
ci: update Testing workflow with harden-runner recommendations #4114

Merged
merged 1 commit into from
May 10, 2024

Conversation

michaelwknott
Contributor

@michaelwknott michaelwknott commented May 7, 2024

This updates the Testing workflow (testing.yml) using recommendations from Step Security's harden-runner action. Recommendations were taken from the most recent Testing workflow run (6232, see links below) where all jobs ran with only the 'Get Yesterday's cached database if today's is not available' step not running on relevant jobs.

As harden-runner only runs on Ubuntu VMs, a job-level permission was added to the 'Windows long test' job to account for the removal of the top-level workflow permission.

As the Build job has only recently been added, the egress-policy key has been left with the value audit. The harden-runner recommendations suggest changing the value to block after 10+ runs of the job.

@terriko your input on the following would be appreciated:

  • Should I remove the 'Harden Runner' step in the 'Windows long test' job as the harden runner action only runs on Ubuntu VMs?
  • I believe the permissions are set correctly for each job. I followed the harden-runner recommendations and checked the actions and commands within each job to the best of my knowledge. Are we ok to track the logs to see if the permissions are too restrictive and amend from there or would you prefer another approach? From the test logs it seems the workflow is used from my pull request branch.

Reference issue #4111
Testing workflow run 6232: https://github.com/intel/cve-bin-tool/actions/runs/8976788790/job/24654326627
harden-runner recommendations: https://app.stepsecurity.io/github/intel/cve-bin-tool/actions/runs/8976788790?jobid=24654326273&tab=recommendations

This commit updates the Testing workflow (testing.yml) using
recommendations from Step Security's harden-runner action.
Recommendations were taken from the most recent Testing workflow run
(6232, see links below) where all jobs ran with only the 'Get Yesterday's
cached database if today's is not available' step not running on
relevant jobs.

As harden-runner only runs on Ubuntu VMs, a job-level permission
was added to the 'Windows long test' job to account for the removal of
the top-level workflow permission.

As the Build job has only recently been added, the `egress-policy` key
has been left with the value `audit`. The harden-runner recommendations
suggest changing the value to `block` after 10+ runs of the job.

Reference issue intel#4111

Testing workflow run 6232:
https://github.com/intel/cve-bin-tool/actions/runs/8976788790/job/24654326627

harden-runner recommendations:
https://app.stepsecurity.io/github/intel/cve-bin-tool/actions/runs/8976788790?jobid=24654326273&tab=recommendations
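The shape of the hardening described in this PR, as an added illustration rather than the project's actual testing.yml: no top-level `permissions:`, per-job grants, a harden-runner step only on Ubuntu jobs, `block` for established jobs and `audit` for the new Build job. Job names, the test/build steps, the `contents: read` scope and the endpoint list are assumptions; the `id-token`/`attestations` write scopes come from the discussion below.

```yaml
# Added example, not the project's workflow. Steps, scopes and endpoints are assumed.
name: Testing
on:
  push:
    branches: [main]
  pull_request:

# Deliberately no top-level `permissions:` block: each job declares only what it
# needs, which is the change the PR makes.
jobs:
  long_tests:
    runs-on: ubuntu-latest
    permissions:
      contents: read                    # checkout only (assumed minimal scope)
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: block          # established job: audit findings applied
          allowed-endpoints: >          # constructed list; taken from audit runs in practice
            github.com:443
            api.github.com:443
            pypi.org:443
            files.pythonhosted.org:443
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: python -m pytest           # assumed test command

  windows_long_test:
    runs-on: windows-latest
    permissions:
      contents: read                    # job-level grant replaces the removed top-level one
    steps:
      # No Harden Runner step here: the action only supports Ubuntu runners.
      - uses: actions/checkout@v4
      - run: python -m pytest           # assumed test command

  build:
    # Assumed guard: on pull_request runs GITHUB_TOKEN is capped at read, so a job
    # that needs write scopes cannot succeed there (see the discussion below).
    if: github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write                   # required by the wheel build per the discussion
      attestations: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: audit          # new job: log egress first, move to block after 10+ runs
      - uses: actions/checkout@v4
      - run: python -m build            # assumed build command
```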
@codecov-commenter

codecov-commenter commented May 7, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 81.36%. Comparing base (d6cbe40) to head (ee1fe6e).
Report is 214 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4114      +/-   ##
==========================================
+ Coverage   75.41%   81.36%   +5.94%     
==========================================
  Files         808      820      +12     
  Lines       11983    12533     +550     
  Branches     1598     1941     +343     
==========================================
+ Hits         9037    10197    +1160     
+ Misses       2593     1908     -685     
- Partials      353      428      +75     
Flag            Coverage Δ
longtests       76.44% <ø> (+1.03%) ⬆️
win-longtests   79.52% <ø> (?)


@michaelwknott
Contributor Author

michaelwknott commented May 7, 2024

As the 'Build wheel (3.12)' job requires write permissions in the 'id-token' and 'attestations' scopes, I'm assuming that the job should fail as the workflow was run from my pull request branch (thereby setting all permissions to a maximum of 'read').

Permissions for the previous test run and the current test run can be seen below.

Contributor

@terriko terriko left a comment


Thank you!

And yes, it looks like we're (incorrectly) running the new workflow on pull requests. I'll get that fixed in a separate PR.

@terriko terriko merged commit 234f8ea into intel:main May 10, 2024
22 of 23 checks passed
@michaelwknott michaelwknott deleted the gh_workflow_testing branch May 10, 2024 19:50

3 participants