harden label_on_approval.yml

.github/workflows/label_on_approval.yml

@@ -10,18 +10,20 @@ on:
       - review_requested
 
 permissions:
-  checks: write
   contents: read
-  pull-requests: write
 
 jobs:
   label_approved:
     name: Label on Approval
+    runs-on: ubuntu-latest
     if: |
       (!contains(github.event.pull_request.labels.*.name, 'approved')) &&
       (github.event.review.state == 'approved') &&
       (github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name)
-    runs-on: ubuntu-latest
+    permissions:
+      checks: write
+      contents: read
+      pull-requests: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
@@ -40,11 +42,19 @@ jobs:
 
   comment_approved:
     name: Comment Concerning Approved Tag
+    runs-on: ubuntu-latest
     if: |
       (github.event_name == 'pull_request_target') &&
       (github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name)
-    runs-on: ubuntu-latest
+    permissions:
+      checks: write
+      contents: read
+      pull-requests: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
       - name: Find comment
         uses: peter-evans/[email protected]
         id: fc