Migrate workflows that need write access to use hosted runners (#2077)

## Changes

Migrate workflows to Databricks-hosted GitHub Actions runners.

The GitHub-hosted runners can no longer be used because of security
hardening.

.github/workflows/close-stale-issues.yml

@@ -7,12 +7,16 @@ on:
 
 jobs:
   cleanup:
+    name: Stale issue job
+    runs-on:
+      group: databricks-deco-testing-runner-group
+      labels: ubuntu-latest-deco
+
     permissions:
       issues: write
       contents: read
       pull-requests: write
-    runs-on: ubuntu-latest
+
-    name: Stale issue job
     steps:
       - uses: actions/stale@v9
         with:

.github/workflows/external-message.yml

@@ -17,7 +17,10 @@ on:
 
 jobs:
   comment-on-pr:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-deco-testing-runner-group
+      labels: ubuntu-latest-deco
+
     permissions:
       pull-requests: write
 

.github/workflows/integration-approve.yml

@@ -21,7 +21,9 @@ jobs:
   #   * Avoid running integration tests twice, since it was already run at the tip of the branch before squashing.
   #
   trigger:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-deco-testing-runner-group
+      labels: ubuntu-latest-deco
 
     steps:
       - name: Auto-approve squashed commit

.github/workflows/integration-main.yml

@@ -15,7 +15,10 @@ jobs:
   # This workflow triggers the integration test workflow in a different repository.
   # It requires secrets from the "test-trigger-is" environment, which are only available to authorized users.
   trigger:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-deco-testing-runner-group
+      labels: ubuntu-latest-deco
+
     environment: "test-trigger-is"
 
     steps:

.github/workflows/integration-pr.yml

@@ -14,7 +14,10 @@ jobs:
   # This workflow triggers the integration test workflow in a different repository.
   # It requires secrets from the "test-trigger-is" environment, which are only available to authorized users.
   trigger:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-deco-testing-runner-group
+      labels: ubuntu-latest-deco
+
     environment: "test-trigger-is"
 
     # Only run this job for PRs from branches on the main repository and not from forks.

.github/workflows/release-snapshot.yml

@@ -20,7 +20,10 @@ on:
 
 jobs:
   goreleaser:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-deco-testing-runner-group
+      labels: ubuntu-latest-deco
+
     steps:
       - name: Checkout repository and submodules
         uses: actions/checkout@v4

.github/workflows/release.yml

@@ -9,9 +9,13 @@ on:
 
 jobs:
   goreleaser:
+    runs-on:
+      group: databricks-deco-testing-runner-group
+      labels: ubuntu-latest-deco
+
     outputs:
       artifacts: ${{ steps.releaser.outputs.artifacts }}
-    runs-on: ubuntu-latest
+
     steps:
       - name: Checkout repository and submodules
         uses: actions/checkout@v4