Switch CI to hardened runners with JFrog OIDC authentication

Route Maven dependency resolution through JFrog Artifactory on hardened
runners that block direct access to Maven Central. Authenticate via
GitHub Actions OIDC (zero stored secrets).

- Add composite action for JFrog OIDC + Java setup
- Switch fmt, unit-tests (Linux), and check-lock to
  databricks-protected-runner-group
- Add workflow-level id-token: write permission for OIDC
- Keep macOS unit-tests on public runners (not hardened)

NO_CHANGELOG=true

Author: mihaimitrea-db

.github/actions/setup-build-environment/action.yml

@@ -0,0 +1,23 @@
+name: Setup build environment
+description: Set up JDK with JFrog OIDC authentication for hardened runners
+
+inputs:
+  java-version:
+    description: "Java version to install"
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Setup JFrog CLI with OIDC
+      if: runner.os != 'macOS'
+      uses: jfrog/setup-jfrog-cli@279b1f629f43dd5bc658d8361ac4802a7ef8d2d5 # v4.9.1
+      env:
+        JF_URL: https://databricks.jfrog.io
+      with:
+        oidc-provider-name: github-actions
+
+    - name: Set up JDK
+      uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4
+      with:
+        java-version: ${{ inputs.java-version }}

.github/workflows/push.yml

@@ -6,18 +6,25 @@ on:
   merge_group:
     types: [checks_requested]
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   fmt:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Set up JDK 11
-        uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4
-        with:
-          java-version: 11
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
 
+    steps:
       - name: Checkout
         uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 
+      - name: Setup build environment
+        uses: ./.github/actions/setup-build-environment
+        with:
+          java-version: 11
+
       - name: Cache Maven packages
         uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
@@ -32,20 +39,27 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [macos-latest, ubuntu-latest]
+        os:
+          - name: linux
+            runner:
+              group: databricks-protected-runner-group
+              labels: linux-ubuntu-latest
+          - name: macos
+            runner: macos-latest
         java-version: [8, 11, 17, 20] # 20 is the latest version as of 2023 and 17 is the latest LTS
 
-    runs-on: ${{ matrix.os }}
+    name: "unit-tests (${{ matrix.os.name }}, java ${{ matrix.java-version }})"
+    runs-on: ${{ matrix.os.runner }}
 
     steps:
-      - name: Set up JDK
-        uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4
-        with:
-          java-version: ${{ matrix.java-version }}
-
       - name: Checkout
         uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 
+      - name: Setup build environment
+        uses: ./.github/actions/setup-build-environment
+        with:
+          java-version: ${{ matrix.java-version }}
+
       - name: Cache Maven packages
         uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
@@ -57,15 +71,18 @@ jobs:
         run: mvn --errors test
 
   check-lock:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Set up JDK 11
-        uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde # v1.4.4
-        with:
-          java-version: 11
+    runs-on:
+      group: databricks-protected-runner-group
+      labels: linux-ubuntu-latest
 
+    steps:
       - name: Checkout
         uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 
+      - name: Setup build environment
+        uses: ./.github/actions/setup-build-environment
+        with:
+          java-version: 11
+
       - name: Validate lockfile
         run: make check-lock