Isolate unsafe code in build.yml

[c0rv4x]

Description
I have introduced isolation for self-hosted runner, so it is not possible for malicious attacker to persist in the self-hosted runner. Otherwise it might lead to backdoors.

Alternative(s) considered
Probably we could use VMs or github-hosted runners, but this solution seems more trivial.

Type
Choose one: Other

Screenshots (if applicable)

Checklist

• I have read and acknowledged the Code of conduct.
• I have read the Contributing page.
• I have signed the Google Individual CLA, or I am covered by my company's Corporate CLA.
• I have discussed my proposed solution with code owners in the linked issue(s) and we have agreed upon the general approach.
• I have run ./gradlew spotlessApply and ./gradlew spotlessCheck to check my code follows the style guide of this project.
• I have run ./gradlew check and ./gradlew connectedCheck to test my changes locally.
• I have built and run the demo app(s) to verify my change fixes the issue and/or does not break the demo app(s).

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[c0rv4x]

I have just signed the CLA. Would be great if you could rerun the flow