Update step-security/harden-runner configuration

[Stephan202]

Based on this report.

Suggested commit message:

Update `step-security/harden-runner` configuration (#1246)

While apparently the build doesn't fail without this, it is reasonable
for SonarCloud analysis to access the `api.sonarcloud.io` domain.

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

[mohamedsamehsalah]

🔒

[github-actions]

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[varunsh-coder]

Stumbed upon this PR today.
I looked up https://docs.sonarsource.com/sonarcloud/administering-sonarcloud/advanced-administration/#domain-whitelists and the one you added is listed there
it also mentions analysis-sensorcache-eu-central-1-prod.s3.amazonaws.com

BTW harden-runner allows use of wildcards as well, so you can also use *.sonarcloud.io if you want.

[Stephan202]

Hey @varunsh-coder! Great timing; I received an email about this a few days ago, and had just started work on #1271 😄 The wildcard is a good idea; will consider 💪

[Stephan202]

Ah, question then: I suppose that *.sonarcloud.io won't capture sonarcloud.io, right? (And similarly for *.github.com and github.com.)

[varunsh-coder]

Right. You will need to specify both *.sonarcloud.io and sonarcloud.io if you want to allow api.sonarcloud.io (and similar subdomains) and sonarcloud.io.