From 8bee5a96e87b404c3c8ed451a8b75a2446856813 Mon Sep 17 00:00:00 2001
From: Maria Zhelezova <43066499+mazhelez@users.noreply.github.com>
Date: Thu, 9 Jan 2025 22:50:46 +0100
Subject: [PATCH] Security hardening (#1383)
- Move security-events to job-level in PSSriptAnalyzer workflow
- Add Harden Runner to RemoveRepositories job
---
.github/workflows/CleanupTempRepos.yaml | 5 +++++
.github/workflows/powershell.yaml | 3 ++-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/CleanupTempRepos.yaml b/.github/workflows/CleanupTempRepos.yaml
index 62f8087d7..ca647c6ec 100644
--- a/.github/workflows/CleanupTempRepos.yaml
+++ b/.github/workflows/CleanupTempRepos.yaml
@@ -60,6 +60,11 @@ jobs: runs-on: [ ubuntu-latest ] needs: [ Check ] steps: + - name: Harden Runner uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Remove Temp Repositories
diff --git a/.github/workflows/powershell.yaml b/.github/workflows/powershell.yaml
index db6f4685b..58201b699 100644
--- a/.github/workflows/powershell.yaml
+++ b/.github/workflows/powershell.yaml
@@ -12,12 +12,13 @@ on: permissions: contents: read - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results jobs: build: name: PSScriptAnalyzer runs-on: ubuntu-latest + permissions: security-events: write # for github/codeql-action/upload-sarif to upload SARIF results steps: - name: Harden Runner uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
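Review bot: `egress-policy: audit` on the new Harden Runner step in CleanupTempRepos.yaml only records outbound connections, it blocks nothing, so for a job whose next step is "Remove Temp Repositories" this adds visibility but no enforcement against a compromised action or dependency phoning home. Once a few audit runs have established which hosts the job actually needs (presumably at least `github.com:443` and `api.github.com:443` for checkout and the API calls), tighten the step to `egress-policy: block` with an `allowed-endpoints:` block scalar listing those hosts. Until then, a comment such as `# TODO: switch to egress-policy: block once audit output confirms the required endpoints` on the `egress-policy` line would record that this is an interim setting. The enclosing job's key and any `if:` condition begin above this hunk.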
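Review bot: The new job-level `permissions:` block in powershell.yaml lists only `security-events: write`, and a job-level `permissions` key does not inherit the workflow-level `contents: read` left in place above it — GitHub sets every scope not named at job level to `none`, so the build job's token loses contents read. If a later step checks out the repository (the steps continue past this hunk), that step will fail on a private repository or, on a public one, proceed only because the clone needs no token at all; either way the intent is clearer if the job-level block restates what it needs: `permissions:` / `  contents: read` / `  security-events: write # for github/codeql-action/upload-sarif to upload SARIF results`. Moving `security-events: write` off the workflow level is the right least-privilege direction; it just needs the read scope carried along.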