diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index 9f32c2def..4a35e0631 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -333,6 +333,7 @@ jobs:
 egress-policy: block
 allowed-endpoints: >
 api.github.com:443
+ cli.codecov.io:443
 codecov.io:443
 files.pythonhosted.org:443
 github.com:443
@@ -543,7 +544,7 @@ jobs:
 - name: Harden CI
 uses: step-security/harden-runner@v2.6.1
 with:
- egress-policy: audit
+ egress-policy: block

 - name: Checkout source code
 uses: actions/checkout@v4
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 4654fad3f..7ce2f0b58 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -17,7 +17,7 @@ jobs:
 - name: Harden CI
 uses: step-security/harden-runner@v2.6.1
 with:
- egress-policy: audit
+ egress-policy: block

 - name: Check user
 if: ${{ ! contains('["wsanchez", "mikeburg", "plapsley"]', github.actor) }}
@@ -72,7 +72,7 @@ jobs:
 - name: Harden CI
 uses: step-security/harden-runner@v2.6.1
 with:
- egress-policy: audit
+ egress-policy: block

 - name: Check user
 if: ${{ ! contains('["wsanchez", "mikeburg", "plapsley"]', github.actor) }}
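Review bot: The new `cli.codecov.io:443` entry in `allowed-endpoints` carries no record of which step needs it, and a folded `>` scalar cannot hold comments, so the reason has to sit above the key. I would add a line such as `# cli.codecov.io:443 is required by <step name> (Codecov CLI download)` directly above `allowed-endpoints: >`, so a later reviewer can prune the allowlist when the uploader changes. The step that contacts this host is outside the hunk, so the step name is left as a placeholder here.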
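Review bot: `egress-policy: block` at new line 547 is set with no `allowed-endpoints` key in the same `with:` block, and the next step is `actions/checkout@v4`, which has to reach GitHub. The job at line 333 of this file lists `github.com:443` and `api.github.com:443` explicitly, which suggests harden-runner's built-in defaults may not cover them; if so, this job fails at checkout once blocking is on, and the likely reaction is a revert to `audit`. I would add `allowed-endpoints: >` under `egress-policy: block`, filled from the endpoints recorded for this job in an earlier audit-mode run (at minimum `github.com:443`). Both hunks in deploy.yml make the same change with the same gap. Separately, `harden-runner@v2.6.1` and `checkout@v4` are mutable tags; pinning each `uses:` to a full commit SHA, with the tag kept in a trailing comment, stops the hardening step itself from changing underneath the workflow.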
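Review bot: The `Check user` condition just below the changed line passes a string literal as the first argument of `contains()`, so it is a substring test against the text `["wsanchez", "mikeburg", "plapsley"]` rather than a membership test, and any actor login that occurs inside that text is treated as one of the permitted deployers. Parsing the list first makes the match exact: `if: ${{ ! contains(fromJSON('["wsanchez", "mikeburg", "plapsley"]'), github.actor) }}`. The same line appears in the hunk at line 72 of deploy.yml. The commit does not touch this line and the step's body is outside the hunk, so what the step does when the condition is true is not visible here.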