databricks/cli v1.0.0

on GitHub

The Databricks CLI is now generally available with version v1.0.0 as the first major release 🚀.

From this version on, the CLI follows semantic versioning (see README).

This change does not impact DABs or other existing commands beyond the changes listed below.

The 0.299.x line continues to receive security-critical patches through May 20, 2027; see SECURITY for the support policy.

Notable Changes

• Starting with v1.0.0, the CLI will use immutable release tags to increase security against supply chain attacks.
• Breaking change: OAuth tokens for interactive logins (auth_type = databricks-cli) are now stored in the OS-native secure store by default (Keychain on macOS, Credential Manager on Windows, Secret Service on Linux) instead of ~/.databricks/token-cache.json. After upgrading, run databricks auth login once per profile to re-authenticate; cached tokens from older versions are not migrated. To keep the previous file-backed storage, set DATABRICKS_AUTH_STORAGE=plaintext or add auth_storage = plaintext under [__settings__] in ~/.databrickscfg (the env var takes precedence over the config setting), then re-run databricks auth login. On systems where the OS keyring is not reachable (e.g. Linux containers without a D-Bus session bus), the CLI transparently falls back to the file cache when reading tokens so legacy token-cache.json entries remain accessible without manual configuration.

CLI

• Added databricks aitools command group for installing Databricks skills into your coding agents (Claude Code, Cursor, Codex CLI, OpenCode, GitHub Copilot, Antigravity). Skills are fetched from github.com/databricks/databricks-agent-skills and either symlinked into each agent's skills directory or copied into the current project. Use databricks aitools install to set up, update to pull newer versions, list to see what's available, and uninstall to remove them. Pick where they go with --scope=project|global (--scope=both is accepted on update and list).
• [__settings__].default_profile is now consulted as a fallback by databricks api, databricks auth token, and bundle commands when neither --profile nor DATABRICKS_CONFIG_PROFILE is set. databricks auth token continues to give precedence to DATABRICKS_HOST over default_profile. For bundle commands, default_profile only applies when the bundle does not pin its own workspace.host.
• Fixed bug where auth commands did not load the DEFAULT profile properly during auth where type is databricks-cli.
• databricks workspace import-dir now skips .git, .databricks, and node_modules directories during recursive imports. To import one of these directories deliberately, pass it as SOURCE_PATH (#5118).
• databricks postgres create-role --help now documents the --json body shape and rejects the common mistake of wrapping the body in {"role": ...} client-side with a hint pointing at the correct shape (#5111).
• databricks aitools list honors --output json, emitting a structured {release, skills[...], summary{}} document so coding agents and CI can consume the skill/version/installation matrix without scraping the tabular text output (#5233).

Bundles

• Make sure warnings asking for approval are understood by agents (#5239)
• Support replace_existing: true on postgres_branches and postgres_endpoints so bundles can manage the implicitly-created production branch and primary read-write endpoint of a Lakebase project.
• Add postgres_catalogs resource to bind a Unity Catalog catalog to a Postgres database on a Lakebase Autoscaling branch (#5265).
• Add postgres_synced_tables resource to sync a Unity Catalog Delta table into a Postgres table on a Lakebase Autoscaling branch (#5268).
• engine/direct: Changes to state file now persisted to .wal file right away instead of being saved in the end (#5149)