ci: update Testing workflow with harden-runner recommendations

.github/workflows/testing.yml

@@ -1,5 +1,4 @@
 name: Testing
-permissions: read-all
 
 on:
   push:
@@ -24,6 +23,8 @@ env:
 jobs:
   docs:
     name: Documentation
+    permissions:
+      contents: read
     if: |
       ! github.event.pull_request.user.login == 'github-actions[bot]' ||
       ! (
@@ -38,7 +39,12 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
         with:
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            pypi.org:443
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
@@ -59,6 +65,8 @@ jobs:
 
   tests:
     name: Linux tests
+    permissions:
+      contents: read
     runs-on: ubuntu-22.04
     strategy:
       matrix:
@@ -68,7 +76,34 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
         with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >
+            access.redhat.com:443
+            archives.fedoraproject.org:443
+            azure.archive.ubuntu.com:80
+            curl.se:443
+            epss.cyentia.com:443
+            esm.ubuntu.com:443
+            files.pythonhosted.org:443
+            ftp.fr.debian.org:80
+            github.com:443
+            gitlab.com:443
+            mirror.cveb.in:443
+            mirror.cveb.in:80
+            motd.ubuntu.com:443
+            nvd.nist.gov:443
+            osv-vulnerabilities.storage.googleapis.com:443
+            packages.microsoft.com:443
+            ppa.launchpadcontent.net:443
+            pypi.org:443
+            raw.githubusercontent.com:443
+            release-monitoring.org:443
+            rpmfind.net:443
+            security-tracker.debian.org:443
+            services.nvd.nist.gov:443
+            storage.googleapis.com:443
+            www.cisa.gov:443
+            www.sqlite.org:443
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
@@ -149,6 +184,8 @@ jobs:
 
   long_tests:
     name: Long tests on Python 3.10
+    permissions:
+      contents: read
     if: |
       ! github.event.pull_request.user.login == 'github-actions[bot]' ||
       ! (
@@ -166,7 +203,39 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
         with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >
+            access.redhat.com:443
+            api.codecov.io:443
+            api.github.com:443
+            archives.fedoraproject.org:443
+            azure.archive.ubuntu.com:80
+            cli.codecov.io:443
+            codecov.io:443
+            curl.se:443
+            epss.cyentia.com:443
+            esm.ubuntu.com:443
+            files.pythonhosted.org:443
+            ftp.fr.debian.org:80
+            github.com:443
+            gitlab.com:443
+            mirror.cveb.in:443
+            mirror.cveb.in:80
+            motd.ubuntu.com:443
+            nvd.nist.gov:443
+            osv-vulnerabilities.storage.googleapis.com:443
+            packages.microsoft.com:443
+            ppa.launchpadcontent.net:443
+            pypi.org:443
+            raw.githubusercontent.com:443
+            release-monitoring.org:443
+            rpmfind.net:443
+            security-tracker.debian.org:443
+            services.nvd.nist.gov:443
+            storage.googleapis.com:443
+            uploader.codecov.io:443
+            www.cisa.gov:443
+            www.sqlite.org:443
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
@@ -277,6 +346,8 @@ jobs:
 
   linux-mayfail:
     name: Tests that may fail due to network or HTML
+    permissions:
+      contents: read
     if: |
       ! github.event.pull_request.user.login == 'github-actions[bot]' ||
       ! (
@@ -294,7 +365,34 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
         with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >
+            access.redhat.com:443
+            api.github.com:443
+            azure.archive.ubuntu.com:80
+            csrc.nist.gov:443
+            curl.se:443
+            epss.cyentia.com:443
+            esm.ubuntu.com:443
+            files.pythonhosted.org:443
+            github.com:443
+            gitlab.com:443
+            mirror.cveb.in:443
+            mirror.cveb.in:80
+            motd.ubuntu.com:443
+            nvd.nist.gov:443
+            osv-vulnerabilities.storage.googleapis.com:443
+            packages.microsoft.com:443
+            playwright.azureedge.net:443
+            ppa.launchpadcontent.net:443
+            pypi.org:443
+            release-monitoring.org:443
+            scap.nist.gov:443
+            security-tracker.debian.org:443
+            services.nvd.nist.gov:443
+            storage.googleapis.com:443
+            www.cisa.gov:443
+            www.sqlite.org:443
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
@@ -379,6 +477,8 @@ jobs:
 
   windows_long_tests:
     name: Windows long tests
+    permissions:
+      contents: read
     if: |
       ! github.event.pull_request.user.login == 'github-actions[bot]' ||
       ! (