Migrate to self-hosted runners (#145)

As part of security hardening, only runners on an allowlist can perform authenticated operations. The "release-pr" and "tag" workflows require authenticated access to the repository for creating PRs and pushing tags, respectively. Migrate those to run on self-hosted runners.
databricks · Jan 9, 2025 · 9f3f7cb · 9f3f7cb
1 parent 487d6b6
commit 9f3f7cb
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 2 deletions.
diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml
@@ -10,7 +10,9 @@ on:
 
 jobs:
   release-pr:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
 
     steps:
       - uses: actions/checkout@v4

diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
@@ -11,7 +11,9 @@ on:
 
 jobs:
   tag:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
 
     steps:
       - uses: actions/checkout@v4

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -9,6 +9,12 @@ on:
 
   workflow_dispatch:
 
+# Note: all jobs in this workflow run on GitHub-hosted runners.
+# None of them need authenticated (token) access to the repository.
+#
+# If this were to change and they do need authenticated access, make sure to use the
+# self-hosted runners listed on the "Settings" -> "Actions" -> "Runners" page.
+#
 jobs:
   action_with_defaults:
     runs-on: ${{ matrix.os }}