chore: apply recommended harden runner egress policies (#199)

Author: Kenneth Rosario

.github/workflows/codeql.yml

@@ -30,8 +30,16 @@ jobs:
     - name: Harden Runner
       uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
       with:
-        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
+        disable-sudo: true
+        egress-policy: block
+        allowed-endpoints: >
+          api.github.com:443
+          github.com:443
+          objects.githubusercontent.com:443
+          proxy.golang.org:443
+          repo.maven.apache.org:443
+          storage.googleapis.com:443
+          
     - name: Checkout repository
       uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 

.github/workflows/conformance.yaml

@@ -22,7 +22,15 @@ jobs:
     - name: Harden Runner
       uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
       with:
-        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+        disable-sudo: true
+        egress-policy: block
+        allowed-endpoints: >
+          api.github.com:443
+          github.com:443
+          objects.githubusercontent.com:443
+          proxy.golang.org:443
+          repo.maven.apache.org:443
+          storage.googleapis.com:443
 
     - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 

.github/workflows/lint.yaml

@@ -15,8 +15,11 @@ jobs:
     - name: Harden Runner
       uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
       with:
-        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
+        disable-sudo: true
+        egress-policy: block
+        allowed-endpoints: >
+          github.com:443
+          repo.maven.apache.org:443
     - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
     - name: Set up JDK
       uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0

.github/workflows/scorecard.yml

@@ -9,6 +9,7 @@ on:
     - cron: '0 */12 * * *'
   push:
     branches: [ "master" ]
+  workflow_dispatch:
 
 # Declare default permissions as read only.
 permissions: read-all
@@ -24,11 +25,24 @@ jobs:
       id-token: write
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
-        with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
+    - name: Harden Runner
+      uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+      with:
+        disable-sudo: true
+        egress-policy: block
+        allowed-endpoints: >
+          api.github.com:443
+          api.osv.dev:443
+          api.securityscorecards.dev:443
+          auth.docker.io:443
+          bestpractices.coreinfrastructure.org:443
+          fulcio.sigstore.dev:443
+          github.com:443
+          index.docker.io:443
+          oss-fuzz-build-logs.storage.googleapis.com:443
+          sigstore-tuf-root.storage.googleapis.com:443
+          rekor.sigstore.dev:443
+          
       - name: "Checkout code"
         uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
         with:

.github/workflows/unit.yaml

@@ -20,8 +20,11 @@ jobs:
     - name: Harden Runner
       uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
       with:
-        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
+        disable-sudo: true
+        egress-policy: block
+        allowed-endpoints: >
+          github.com:443
+          repo.maven.apache.org:443
     - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
     - name: Set up JDK ${{ matrix.java }}
       uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0