ci: add step-security/harden-runner to security scanners

Audit-mode egress monitoring on codeql, scorecard, and
dependency-review workflows. Non-blocking; reports unexpected
network calls. Covers: ER-27.

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>

Author: CybotTM

.github/workflows/codeql.yml

@@ -26,6 +26,11 @@ jobs:
       matrix:
         language: [python]
     steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 

.github/workflows/dependency-review.yml

@@ -12,6 +12,11 @@ jobs:
     name: Review dependency changes
     runs-on: ubuntu-latest
     steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 

.github/workflows/scorecard.yml

@@ -20,6 +20,11 @@ jobs:
       contents: read
       actions: read
     steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with: