Fix security review findings: runners, DCO, CODEOWNERS, SECURITY.md (#340)

## Summary
Follow-up to #329 — the squash merge lost the second commit with these
fixes.

- Switch all workflows back to `ubuntu-latest` (GitHub-hosted runners)
to avoid executing fork PR code on Databricks infrastructure
- Fix DCO check to not checkout attacker-controlled fork code — uses the
default `pull_request` merge ref (which already contains all PR commits)
instead of explicitly checking out the fork's `head.ref`/`head.repo`
- Move `BASE_SHA`/`HEAD_SHA` to `env:` vars to prevent script injection
via crafted commit SHAs
- Add CODEOWNERS requiring `@databricks/eng-oss-sql-driver` review for
`.github/` changes
- Add SECURITY.md vulnerability disclosure policy

## Security findings addressed
- **High**: Self-hosted runners on public repo allow fork PRs to execute
on org infrastructure → `ubuntu-latest`
- **High**: DCO check explicitly checks out attacker-controlled fork
code on runner → default merge ref
- **Medium**: No CODEOWNERS for `.github/workflows/` → added
- **Medium**: No SECURITY.md → added

## Test plan
- [ ] Verify DCO check passes for signed commits
- [ ] Verify DCO check fails for unsigned commits
- [ ] Verify CI runs on GitHub-hosted runners

This pull request was AI-assisted by Isaac.

Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>

Author: vikrantpuppala

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# Require review from eng-oss-sql-driver for CI/CD workflow changes
+.github/ @databricks/eng-oss-sql-driver

.github/workflows/dco-check.yml

@@ -10,53 +10,24 @@ permissions:
 
 jobs:
   dco-check:
-    runs-on:
-      group: databricks-protected-runner-group
-      labels: [linux-ubuntu-latest]
+    runs-on: ubuntu-latest
     name: Check DCO Sign-off
     steps:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.ref }}
-          repository: ${{ github.event.pull_request.head.repo.full_name }}
-
-      - name: Add upstream remote (for forks)
-        run: |
-          if [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then
-            echo "This is a fork, adding upstream remote"
-            git remote add upstream https://github.com/${{ github.repository }}.git
-            git fetch upstream ${{ github.event.pull_request.base.ref }}
-          else
-            echo "This is not a fork, using origin"
-          fi
 
       - name: Check DCO Sign-off
+        env:
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
         run: |
           #!/bin/bash
           set -e
 
-          BASE_SHA="${{ github.event.pull_request.base.sha }}"
-          HEAD_SHA="${{ github.event.pull_request.head.sha }}"
-
           echo "Checking commits from $BASE_SHA to $HEAD_SHA"
 
-          if ! git cat-file -e "$BASE_SHA" 2>/dev/null; then
-            echo "Error: Base commit $BASE_SHA not found"
-            echo "Trying to fetch from upstream..."
-            if [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then
-              git fetch upstream ${{ github.event.pull_request.base.ref }}
-            else
-              git fetch origin ${{ github.event.pull_request.base.ref }}
-            fi
-          fi
-
-          if ! git cat-file -e "$HEAD_SHA" 2>/dev/null; then
-            echo "Error: Head commit $HEAD_SHA not found"
-            exit 1
-          fi
-
           COMMITS=$(git rev-list --no-merges "$BASE_SHA..$HEAD_SHA")
 
           if [ -z "$COMMITS" ]; then

.github/workflows/go.yml

@@ -12,9 +12,7 @@ permissions:
 jobs:
   lint:
     name: Lint
-    runs-on:
-      group: databricks-protected-runner-group
-      labels: [linux-ubuntu-latest]
+    runs-on: ubuntu-latest
 
     steps:
       - name: Check out code into the Go module directory
@@ -36,9 +34,7 @@ jobs:
       matrix:
         go-version: [1.20.x]
         os: [ubuntu-latest]
-    runs-on:
-      group: databricks-protected-runner-group
-      labels: [linux-ubuntu-latest]
+    runs-on: ubuntu-latest
 
     steps:
       - name: Check out code into the Go module directory

SECURITY.md

@@ -0,0 +1,20 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in this project, please report it responsibly.
+
+**Do not open a public GitHub issue for security vulnerabilities.**
+
+Instead, please report security issues by emailing [security@databricks.com](mailto:security@databricks.com).
+
+Please include:
+- A description of the vulnerability
+- Steps to reproduce the issue
+- Any potential impact
+
+We will acknowledge receipt within 3 business days and aim to provide a resolution timeline within 10 business days.
+
+## Supported Versions
+
+Security updates are applied to the latest release only.