ci: add harden-runner to all workflows (#106)

## Summary

- Add
[step-security/harden-runner](https://github.com/step-security/harden-runner)
v2.16.0 as the first step in all workflow jobs
- Pinned to SHA `fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594`
- Using `egress-policy: audit` to monitor network activity before
switching to block mode

## Test plan

- [ ] Verify PR quality check workflow still passes
- [ ] Trigger a test run of update-cli-docs workflow

Author: dangrondahl

.github/workflows/pr-quality.yml

@@ -15,6 +15,11 @@ jobs:
     permissions:
       pull-requests: read
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Check PR title follows Conventional Commit format
         uses: amannn/action-semantic-pull-request@v6
         env:

.github/workflows/update-cli-docs.yml

@@ -17,6 +17,11 @@ jobs:
   update-docs:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Determine CLI tag
         id: tag
         run: |