feat(security): Enable block harden runner #47

Merged
jfagoagas merged 1 commit into main from enable-block-hardened-runner
Mar 26, 2026

Conversation

@jfagoagas (Member)

Description

  • Enable block harden runner
  • Set allowed endpoints in env:

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Copilot AI review requested due to automatic review settings March 26, 2026 12:36
@github-actions

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@jfagoagas jfagoagas merged commit 5303cc5 into main Mar 26, 2026
11 checks passed
@jfagoagas jfagoagas deleted the enable-block-hardened-runner branch March 26, 2026 12:38

Copilot AI left a comment


Pull request overview

This PR tightens GitHub Actions runner egress controls by switching step-security/harden-runner from audit mode to block mode, and introducing per-workflow allowlists for outbound endpoints.

Changes:

  • Set egress-policy: block for step-security/harden-runner across multiple workflows.
  • Add workflow-level env.step-security-allowed-endpoints allowlists and pass them into allowed-endpoints for hardened jobs.
  • Standardize the hardening step name to Harden Runner.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Summary per file:

  • .github/workflows/zizmor.yml: Adds allowlisted endpoints and switches runner hardening to block mode for Zizmor jobs.
  • .github/workflows/pull-request.yml: Adds a broader allowlist for Python CI dependencies (PyPI/Safety/Codecov/etc.) and enables block mode.
  • .github/workflows/pr-conflict-checker.yml: Adds allowlist for GitHub/GitHub API and enables block mode for the conflict checker.
  • .github/workflows/find-secrets.yml: Adds allowlist for GHCR/container endpoints and enables block mode for TruffleHog.
  • .github/workflows/conventional-commit.yml: Switches runner hardening to block mode, but does not add an allowlist.
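The pattern the review describes (a workflow-level env allowlist passed into step-security/harden-runner in block mode), as an added illustrative workflow that is not one of the PR's files; the workflow name, the action version tags and the endpoint hostnames are placeholders, not taken from the PR.

```yaml
# Illustrative workflow (not from this PR). Version tags are placeholders;
# in a real workflow pin each action to a release tag or commit SHA.
name: ci

on:
  pull_request:

# Workflow-level allowlist, one host:port per line, shared by every hardened
# job below. Hostnames here are placeholders chosen for illustration.
env:
  step-security-allowed-endpoints: |
    github.com:443
    api.github.com:443
    pypi.org:443
    files.pythonhosted.org:443

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@vX   # placeholder version
        with:
          # "audit" only records outbound connections; "block" enforces the list
          egress-policy: block
          allowed-endpoints: ${{ env.step-security-allowed-endpoints }}

      - uses: actions/checkout@vX               # placeholder version
      - run: pip install -r requirements.txt    # only pypi.org / files.pythonhosted.org are reachable

  lint-commits:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@vX   # placeholder version
        with:
          # Block mode with no allowed-endpoints, the case the review flags:
          # any outbound connection this job's steps make to a host that is
          # not allowed is refused, so run the job in audit mode first and
          # copy the observed endpoints into the allowlist before switching.
          egress-policy: block

      - uses: actions/checkout@vX               # placeholder version
```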
