Migrate dco-check and vulnerabilityCatcher to Databricks runners (#1327)

gopalldb · web-flow · commit 4f934ed84b4d · 2026-03-27T00:02:08.000+05:30
## Summary
- Migrate `dco-check.yml` and `vulnerabilityCatcher.yml` from public
`ubuntu-latest` runners to `databricks-protected-runner-group`
- These were the only 2 workflows (out of 22) still using public
GitHub-hosted runners
- Ensures consistent runner security posture across all CI workflows

NO_CHANGELOG=true

## Test plan
- [ ] Verify DCO check workflow triggers correctly on a PR
- [ ] Verify weekly security scan workflow runs on the protected runner
group

This pull request was AI-assisted by Isaac.

Signed-off-by: Gopal Lal &lt;gopal.lal@databricks.com&gt;
diff --git a/.github/workflows/dco-check.yml b/.github/workflows/dco-check.yml
@@ -7,7 +7,9 @@ on:
 
 jobs:
   dco-check:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
     name: Check DCO Sign-off
     steps:
       - name: Checkout
diff --git a/.github/workflows/vulnerabilityCatcher.yml b/.github/workflows/vulnerabilityCatcher.yml
@@ -7,7 +7,9 @@ on:
 
 jobs:
   security-scan:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
 
     steps:
       - name: Checkout repository
