Add runner hardening to all jobs in our workflows

This aligns with what was done to the `lint` job of the build.yml
workflow that was inherited from cisagov/skeleton-generic.

Author: mcdonnnj

.github/workflows/build.yml

@@ -150,6 +150,11 @@ jobs:
           - default
     runs-on: ubuntu-latest
     steps:
+      - id: harden-runner
+        name: Harden the runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - uses: actions/checkout@v4
       - id: setup-python
         uses: actions/setup-python@v4

.github/workflows/codeql-analysis.yml

@@ -37,6 +37,12 @@ jobs:
         # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
 
     steps:
+      - id: harden-runner
+        name: Harden the runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@v4