fix(ci): inline step-security/harden-runner in all 14 workflows

Replace local composite action wrappers (./.github/actions/harden-runner/*)
with direct calls to step-security/harden-runner@SHA in every job step.

Root cause: GitHub composite actions do not propagate pre:/post: hooks
to nested actions. harden-runner's eBPF network monitoring is set up in
its pre: hook, which was silently skipped when called via a composite
action wrapper. This caused:
  - Warning: pre execution is not supported for local action
  - Error: ENOENT /home/agent/post_event.json (post step crash)

Each workflow now calls step-security/harden-runner directly with its
inline egress profile. The four profiles and their endpoint sets are:

  minimal  (8 files): api.github.com, github.com, *.githubusercontent.com,
                      mise.run, *.mise.jdx.dev

  audit    (2 files): minimal + ghcr.io, docker registries,
                      osv/trivy/sigstore/scorecard scanners

  standard (3 files): minimal + OS pkg managers, npm/pypi/cargo/go/
                      maven/gems/terraform/gradle registries

  full     (5 steps): standard + gcr/ecr/acr/quay registries,
                      osv/trivy/sigstore scanners

Files changed: 14 workflow files

Signed-off-by: snowdream <snowdream@users.noreply.github.com>

Author: snowdream

.github/workflows/cache.yml

@@ -37,13 +37,16 @@ jobs:
       contents: read # Required for repository metadata access
     timeout-minutes: 40 # 10m is more than enough for cache list/delete operations
     steps:
-      - name: "📥 Bootstrap Local Actions"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          sparse-checkout: .github/actions
-          persist-credentials: false
       - name: "🔒 Harden Runner (Minimal)"
-        uses: ./.github/actions/harden-runner/minimal
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.10.2
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            *.githubusercontent.com:443
+            mise.run:443
+            *.mise.jdx.dev:443
       - name: "🧹 Prune Inactive GitHub Caches"
         shell: sh # POSIX compliant shell for better portability
         run: |

.github/workflows/cd.yml

@@ -43,13 +43,62 @@ jobs:
     env:
       PYTHONUTF8: 1
     steps:
-      - name: "📥 Bootstrap Local Actions"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          sparse-checkout: .github/actions
-          persist-credentials: false
       - name: "🔒 Harden Runner (Full)"
-        uses: ./.github/actions/harden-runner/full
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.10.2
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            *.githubusercontent.com:443
+            mise.run:443
+            *.mise.jdx.dev:443
+            packages.microsoft.com:443
+            *.ubuntu.com:80
+            *.ubuntu.com:443
+            *.debian.org:80
+            *.debian.org:443
+            *.rockylinux.org:443
+            *.centos.org:443
+            *.redhat.com:443
+            dl-cdn.alpinelinux.org:443
+            registry.npmjs.org:443
+            registry.yarnpkg.com:443
+            pypi.org:443
+            files.pythonhosted.org:443
+            proxy.golang.org:443
+            sum.golang.org:443
+            index.crates.io:443
+            static.rust-lang.org:443
+            packagist.org:443
+            repo.maven.apache.org:443
+            rubygems.org:443
+            registry.terraform.io:443
+            formulae.brew.sh:443
+            repo.yarnpkg.com:443
+            nodejs.org:443
+            deno.land:443
+            cdn.deno.land:443
+            downloads.gradle.org:443
+            services.gradle.org:443
+            downloads.gradle-dn.com:443
+            ghcr.io:443
+            pkg-containers.githubusercontent.com:443
+            public.ecr.aws:443
+            production.cloudflare.docker.com:443
+            registry-1.docker.io:443
+            auth.docker.io:443
+            index.docker.io:443
+            *.gcr.io:443
+            *.pkg.dev:443
+            *.quay.io:443
+            *.dkr.ecr.*.amazonaws.com:443
+            *.azurecr.io:443
+            osv-vulnerabilities.storage.googleapis.com:443
+            api.osv.dev:443
+            get.trivy.dev:443
+            *.aquasecurity.github.io:443
+            *.sigstore.dev:443
       - name: "📂 Checkout Repository Code"
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:

