First stage of implementing harden runner

[Kenny-Vilella]

Description

Added harden-runner for three simple CI jobs:

• minimal-import-test
• check-lockfile
• check-licenses

If it works well will add to more job.

Checklist

• New or existing tests cover these changes
• The documentation is up to date with these changes
• CHANGELOG.md has been updated (if user-facing change)

Test plan

Tested on my fork, StepSecurity mention that it is stable over the last 1XX runs, so we should not expect any issue.

Summary by CodeRabbit

• Chores
  • Strengthened security hardening across automated testing and deployment workflows by implementing stricter outbound network traffic controls. Updated GitHub Actions runner configurations to transition from monitoring mode to actively blocking unauthorized external connections, with allowlists preserving access to essential trusted services for package management and deployment.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: be006fa0-62a7-4b1c-b47a-b16c513a2406

📥 Commits

Reviewing files that changed from the base of the PR and between c1acd46 and de09e92.

📒 Files selected for processing (3)

• .github/workflows/ci.yml
• .github/workflows/pr.yml
• .github/workflows/pr_license_check.yml

---

📝 Walkthrough

Walkthrough

This PR updates GitHub Actions runner hardening configurations across three workflow files, changing egress policies from audit mode to block mode and adding allowlists of specific endpoints for outbound network traffic.

Changes

Cohort / File(s)	Summary
Runner Hardening Configuration .github/workflows/ci.yml, .github/workflows/pr.yml, .github/workflows/pr_license_check.yml	Changed egress-policy from audit to block and added allowed-endpoints allowlists restricting outbound traffic to specific hosts on port 443 (PyTorch, PyPI, GitHub, Astral, and related endpoints). Updated step display names from "Harden the runner (Audit all outbound calls)" to "Harden Runner".

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

• Add harden-runner to our CI #2068: Introduced the initial harden-runner steps in audit mode across workflows that this PR now strengthens by switching to block mode.
• Update GitHub action SHA to be compatiable with Node24 change #2161: Updates harden-runner action pins and versions in the same workflow files affected by this PR.

Suggested reviewers

• shi-eric

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'First stage of implementing harden runner' directly aligns with the PR's main objective of adding harden-runner to three CI jobs as an initial integration step.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

📢 Thoughts on this report? Let us know!