ci: migrate to hardened runners, disable publish during freeze

Switch all 7 workflow jobs from `ubuntu-latest` to the
`databricks-protected-runner-group` hardened runner group per
go/hardened-gha step 3.

Disable the release publish job during the release freeze per
go/hardened-gha step 7. The build job remains active for validation.
A clear comment marks when and how to re-enable.

Fix `.npmrc` from `package-lock=false` to `package-lock=true` so local
dev keeps the lockfile in sync with `npm ci` in CI.

Co-authored-by: Isaac

Author: shivam2680

.github/workflows/dco-check.yml

@@ -8,7 +8,9 @@ permissions:
 
 jobs:
   check:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:

.github/workflows/main.yml

@@ -13,7 +13,9 @@ permissions:
 
 jobs:
   lint:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       - name: Cache node modules
@@ -34,7 +36,9 @@ jobs:
           npm run lint
 
   unit-test:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
     strategy:
       matrix:
         # only LTS versions starting from the lowest we support
@@ -75,7 +79,9 @@ jobs:
           retention-days: 1
 
   e2e-test:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
     environment: azure-prod
     env:
       E2E_HOST: ${{ secrets.DATABRICKS_HOST }}
@@ -113,7 +119,9 @@ jobs:
 
   coverage:
     needs: [unit-test, e2e-test]
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
     env:
       cache-name: cache-node-modules
 

.github/workflows/release.yml

@@ -6,7 +6,9 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
     permissions:
       contents: read
     steps:
@@ -22,21 +24,25 @@ jobs:
           path: "*.tgz"
           retention-days: 1
 
-  publish:
-    needs: [build]
-    runs-on: ubuntu-latest
-    environment: npm-publish
-    permissions:
-      contents: read
-      id-token: write
-    steps:
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
-        with:
-          node-version: 22
-          registry-url: https://registry.npmjs.org/
-      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
-        with:
-          name: package-tarball
-      - run: npm publish --provenance --access public *.tgz
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+  # NOTE: Publish job disabled during release freeze per go/hardened-gha step 7.
+  # Re-enable after completing NPM Release SOP and #unblock-releases-public approval.
+  # publish:
+  #   needs: [build]
+  #   runs-on:
+  #     group: databricks-protected-runner-group
+  #     labels: linux-ubuntu-latest
+  #   environment: npm-publish
+  #   permissions:
+  #     contents: read
+  #     id-token: write
+  #   steps:
+  #     - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+  #       with:
+  #         node-version: 22
+  #         registry-url: https://registry.npmjs.org/
+  #     - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+  #       with:
+  #         name: package-tarball
+  #     - run: npm publish --provenance --access public *.tgz
+  #       env:
+  #         NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

.npmrc

@@ -1 +1 @@
-package-lock=false
+package-lock=true