From df701d3d3cc5773261cb549058de5350ae439246 Mon Sep 17 00:00:00 2001
From: Stephan Schroevers <stephan.schroevers@teampicnic.com>
Date: Tue, 12 Mar 2024 08:07:16 +0100
Subject: [PATCH] Have `step-security/harden-runner` audit the OpenSSF
 Scorecard update workflow (#1076)

When executed on `master` this workflow requires additional permissions;
let's find out what they are.
---
 .github/workflows/openssf-scorecard.yml | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml
index f356eed3..6d091574 100644
--- a/.github/workflows/openssf-scorecard.yml
+++ b/.github/workflows/openssf-scorecard.yml
@@ -23,12 +23,8 @@ jobs:
       - name: Install Harden-Runner
         uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
-          disable-sudo: true
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-            api.osv.dev:443
-            github.com:443
+          # XXX: Replace with `block` policy.
+          egress-policy: audit
       - name: Check out code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with: