From 8e5a3b8e11ade61d34697853f3260ffdd7e81f6c Mon Sep 17 00:00:00 2001 From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com> Date: Thu, 30 Oct 2025 18:04:22 +0000 Subject: [PATCH 1/2] [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot --- .github/workflows/ci.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6fea3bb..4d594f6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -7,8 +7,13 @@ jobs: lint-and-test: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + - name: Check out repository code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 scan: needs: lint-and-test From d9660afaa0c446f152e9f8ff3b5862a2944de29f Mon Sep 17 00:00:00 2001 From: Ali Kafel Date: Thu, 6 Nov 2025 10:27:27 -0500 Subject: [PATCH 2/2] add --- .github/workflows/ci.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4d594f6..859c3c4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,11 +6,14 @@ on: jobs: lint-and-test: runs-on: ubuntu-latest + permissions: + id-token: write steps: - - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - name: Harden the runner + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: - egress-policy: audit + egress-policy: block + policy: global-allowed-endpoints-policy - name: Check out repository code uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0