From 7673679d5345e24ad1e8a746755540c4fc2bbac5 Mon Sep 17 00:00:00 2001
From: Jothi Prakash
Date: Mon, 6 Apr 2026 16:46:10 +0530
Subject: [PATCH] Migrate all CI workflows to databricks-protected-runner-group

Replace `ubuntu-latest` GitHub-hosted runners with the `databricks-protected-runner-group` runner group across all workflow jobs to improve CI security posture.

Co-authored-by: Isaac
---
 .github/workflows/code-quality-checks.yml | 8 ++++++--
 .github/workflows/dco-check.yml | 4 +++-
 .github/workflows/integration.yml | 4 +++-
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/code-quality-checks.yml b/.github/workflows/code-quality-checks.yml
index 923a3c1..e46f65d 100644
--- a/.github/workflows/code-quality-checks.yml
+++ b/.github/workflows/code-quality-checks.yml
@@ -13,7 +13,9 @@ permissions:
 jobs:
 check-linting:
- runs-on: ubuntu-latest
+ runs-on:
+ group: databricks-protected-runner-group
+ labels: linux-ubuntu-latest
 strategy:
 matrix:
 python-version: [3.9, "3.10", "3.11", "3.12"]
@@ -66,7 +68,9 @@ jobs:
 run: poetry run black --check src
 check-types:
- runs-on: ubuntu-latest
+ runs-on:
+ group: databricks-protected-runner-group
+ labels: linux-ubuntu-latest
 strategy:
 matrix:
 python-version: [3.9, "3.10", "3.11", "3.12"]
diff --git a/.github/workflows/dco-check.yml b/.github/workflows/dco-check.yml
index 5cb19c2..e86bad1 100644
--- a/.github/workflows/dco-check.yml
+++ b/.github/workflows/dco-check.yml
@@ -8,7 +8,9 @@ permissions:
 jobs:
 check:
- runs-on: ubuntu-latest
+ runs-on:
+ group: databricks-protected-runner-group
+ labels: linux-ubuntu-latest
 steps:
 - name: Check for DCO
 id: dco-check
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
index 3f7d2d9..a13aa0e 100644
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
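Review bot: Nothing in these workflow files records what the new `group: databricks-protected-runner-group` / `labels: linux-ubuntu-latest` target guarantees, yet `check-linting`, `check-types` and the `check` job in dco-check.yml all now depend on it. Unlike a GitHub-hosted `ubuntu-latest` VM, a runner group can contain long-lived machines, and these jobs run repository code (a `poetry run black --check src` step is visible in the second hunk's context). If the workflows trigger on pull requests from forks (the `on:` blocks are outside the hunks), state left behind by one job could reach the next. I would add a comment above each `runs-on:` such as `# Runs on the protected runner group; runners are expected to be single-use (confirm with the group owner)`, and confirm the group's repository and workflow access policy, which this patch does not show.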
@@ -12,7 +12,9 @@ permissions:
 jobs:
 run-e2e-tests:
- runs-on: ubuntu-latest
+ runs-on:
+ group: databricks-protected-runner-group
+ labels: linux-ubuntu-latest
 environment: azure-prod
 env:
 DATABRICKS_SERVER_HOSTNAME: ${{ secrets.DATABRICKS_HOST }}
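Review bot: `run-e2e-tests` combines the new runner group with `environment: azure-prod` and `${{ secrets.DATABRICKS_HOST }}`, so production-environment secrets will be present on whatever machine carries the `linux-ubuntu-latest` label in that group. That is the same group and label the lint and DCO jobs in this patch use. If those runners are not torn down after each job, a job running less-trusted code could share a host with this one, which looks worth confirming before merge. A separate label for secret-bearing jobs would keep the pools apart, e.g. `labels: <label-reserved-for-secret-bearing-jobs>` (placeholder; no such label appears in the patch). The job's remaining `env:` entries and steps lie outside the hunk.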