Drop harden-runner (#1115)

Sadly, the host names aren't entirely predictable and we're getting spurious failures & warnings.

Author: hynek

.github/workflows/build-docset.yml

@@ -10,24 +10,19 @@ env:
   PIP_DISABLE_PIP_VERSION_CHECK: 1
   PIP_NO_PYTHON_VERSION_WARNING: 1
 
-permissions:  # added using https://github.com/step-security/secure-workflows
+permissions:
   contents: read
 
 jobs:
   docset:
     runs-on: ubuntu-latest
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@v2
-        with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
       - uses: actions/checkout@v3
         with:
-          fetch-depth: 0  # get correct version once we switch to hatch-vcs
+          fetch-depth: 0
       - uses: actions/setup-python@v4
         with:
-          python-version: "3.11"
+          python-version: "3.x"
 
       - run: pip install tox
 

.github/workflows/ci.yml

@@ -44,16 +44,6 @@ jobs:
       ${{ contains(matrix.python-version, '~') && true || false }}
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@v2
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-            files.pythonhosted.org:443
-            github.com:443
-            objects.githubusercontent.com:443
-            pypi.org:443
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v4
         with:
@@ -90,16 +80,6 @@ jobs:
     needs: tests
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@v2
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            files.pythonhosted.org:443
-            github.com:443
-            pypi.org:443
-            api.github.com:443
-
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v4
         with:
@@ -130,16 +110,6 @@ jobs:
     name: Build docs & run doctests
     runs-on: ubuntu-latest
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@v2
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            docs.python.org:443
-            files.pythonhosted.org:443
-            github.com:443
-            pypi.org:443
-
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v4
         with:
@@ -175,18 +145,6 @@ jobs:
     name: Check types using pyright
     runs-on: ubuntu-latest
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@v2
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            files.pythonhosted.org:443
-            github.com:443
-            nodejs.org:443
-            pypi.org:443
-            registry.npmjs.org:443
-            api.github.com:443
-
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v4
         with:
@@ -203,16 +161,6 @@ jobs:
         os: [ubuntu-latest, windows-latest]
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@v2
-        with:
-          disable-sudo: true
-          egress-policy: block
-          allowed-endpoints: >
-            files.pythonhosted.org:443
-            github.com:443
-            pypi.org:443
-            api.github.com:443
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v4
         with:
@@ -235,13 +183,6 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@v2
-        with:
-          disable-sudo: true
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
       - name: Decide whether the needed jobs succeeded or failed
         uses: re-actors/alls-green@release/v1
         with:

.github/workflows/codeql-analysis.yml

@@ -27,18 +27,6 @@ jobs:
         language: ["python"]
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@v2
-        with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-            bootstrap.pypa.io:443
-            files.pythonhosted.org:443
-            github.com:443
-            pypi.org:443
-            uploads.github.com:443
-
       - name: Checkout repository
         uses: actions/checkout@v3
 

.github/workflows/pypi-package.yml

@@ -22,15 +22,6 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: step-security/harden-runner@v2
-        with:
-          disable-sudo: true
-          egress-policy: block
-          allowed-endpoints: >
-            files.pythonhosted.org:443
-            github.com:443
-            pypi.org:443
-
       - uses: actions/checkout@v3
         with:
           fetch-depth: 0
@@ -46,13 +37,6 @@ jobs:
     needs: build-package
 
     steps:
-      - uses: step-security/harden-runner@v2
-        with:
-          disable-sudo: true
-          egress-policy: block
-          allowed-endpoints: >
-            test.pypi.org:443
-
       - name: Download packages built by build-and-inspect-python-package
         uses: actions/download-artifact@v3
         with:
@@ -74,13 +58,6 @@ jobs:
     needs: build-package
 
     steps:
-      - uses: step-security/harden-runner@v2
-        with:
-          disable-sudo: true
-          egress-policy: block
-          allowed-endpoints: >
-            upload.pypi.org:443
-
       - name: Download packages built by build-and-inspect-python-package
         uses: actions/download-artifact@v3
         with: