circlefin · stepsecurity-app · Oct 30, 2025 · Nov 4, 2025 · Nov 4, 2025 · Nov 4, 2025
diff --git a/.github/workflows/actions-lint.yaml b/.github/workflows/actions-lint.yaml
@@ -22,7 +22,16 @@ on:
 jobs:
   lint_validate_actions:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+
     steps:
+      - name: Harden the runner
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: block
+          policy: global-allowed-endpoints-policy
+
       - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 
       - name: Checkout Actoinlint Configs

diff --git a/.github/workflows/attach-release-assets.yaml b/.github/workflows/attach-release-assets.yaml
@@ -64,7 +64,16 @@ jobs:
   release_attach_assets:
     runs-on: ubuntu-latest
     if: github.event_name == 'push' && format('refs/heads/{0}', github.event.repository.default_branch) == github.ref
+    permissions:
+      id-token: write
+
     steps:
+      - name: Harden the runner
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: block
+          policy: global-allowed-endpoints-policy
+
       - name: Download all build artifacts
         uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         if: inputs.artifact_file_globs != ''

diff --git a/.github/workflows/conventional-commit-release.yaml b/.github/workflows/conventional-commit-release.yaml
@@ -109,7 +109,16 @@ jobs:
     name: PR Title and Commits Lint
     if: github.event_name == 'pull_request'
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+
     steps:
+      - name: Harden the runner
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: block
+          policy: global-allowed-endpoints-policy
+
       - name: Calculate Fetch Depth
         if: inputs.lint_commits
         id: fetch-depth
@@ -194,7 +203,16 @@ jobs:
       additional_tags: ${{ steps.additional_tags.outputs.tags }}
       major_minor_tag: ${{ steps.additional_tags.outputs.major_minor_tag }}
       major_tag: ${{ steps.additional_tags.outputs.major_tag }}
+    permissions:
+      id-token: write
+
     steps:
+      - name: Harden the runner
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: block
+          policy: global-allowed-endpoints-policy
+
       - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 
       - name: Merge default and user input changelog types

diff --git a/.github/workflows/pr-scan.yaml b/.github/workflows/pr-scan.yaml
@@ -43,7 +43,16 @@ on:
 jobs:
   scan:
     runs-on: ${{ inputs.runs-on }}
+    permissions:
+      id-token: write
+
     steps:
+      - name: Harden the runner
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: block
+          policy: global-allowed-endpoints-policy
+
       - name: Setup
         shell: bash
         run: |-