-schemas.go linguist-generated=true
 cmd/workspace/table-constraints/table-constraints.go linguist-generated=true
 cmd/workspace/tables/tables.go linguist-generated=true
 cmd/workspace/tag-policies/tag-policies.go linguist-generated=true
 cmd/workspace/temporary-path-credentials/temporary-path-credentials.go linguist-generated=true
 cmd/workspace/temporary-table-credentials/temporary-table-credentials.go linguist-generated=true
+cmd/workspace/temporary-volume-credentials/temporary-volume-credentials.go linguist-generated=true
 cmd/workspace/token-management/token-management.go linguist-generated=true
 cmd/workspace/tokens/tokens.go linguist-generated=true
 cmd/workspace/users-v2/users-v2.go linguist-generated=true

.github/workflows/tagging.yml

@@ -4,7 +4,12 @@ name: tagging
 on:
   # Manual dispatch.
   workflow_dispatch:
-  # No inputs are required for the manual dispatch.
+    inputs:
+      packages:
+        description: 'Comma-separated list of packages to tag (e.g. "pkg1,pkg2"). Leave empty to tag all packages with pending releases.'
+        required: false
+        type: string
+        default: ''
 
   # NOTE: Temporarily disable automated releases.
   #
@@ -31,8 +36,8 @@ jobs:
       github.repository == 'databricks/databricks-sdk-java'
     environment: "release-is"
     runs-on:
-      group: databricks-deco-testing-runner-group
-      labels: ubuntu-latest-deco
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
     steps:
       - name: Generate GitHub App Token
         id: generate-token
@@ -44,6 +49,12 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
+          # Force re-resolution of ``main`` at step time. Without
+          # ``ref:``, checkout pins to ``github.sha`` — the SHA frozen
+          # at workflow_dispatch time — which means re-running a stale
+          # dispatch checks out an older main even when newer commits
+          # exist.
+          ref: main
           fetch-depth: 0
           token: ${{ steps.generate-token.outputs.token }}
 
@@ -60,4 +71,18 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
           GITHUB_REPOSITORY: ${{ github.repository }}
-        run: uv run --locked internal/genkit/tagging.py
+          PACKAGES: ${{ inputs.packages }}
+        run: |
+          if [ -n "$PACKAGES" ]; then
+            uv run --locked internal/genkit/tagging.py --package "$PACKAGES"
+          else
+            uv run --locked internal/genkit/tagging.py
+          fi
+
+      - name: Upload created tags artifact
+        if: always()
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: created-tags
+          path: created_tags.json
+          if-no-files-found: ignore

NEXT_CHANGELOG.md

@@ -2,6 +2,9 @@
 
 ## Release v0.299.2
 
+### Notable Changes
+* Breaking change: `vector_search_endpoints` renamed `min_qps` to `target_qps` in DABs configuration and the `vector-search-endpoints` commands, following the SDK rename in v0.131.0. Update any `databricks.yml` using `min_qps:` to `target_qps:` and any CLI invocations using `--min-qps` to `--target-qps`.
+
 ### CLI
 
 * `auth login` no longer falls back to plaintext when the OS keyring is reachable but locked. The unlock prompt shown by the probe now runs in parallel with the OAuth flow, and the token is stored in the keyring once the user has typed their password.
@@ -20,3 +23,4 @@
 ### Dependency updates
 
 * Bump Go toolchain to 1.25.10 ([#5213](https://github.com/databricks/cli/pull/5213)).
+* Bump `github.com/databricks/databricks-sdk-go` from v0.128.0 to v0.132.0.