ci: harden CI

Signed-off-by: Richard Zak <richard.j.zak@gmail.com>

.github/workflows/commisery.yml

@@ -24,7 +24,10 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
 
       - name: Run Commisery
         uses: tomtom-international/commisery-action@33eb2d6e7dfc53e6d3d09ea20c639b8858f75021 # v2.19.3

.github/workflows/dco.yml

@@ -9,6 +9,9 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
 
       - uses: tisonkun/actions-dco@f1024cd563550b5632e754df11b7d30b73be54a5 # v1.1

.github/workflows/lint.yml

@@ -10,7 +10,13 @@ jobs:
     - name: Harden Runner
       uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
       with:
-        egress-policy: audit
+        disable-sudo: true
+        egress-policy: block
+        allowed-endpoints: >
+          crates.io:443
+          github.com:443
+          index.crates.io:443
+          static.crates.io:443
 
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Setup Rust toolchain

.github/workflows/test.yml

@@ -10,7 +10,13 @@ jobs:
     - name: Harden Runner
       uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
       with:
-        egress-policy: audit
+        disable-sudo: true
+        egress-policy: block
+        allowed-endpoints: >
+          crates.io:443
+          github.com:443
+          index.crates.io:443
+          static.crates.io:443
 
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Setup Rust toolchain