diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml index 7a990cc63c..d7d7c31b6d 100644 --- a/.github/workflows/backend.yml +++ b/.github/workflows/backend.yml @@ -28,7 +28,6 @@ jobs: aka.ms:443 api.github.com:443 api.nuget.org:443 - codecov.io:443 dc.services.visualstudio.com:443 deb.debian.org:80 dotnetbuilds.azureedge.net:443 @@ -37,7 +36,6 @@ jobs: md-hdd-t032zjxllntc.z26.blob.storage.azure.net:443 objects.githubusercontent.com:443 storage.googleapis.com:443 - uploader.codecov.io:443 - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: Setup dotnet uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0 @@ -72,12 +70,27 @@ jobs: needs: test_build runs-on: ubuntu-latest steps: + # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on + # configuring harden-runner and identifying allowed endpoints. + - name: Harden Runner + uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + with: + disable-sudo: true + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + allowed-endpoints: > + *.actions.githubusercontent.com:443 + api.github.com:443 + codecov.io:443 + github.com:443 + uploader.codecov.io:443 + - name: Checkout repository + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: Download coverage artifact uses: actions/download-artifact@v3 with: name: coverage - name: Remove the BOM - run: pwd; ls ../..; ls ..; ls ../*; sed -i '1s/^\xEF\xBB\xBF//' coverage.cobertura.xml + run: sed -i '1s/^\xEF\xBB\xBF//' coverage.cobertura.xml - name: Upload coverage report uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4 with: diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml index a57c253092..89f2a5ab3b 100644 --- a/.github/workflows/frontend.yml +++ b/.github/workflows/frontend.yml 
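Review bot: `actions/download-artifact@v3` in the new upload job is the only step still pinned by a mutable tag, while every other action in this hunk (harden-runner, checkout, codecov-action) is pinned by commit SHA with a version comment; a floating tag can be retargeted upstream, so pin it the same way, e.g. `uses: actions/download-artifact@<commit-sha> # v3.x`. Note also that `egress-policy: audit` only logs egress, so the `allowed-endpoints` list in this job is not enforced until the TODO is acted on — the codecov endpoints removed from the build job are therefore only audited here, not blocked. The audit runs should confirm whether the uploader needs anything beyond `codecov.io`/`uploader.codecov.io` (the build job keeps `storage.googleapis.com:443`, which may or may not apply to this job). The `with:` block of the codecov step continues past the end of the hunk.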
@@ -26,11 +26,9 @@ jobs: allowed-endpoints: > *.actions.githubusercontent.com:443 api.github.com:443 - codecov.io:443 github.com:443 registry.npmjs.org:443 storage.googleapis.com:443 - uploader.codecov.io:443 - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: Use Node.js ${{ matrix.node-version }} uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 @@ -59,12 +57,25 @@ jobs: needs: lint_test_build runs-on: ubuntu-latest steps: + # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on + # configuring harden-runner and identifying allowed endpoints. + - name: Harden Runner + uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + with: + disable-sudo: true + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + allowed-endpoints: > + *.actions.githubusercontent.com:443 + api.github.com:443 + codecov.io:443 + github.com:443 + uploader.codecov.io:443 + - name: Checkout repository + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: Download coverage artifact uses: actions/download-artifact@v3 with: name: coverage - - name: Remove the BOM - run: sed -i -e '$a\' clover.xml; sed -i '1s/^\xEF\xBB\xBF//' clover.xml - name: Upload coverage report uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4 with:
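Review bot: The `Remove the BOM` step for `clover.xml` is deleted outright rather than trimmed as in the backend workflow, and nothing in the hunk shows why the BOM strip and the trailing-newline fix (`sed -i -e '$a\'`) are no longer needed; if the artifact can still start with a BOM the upload step that follows inherits the problem, so either keep the step or add a comment such as `# clover.xml is generated without a BOM; no normalisation needed` stating why it was dropped. Separately, `actions/download-artifact@v3` is pinned by a floating tag unlike every other action in the job, which are SHA-pinned — pin it to a commit as well. With `egress-policy: audit` the `allowed-endpoints` list is advisory only; the TODO already notes the switch to `block`, and the audit output should be reviewed before flipping it. The codecov step's `with:` block continues beyond the hunk.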