try using harden-runner

.github/workflows/consumer_test.yml

@@ -27,7 +27,14 @@ jobs:
       matrix:
         consumer: ["process_description", "score", "module_template"]
 
+
     steps:
+      - name: 🛡️ Harden Runner
+        if: github.repository_owner == 'eclipse-score'
+        uses: step-security/harden-runner@v2.18.0
+        with:
+          egress-policy: audit
+
       - name: Checkout PR
         uses: actions/checkout@v4.2.2
 

.github/workflows/link_check.yml

@@ -26,6 +26,11 @@ jobs:
   link-check:
     runs-on: ubuntu-latest
     steps:
+      - name: 🛡️ Harden Runner
+        if: github.repository_owner == 'eclipse-score'
+        uses: step-security/harden-runner@v2.18.0
+        with:
+          egress-policy: audit
       - name: Checkout repo
         uses: actions/checkout@v4
 

.github/workflows/lint.yml

@@ -24,6 +24,12 @@ jobs:
     runs-on: ubuntu-latest
     continue-on-error: true
     steps:
+
+      - name: 🛡️ Harden Runner
+        if: github.repository_owner == 'eclipse-score'
+        uses: step-security/harden-runner@v2.18.0
+        with:
+          egress-policy: audit
       - name: Checkout repository
         uses: actions/checkout@v4.2.2
 

.github/workflows/renovate.yml

@@ -22,6 +22,11 @@ jobs:
   renovate:
     runs-on: ubuntu-latest
     steps:
+      - name: 🛡️ Harden Runner
+        if: github.repository_owner == 'eclipse-score'
+        uses: step-security/harden-runner@v2.18.0
+        with:
+          egress-policy: audit
       - name: Checkout repository
         uses: actions/checkout@v4.2.2
 

.github/workflows/test.yml

@@ -20,6 +20,11 @@ jobs:
   code:
     runs-on: ubuntu-latest
     steps:
+      - name: 🛡️ Harden Runner
+        if: github.repository_owner == 'eclipse-score'
+        uses: step-security/harden-runner@v2.18.0
+        with:
+          egress-policy: audit
       - name: Checkout repository (Handle all events)
         uses: actions/checkout@v4.2.2
         with:

.github/workflows/test_links.yml

@@ -21,6 +21,11 @@ jobs:
     outputs:
       should_create_issue: ${{ steps.detect.outputs.issue_needed }}
     steps:
+      - name: 🛡️ Harden Runner
+        if: github.repository_owner == 'eclipse-score'
+        uses: step-security/harden-runner@v2.18.0
+        with:
+          egress-policy: audit
       - name: Checkout repository
         uses: actions/checkout@v4.2.2