ci: add harden-runner to all GitHub Actions workflows

Add step-security/harden-runner v2.16.1 as the first step in every job
across all 14 workflow files to improve supply chain security.

Author: dangrondahl

.github/workflows/binary_provenance.yml

@@ -34,6 +34,11 @@ jobs:
             matrix:
                 artifact: ${{fromJson(inputs.artifacts)}}
         steps:
+        - name: Harden Runner
+          uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+          with:
+            egress-policy: audit
+
         - uses: actions/checkout@v6
 
         - uses: actions/download-artifact@v8

.github/workflows/claude-pr-review.yml

@@ -26,6 +26,11 @@ jobs:
       contents: read
       pull-requests: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@v6
         with:
@@ -74,6 +79,11 @@ jobs:
       contents: read
       pull-requests: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@v6
         with:

.github/workflows/daily-cli-tests.yml

@@ -11,6 +11,11 @@ jobs:
     outputs:
       trail_name: ${{ steps.prep.outputs.trail_name }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v6
 
       - name: Prepare
@@ -61,6 +66,11 @@ jobs:
       ]
     if: ${{ always() && contains(join(needs.*.result, ','), 'failure') && github.ref == 'refs/heads/master' }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+        with:
+          egress-policy: audit
+
       - name: Slack Notification on Failure
         uses: kosli-dev/reusable-actions/.github/actions/send-ci-failure-slack-message@main
         with:

.github/workflows/docker.yml

@@ -58,6 +58,11 @@ jobs:
       packages: write
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      with:
+        egress-policy: audit
+
     - uses: actions/checkout@v6
       with:
         fetch-depth: 3

.github/workflows/helm-chart.yml

@@ -16,6 +16,11 @@ jobs:
       contents: write
       pull-requests: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+        with:
+          egress-policy: audit
+
       - name: Generate token
         id: generate_token
         uses: actions/create-github-app-token@v3

.github/workflows/init_kosli.yml

@@ -39,6 +39,11 @@ jobs:
             pull-requests: read
         steps:
 
+        - name: Harden Runner
+          uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+          with:
+            egress-policy: audit
+
         - uses: actions/checkout@v6
           with:
             fetch-depth: 0

.github/workflows/install-script-tests.yml

@@ -24,6 +24,11 @@ jobs:
                 os: [ubuntu-latest, macos-latest, windows-latest]
 
         steps:
+        - name: Harden Runner
+          uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+          with:
+            egress-policy: audit
+
         - name: Checkout repository
           uses: actions/checkout@v6
 
@@ -38,6 +43,11 @@ jobs:
         runs-on: macos-latest
 
         steps:
+        - name: Harden Runner
+          uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+          with:
+            egress-policy: audit
+
         - name: Checkout repository
           uses: actions/checkout@v6
 

.github/workflows/main.yml

@@ -21,6 +21,11 @@ jobs:
       checkout_ref: ${{ steps.prep.outputs.checkout_ref }}
       report_to_kosli: ${{ steps.prep.outputs.report_to_kosli }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v6
         with:
           ref: ${{ github.event.pull_request.head.sha || github.sha }}
@@ -130,6 +135,11 @@ jobs:
       ]
     if: ${{ always() && contains(join(needs.*.result, ','), 'failure') && github.ref == 'refs/heads/master' }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+        with:
+          egress-policy: audit
+
       - name: Slack Notification on Failure
         uses: kosli-dev/reusable-actions/.github/actions/send-ci-failure-slack-message@main
         with:

.github/workflows/never_alone_trail.yml

@@ -40,6 +40,11 @@ jobs:
             pull-requests: read
         steps:
 
+        - name: Harden Runner
+          uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+          with:
+            egress-policy: audit
+
         - uses: actions/checkout@v6
           with:
             fetch-depth: 0

.github/workflows/publish_branch_docs.yml

@@ -10,6 +10,11 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v6
 
       - name: Generate json