Harden GitHub Actions workflows (#16)

- Pin actions to full commit SHAs for supply chain security
- Add step-security/harden-runner for runtime security monitoring
- Set minimum GITHUB_TOKEN permissions
- Apply security best practices per StepSecurity recommendations

Author: mraible

.github/workflows/main.yml

@@ -9,9 +9,14 @@ jobs:
     name: Test servicenowToIdpPolicyRulesTransformer
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v5
       - name: Setup Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a20  # v6
         with:
           python-version: '3.13'
           cache: 'pip'

.github/workflows/pylint.yml

@@ -17,9 +17,14 @@ jobs:
     env:
       PYTHON_VERSION: '3.13'
     steps:
-      - uses: actions/checkout@v5
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v5
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a20  # v6
         with:
           python-version: ${{ env.PYTHON_VERSION }}
       - name: Install global dependencies