From c262b30ef4a28685ef5e52c9d4985d0fe0591382 Mon Sep 17 00:00:00 2001 From: Pieter Noordhuis Date: Mon, 6 Jan 2025 16:34:42 +0100 Subject: [PATCH] Migrate workflows that need write access to use hosted runners (#2077) ## Changes Migrate workflows to Databricks-hosted GitHub Actions runners. The GitHub-hosted runners can no longer be used because of security hardening. --- .github/workflows/close-stale-issues.yml | 8 ++++++-- .github/workflows/external-message.yml | 5 ++++- .github/workflows/integration-approve.yml | 4 +++- .github/workflows/integration-main.yml | 5 ++++- .github/workflows/integration-pr.yml | 5 ++++- .github/workflows/release-snapshot.yml | 5 ++++- .github/workflows/release.yml | 6 +++++- 7 files changed, 30 insertions(+), 8 deletions(-) diff --git a/.github/workflows/close-stale-issues.yml b/.github/workflows/close-stale-issues.yml index ffe550132..273b89a9c 100644 --- a/.github/workflows/close-stale-issues.yml +++ b/.github/workflows/close-stale-issues.yml @@ -7,12 +7,16 @@ on: jobs: cleanup: + name: Stale issue job + runs-on: + group: databricks-deco-testing-runner-group + labels: ubuntu-latest-deco + permissions: issues: write contents: read pull-requests: write - runs-on: ubuntu-latest - name: Stale issue job + steps: - uses: actions/stale@v9 with: diff --git a/.github/workflows/external-message.yml b/.github/workflows/external-message.yml index 9c91242a7..eb68a36e4 100644 --- a/.github/workflows/external-message.yml +++ b/.github/workflows/external-message.yml @@ -17,7 +17,10 @@ on: jobs: comment-on-pr: - runs-on: ubuntu-latest + runs-on: + group: databricks-deco-testing-runner-group + labels: ubuntu-latest-deco + permissions: pull-requests: write diff --git a/.github/workflows/integration-approve.yml b/.github/workflows/integration-approve.yml index 265574bb5..0f6b209cb 100644 --- a/.github/workflows/integration-approve.yml +++ b/.github/workflows/integration-approve.yml 
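Review bot: The `- uses: actions/stale@v9` step at the end of the close-stale-issues.yml hunk is referenced by a mutable tag, and after this change it runs on the Databricks-hosted runner group with `issues: write` and `pull-requests: write`. Pinning it to a full commit SHA keeps a retagged release from executing on that infrastructure, e.g. `- uses: actions/stale@<full-commit-sha>  # v9` (placeholder; take the SHA from the action's release). The same applies to `actions/checkout@v4` in the release-snapshot.yml and release.yml hunks. The step's `with:` inputs continue outside the hunk.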
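Review bot: `comment-on-pr` in external-message.yml now runs on the Databricks-hosted runner group with `pull-requests: write`, but the trigger under `on:` and the job's steps are outside this hunk, so it cannot be confirmed here that the job never checks out or runs content taken from the pull request. If the workflow fires for pull requests from forks, that constraint should be recorded next to the runner selection, e.g. a comment above `runs-on:` such as `# Internal runner: this job must not check out or execute PR-controlled code.` Keeping the job limited to API calls is what makes the write-scoped token and the internal runner safe to combine.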
@@ -21,7 +21,9 @@ jobs: # * Avoid running integration tests twice, since it was already run at the tip of the branch before squashing. # trigger: - runs-on: ubuntu-latest + runs-on: + group: databricks-deco-testing-runner-group + labels: ubuntu-latest-deco steps: - name: Auto-approve squashed commit diff --git a/.github/workflows/integration-main.yml b/.github/workflows/integration-main.yml index 55fc98ae4..5a78d4fd8 100644 --- a/.github/workflows/integration-main.yml +++ b/.github/workflows/integration-main.yml @@ -15,7 +15,10 @@ jobs: # This workflow triggers the integration test workflow in a different repository. # It requires secrets from the "test-trigger-is" environment, which are only available to authorized users. trigger: - runs-on: ubuntu-latest + runs-on: + group: databricks-deco-testing-runner-group + labels: ubuntu-latest-deco + environment: "test-trigger-is" steps: diff --git a/.github/workflows/integration-pr.yml b/.github/workflows/integration-pr.yml index 965d74fbe..fd170f77e 100644 --- a/.github/workflows/integration-pr.yml +++ b/.github/workflows/integration-pr.yml @@ -14,7 +14,10 @@ jobs: # This workflow triggers the integration test workflow in a different repository. # It requires secrets from the "test-trigger-is" environment, which are only available to authorized users. trigger: - runs-on: ubuntu-latest + runs-on: + group: databricks-deco-testing-runner-group + labels: ubuntu-latest-deco + environment: "test-trigger-is" # Only run this job for PRs from branches on the main repository and not from forks. diff --git a/.github/workflows/release-snapshot.yml b/.github/workflows/release-snapshot.yml index 7ef8b43c9..5c56a294e 100644 --- a/.github/workflows/release-snapshot.yml +++ b/.github/workflows/release-snapshot.yml 
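Review bot: The `trigger` job in integration-approve.yml shows no job-level `permissions:` between `runs-on:` and `steps:`, unlike `cleanup` and `comment-on-pr` in this same commit, so the token scope on the new runner depends on a workflow-level block or the repository default, neither of which is visible here. Declaring it on the job keeps the scope reviewable next to the runner selection, e.g. `permissions: {}` if the steps authenticate only with their own secrets, or otherwise just the scopes they use. The same gap appears in the integration-main.yml, integration-pr.yml, release-snapshot.yml and release.yml hunks. The job's steps continue outside the hunk.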
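Review bot: In integration-pr.yml the context comment "Only run this job for PRs from branches on the main repository and not from forks." now guards more than the `test-trigger-is` secrets. The condition it describes, which is outside this hunk, is presumably also what keeps fork-controlled pull requests off the Databricks-hosted runner group. I would extend the comment so a later edit does not relax it unknowingly, e.g. `# The same condition keeps fork PRs off the Databricks-hosted runner group; do not relax it.`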
@@ -20,7 +20,10 @@ on: jobs: goreleaser: - runs-on: ubuntu-latest + runs-on: + group: databricks-deco-testing-runner-group + labels: ubuntu-latest-deco + steps: - name: Checkout repository and submodules uses: actions/checkout@v4 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e4a253531..88e338a8c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -9,9 +9,13 @@ on: jobs: goreleaser: + runs-on: + group: databricks-deco-testing-runner-group + labels: ubuntu-latest-deco + outputs: artifacts: ${{ steps.releaser.outputs.artifacts }} - runs-on: ubuntu-latest + steps: - name: Checkout repository and submodules uses: actions/checkout@v4
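Review bot: Both `goreleaser` jobs (release-snapshot.yml and release.yml) now build release artifacts on `databricks-deco-testing-runner-group`, the same group this commit assigns to the pull-request and integration jobs. Nothing in the diff shows whether those runners are single-use or whether the group is restricted to selected workflows, so state left behind by another job could in principle reach a release build. Consider a dedicated runner group for the release jobs, or at least state the isolation assumption on `runs-on:`, e.g. `# Release artifacts are built here: the runner group must provide a fresh runner per job.` The steps of both jobs continue outside the hunks.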