.github/workflows/ci.yml

@@ -32,13 +32,62 @@ jobs:
     permissions:
       contents: read
     steps:
-      - name: "📥 Bootstrap Local Actions"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          sparse-checkout: .github/actions
-          persist-credentials: false
       - name: "🔒 Harden Runner (Full)"
-        uses: ./.github/actions/harden-runner/full
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.10.2
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            *.githubusercontent.com:443
+            mise.run:443
+            *.mise.jdx.dev:443
+            packages.microsoft.com:443
+            *.ubuntu.com:80
+            *.ubuntu.com:443
+            *.debian.org:80
+            *.debian.org:443
+            *.rockylinux.org:443
+            *.centos.org:443
+            *.redhat.com:443
+            dl-cdn.alpinelinux.org:443
+            registry.npmjs.org:443
+            registry.yarnpkg.com:443
+            pypi.org:443
+            files.pythonhosted.org:443
+            proxy.golang.org:443
+            sum.golang.org:443
+            index.crates.io:443
+            static.rust-lang.org:443
+            packagist.org:443
+            repo.maven.apache.org:443
+            rubygems.org:443
+            registry.terraform.io:443
+            formulae.brew.sh:443
+            repo.yarnpkg.com:443
+            nodejs.org:443
+            deno.land:443
+            cdn.deno.land:443
+            downloads.gradle.org:443
+            services.gradle.org:443
+            downloads.gradle-dn.com:443
+            ghcr.io:443
+            pkg-containers.githubusercontent.com:443
+            public.ecr.aws:443
+            production.cloudflare.docker.com:443
+            registry-1.docker.io:443
+            auth.docker.io:443
+            index.docker.io:443
+            *.gcr.io:443
+            *.pkg.dev:443
+            *.quay.io:443
+            *.dkr.ecr.*.amazonaws.com:443
+            *.azurecr.io:443
+            osv-vulnerabilities.storage.googleapis.com:443
+            api.osv.dev:443
+            get.trivy.dev:443
+            *.aquasecurity.github.io:443
+            *.sigstore.dev:443
       - name: "📂 Checkout Repository Code"
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -68,14 +117,63 @@ jobs:
       VENV: ".venv"
       PYTHONUTF8: 1
     steps:
-      - name: "📥 Bootstrap Local Actions"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          sparse-checkout: .github/actions
-          persist-credentials: false
       - name: "🔒 Harden Runner (Security Egress Audit)"
         if: matrix.os == 'ubuntu-latest'
-        uses: ./.github/actions/harden-runner/full
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.10.2
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            *.githubusercontent.com:443
+            mise.run:443
+            *.mise.jdx.dev:443
+            packages.microsoft.com:443
+            *.ubuntu.com:80
+            *.ubuntu.com:443
+            *.debian.org:80
+            *.debian.org:443
+            *.rockylinux.org:443
+            *.centos.org:443
+            *.redhat.com:443
+            dl-cdn.alpinelinux.org:443
+            registry.npmjs.org:443
+            registry.yarnpkg.com:443
+            pypi.org:443
+            files.pythonhosted.org:443
+            proxy.golang.org:443
+            sum.golang.org:443
+            index.crates.io:443
+            static.rust-lang.org:443
+            packagist.org:443
+            repo.maven.apache.org:443
+            rubygems.org:443
+            registry.terraform.io:443
+            formulae.brew.sh:443
+            repo.yarnpkg.com:443
+            nodejs.org:443
+            deno.land:443
+            cdn.deno.land:443
+            downloads.gradle.org:443
+            services.gradle.org:443
+            downloads.gradle-dn.com:443
+            ghcr.io:443
+            pkg-containers.githubusercontent.com:443
+            public.ecr.aws:443
+            production.cloudflare.docker.com:443
+            registry-1.docker.io:443
+            auth.docker.io:443
+            index.docker.io:443
+            *.gcr.io:443
+            *.pkg.dev:443
+            *.quay.io:443
+            *.dkr.ecr.*.amazonaws.com:443
+            *.azurecr.io:443
+            osv-vulnerabilities.storage.googleapis.com:443
+            api.osv.dev:443
+            get.trivy.dev:443
+            *.aquasecurity.github.io:443
+            *.sigstore.dev:443
       - name: "📂 Checkout Repository Code"
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -162,14 +260,63 @@ jobs:
