
Add StepSecurity Harden Runner to workflows#103

Closed
chirag-goel-sonarsource wants to merge 1 commit into
SonarSource:masterfrom
chirag-goel-sonarsource:add-stepsecurity-harden-runner

Conversation

@chirag-goel-sonarsource

Contributor

Adds step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 (v2.19.0) as the first step in every job across all workflow files, using egress-policy: audit to monitor outbound network traffic without blocking.

Workflows updated: build.yml, pre-commit.yml, pr-cleanup.yml, slack_notify.yml, unified-dogfooding.yml, PullRequestClosed.yml, PullRequestCreated.yml, RequestReview.yml, SubmitReview.yml

release.yml is excluded as its job uses a reusable workflow call (uses:) and does not support injecting steps.

Adds step-security/harden-runner@8d3c67d (v2.19.0)
as the first step in every job across all workflow files, using
egress-policy: audit to monitor outbound network traffic.

Workflows updated: build.yml, pre-commit.yml, pr-cleanup.yml,
slack_notify.yml, unified-dogfooding.yml, PullRequestClosed.yml,
PullRequestCreated.yml, RequestReview.yml, SubmitReview.yml

release.yml is excluded as its job uses a reusable workflow call and
does not support injecting steps.
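As an added example, not code from this PR or the SonarSource project: a small Python checker for the review criterion the description sets out, that every job's first step is step-security/harden-runner pinned to a full commit SHA with an egress-policy, and that jobs calling a reusable workflow (job-level uses:, as in release.yml) are reported as skipped rather than failed. The sample workflows are constructed and serialized as JSON, which is valid YAML 1.2, so the example runs without PyYAML; real .yml files need PyYAML installed. The job names, the reusable-workflow path and the file names in the samples are illustrative.

```python
"""Checker for the review criterion in this PR: every job's first step must be
step-security/harden-runner, pinned to a full commit SHA, with an egress-policy.
Added example, not code from the PR or the project."""
import json
import re

HARDEN_RUNNER = "step-security/harden-runner"
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")   # tag refs such as @v2 are mutable and fail this
ALLOWED_POLICIES = {"audit", "block"}       # the egress-policy values Harden Runner accepts
SHA = "8d3c67de8e2fe68ef647c8db1e6a09f647780f40"   # the commit this PR pins (v2.19.0)


def load_workflow(text):
    """Parse workflow text: PyYAML when installed, else JSON (a valid YAML 1.2 subset).
    The constructed samples below are JSON so the example runs offline."""
    try:
        import yaml
    except ImportError:
        return json.loads(text)
    return yaml.safe_load(text)


def check_workflow(doc):
    """Return (findings, skipped). findings: one string per violation.
    skipped: jobs that call a reusable workflow (job-level uses:, no step list),
    which is why release.yml was left out of this PR."""
    findings, skipped = [], []
    for name, job in (doc.get("jobs") or {}).items():
        if "uses" in job and "steps" not in job:
            skipped.append(name)
            continue
        steps = job.get("steps") or []
        if not steps:
            findings.append(f"{name}: job has no steps")
            continue
        first = steps[0]
        action, _, ref = first.get("uses", "").partition("@")
        if action != HARDEN_RUNNER:
            # Harden Runner must precede checkout so the whole job is observed.
            what = first.get("uses") or first.get("name") or "unnamed step"
            findings.append(f"{name}: first step is {what}, expected {HARDEN_RUNNER}")
            continue
        if not FULL_SHA.match(ref):
            findings.append(f"{name}: {HARDEN_RUNNER} ref {ref!r} is not a full 40-hex commit SHA")
        policy = (first.get("with") or {}).get("egress-policy")
        if policy not in ALLOWED_POLICIES:
            findings.append(f"{name}: egress-policy {policy!r} is not one of {sorted(ALLOWED_POLICIES)}")
    return findings, skipped


HARDEN_STEP = {"uses": f"{HARDEN_RUNNER}@{SHA}", "with": {"egress-policy": "audit"}}

# Constructed samples (illustrative names; not the project's real files).
SAMPLES = {
    # Shape of the PR's build.yml: two jobs, both compliant.
    "build.yml": {"name": "Build", "on": ["push", "pull_request"], "jobs": {
        "build": {"runs-on": "ubuntu-latest", "steps": [
            HARDEN_STEP, {"uses": "actions/checkout@v4"}, {"run": "./gradlew build"}]},
        "promote": {"runs-on": "ubuntu-latest", "needs": "build", "steps": [
            HARDEN_STEP, {"run": "echo promote"}]},
    }},
    # Shape of release.yml: a reusable-workflow call, nothing to inject (hypothetical path).
    "release.yml": {"name": "Release", "on": {"workflow_dispatch": {}}, "jobs": {
        "release": {"uses": "org/repo/.github/workflows/reusable.yml@v1"}}},
    # Violations: checkout before Harden Runner; tag pin and an unsupported policy.
    "bad.yml": {"name": "Bad", "on": "push", "jobs": {
        "build": {"runs-on": "ubuntu-latest", "steps": [
            {"uses": "actions/checkout@v4"}, HARDEN_STEP]},
        "test": {"runs-on": "ubuntu-latest", "steps": [
            {"uses": f"{HARDEN_RUNNER}@v2", "with": {"egress-policy": "allow"}}]},
    }},
}


def check_samples():
    """Run the checker over the constructed samples; returns {name: (findings, skipped)}."""
    return {name: check_workflow(load_workflow(json.dumps(doc)))
            for name, doc in SAMPLES.items()}


def check_files(paths):
    """Same check over workflow files on disk (PyYAML needed for .yml)."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            results[path] = check_workflow(load_workflow(fh.read()))
    return results


if __name__ == "__main__":
    for name, (findings, skipped) in check_samples().items():
        print(name, "OK" if not findings else "FAIL", "skipped:", skipped)
        for finding in findings:
            print("  -", finding)
```

Run against a checkout with check_files(glob.glob(".github/workflows/*.yml")); a job that appears under skipped is a reusable-workflow call and needs Harden Runner added inside the called workflow instead.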
@chirag-goel-sonarsource chirag-goel-sonarsource requested review from a team and Copilot April 21, 2026 14:29
@sonar-review-alpha

sonar-review-alpha Bot commented Apr 21, 2026


Summary

This PR adds network security monitoring to GitHub Actions workflows by injecting the StepSecurity Harden Runner action as the first step in every job across 9 workflow files. The action is configured with egress-policy: audit to monitor outbound traffic without blocking, providing visibility into network activity without disrupting CI/CD. All references are pinned to a specific commit hash (v2.19.0), following security best practices.

What reviewers should know

What changed:

  • 9 workflows updated: build.yml, pre-commit.yml, pr-cleanup.yml, slack_notify.yml, unified-dogfooding.yml, PullRequestClosed.yml, PullRequestCreated.yml, RequestReview.yml, SubmitReview.yml
  • Each receives 3 lines (action reference + egress-policy config) as the first step in each job
  • In build.yml, both the build and promote jobs get the step added

Key decisions:

  • Audit mode (non-blocking) is safe for initial deployment—no risk of breaking CI/CD while the team observes network behavior
  • Placement as the first step (before checkout) ensures comprehensive coverage of all activity
  • Commit hash pinning prevents surprise updates

Out of scope:

  • release.yml intentionally excluded—it uses a reusable workflow (uses:) which doesn't support injecting additional steps

To review: Check that all job steps across the workflow files have the harden-runner action properly positioned as the first step.


Copilot AI left a comment


Pull request overview

This PR strengthens CI supply-chain security posture by adding StepSecurity Harden Runner to each workflow job as the first step, configured in non-blocking egress-policy: audit mode to observe outbound network activity.

Changes:

  • Added step-security/harden-runner@8d3c67d... (v2.19.0) as the first step of each job in the updated workflows.
  • Configured Harden Runner with egress-policy: audit consistently across all updated jobs.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.

Summary per file:

  • .github/workflows/unified-dogfooding.yml: Adds Harden Runner audit step to the scheduled dogfooding build job.
  • .github/workflows/slack_notify.yml: Adds Harden Runner audit step before Slack notification action runs.
  • .github/workflows/pre-commit.yml: Adds Harden Runner audit step to the pre-commit job.
  • .github/workflows/pr-cleanup.yml: Adds Harden Runner audit step to PR cleanup job.
  • .github/workflows/build.yml: Adds Harden Runner audit step to both build and promote jobs.
  • .github/workflows/SubmitReview.yml: Adds Harden Runner audit step before vault + backlog automation.
  • .github/workflows/RequestReview.yml: Adds Harden Runner audit step before vault + backlog automation.
  • .github/workflows/PullRequestCreated.yml: Adds Harden Runner audit step before vault + backlog automation.
  • .github/workflows/PullRequestClosed.yml: Adds Harden Runner audit step before vault + backlog automation.


@sonar-review-alpha sonar-review-alpha Bot left a comment


LGTM! ✅

Clean, uniform implementation with no issues found. All 10 jobs across 9 workflow files are covered consistently, the action is pinned to the same commit hash in every file, and release.yml is correctly excluded due to its reusable-workflow job structure.


@chirag-goel-sonarsource

Contributor Author

Closing fork PR — recreating from an internal branch to resolve fork PR CI limitations.
