Security hardening (microsoft#1383)

mazhelez · web-flow · commit 8bee5a96e87b · 2025-01-09T21:50:46.000Z
- Move security-events to job-level in PSSriptAnalyzer workflow
- Add Harden Runner to RemoveRepositories job
diff --git a/.github/workflows/CleanupTempRepos.yaml b/.github/workflows/CleanupTempRepos.yaml
@@ -60,6 +60,11 @@ jobs:
     runs-on: [ ubuntu-latest ]
     needs: [ Check ]
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Remove Temp Repositories
diff --git a/.github/workflows/powershell.yaml b/.github/workflows/powershell.yaml
@@ -12,12 +12,13 @@ on:
 
 permissions:
   contents: read
-  security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
 
 jobs:
   build:
     name: PSScriptAnalyzer
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