       VENV: ".venv"
       PYTHONUTF8: 1
     steps:
-      - name: "📥 Bootstrap Local Actions"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          sparse-checkout: .github/actions
-          persist-credentials: false
       - name: "🔒 Harden Runner (Security Egress Audit)"
         if: matrix.os == 'ubuntu-latest'
-        uses: ./.github/actions/harden-runner/full
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.10.2
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            *.githubusercontent.com:443
+            mise.run:443
+            *.mise.jdx.dev:443
+            packages.microsoft.com:443
+            *.ubuntu.com:80
+            *.ubuntu.com:443
+            *.debian.org:80
+            *.debian.org:443
+            *.rockylinux.org:443
+            *.centos.org:443
+            *.redhat.com:443
+            dl-cdn.alpinelinux.org:443
+            registry.npmjs.org:443
+            registry.yarnpkg.com:443
+            pypi.org:443
+            files.pythonhosted.org:443
+            proxy.golang.org:443
+            sum.golang.org:443
+            index.crates.io:443
+            static.rust-lang.org:443
+            packagist.org:443
+            repo.maven.apache.org:443
+            rubygems.org:443
+            registry.terraform.io:443
+            formulae.brew.sh:443
+            repo.yarnpkg.com:443
+            nodejs.org:443
+            deno.land:443
+            cdn.deno.land:443
+            downloads.gradle.org:443
+            services.gradle.org:443
+            downloads.gradle-dn.com:443
+            ghcr.io:443
+            pkg-containers.githubusercontent.com:443
+            public.ecr.aws:443
+            production.cloudflare.docker.com:443
+            registry-1.docker.io:443
+            auth.docker.io:443
+            index.docker.io:443
+            *.gcr.io:443
+            *.pkg.dev:443
+            *.quay.io:443
+            *.dkr.ecr.*.amazonaws.com:443
+            *.azurecr.io:443
+            osv-vulnerabilities.storage.googleapis.com:443
+            api.osv.dev:443
+            get.trivy.dev:443
+            *.aquasecurity.github.io:443
+            *.sigstore.dev:443
       - name: "📂 Checkout Repository Code"
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -251,13 +398,62 @@ jobs:
       VENV: ".venv"
       PYTHONUTF8: 1
     steps:
-      - name: "📥 Bootstrap Local Actions"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          sparse-checkout: .github/actions
-          persist-credentials: false
       - name: "🔒 Harden Runner (Full)"
-        uses: ./.github/actions/harden-runner/full
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.10.2
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            *.githubusercontent.com:443
+            mise.run:443
+            *.mise.jdx.dev:443
+            packages.microsoft.com:443
+            *.ubuntu.com:80
+            *.ubuntu.com:443
+            *.debian.org:80
+            *.debian.org:443
+            *.rockylinux.org:443
+            *.centos.org:443
+            *.redhat.com:443
+            dl-cdn.alpinelinux.org:443
+            registry.npmjs.org:443
+            registry.yarnpkg.com:443
+            pypi.org:443
+            files.pythonhosted.org:443
+            proxy.golang.org:443
+            sum.golang.org:443
+            index.crates.io:443
+            static.rust-lang.org:443
+            packagist.org:443
+            repo.maven.apache.org:443
+            rubygems.org:443
+            registry.terraform.io:443
+            formulae.brew.sh:443
+            repo.yarnpkg.com:443
+            nodejs.org:443
+            deno.land:443
+            cdn.deno.land:443
+            downloads.gradle.org:443
+            services.gradle.org:443
+            downloads.gradle-dn.com:443
+            ghcr.io:443
+            pkg-containers.githubusercontent.com:443
+            public.ecr.aws:443
+            production.cloudflare.docker.com:443
+            registry-1.docker.io:443
+            auth.docker.io:443
+            index.docker.io:443
+            *.gcr.io:443
+            *.pkg.dev:443
+            *.quay.io:443
+            *.dkr.ecr.*.amazonaws.com:443
+            *.azurecr.io:443
+            osv-vulnerabilities.storage.googleapis.com:443
+            api.osv.dev:443
+            get.trivy.dev:443
+            *.aquasecurity.github.io:443
+            *.sigstore.dev:443
       - name: "📂 Checkout Repository Code"
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with: