Harden workflows #1685

	name: SonarCloud Analysis

	on:
	push:
	branches:
	- master
	pull_request:
	branches:
	- master
	workflow_dispatch:

	permissions:
	contents: read

	jobs:
	build:
	name: SonarCloud Scan
	runs-on: ubuntu-latest
	if: \|
	github.event_name != 'pull_request' \|\|
	github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
	with:
	disable-sudo: true
	egress-policy: block
	allowed-endpoints: >
	api.github.com:443
	github.com:443
	npm.pkg.github.com:443
	objects.githubusercontent.com:443
	registry.npmjs.org:443
	api.sonarcloud.io:443
	analysis-sensorcache-eu-central-1-prod.s3.amazonaws.com:443
	sc-cleancode-sensorcache-eu-central-1-prod.s3.amazonaws.com:443
	scanner.sonarcloud.io:443
	sonarcloud.io:443

	- name: Run SonarCloud analysis
	uses: myrotvorets/composite-actions/node-sonarscan@master
	with:
	sonar-token: ${{ secrets.SONAR_TOKEN }}
	test-script: 'test:sonarqube'

Provide feedback