From 58095422e7a78d1d0d343e49e58f41e6e0ffa2c9 Mon Sep 17 00:00:00 2001 From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com> Date: Thu, 30 Oct 2025 18:00:09 +0000 Subject: [PATCH 1/2] [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot --- .github/workflows/ci.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9402ffc..adcb052 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -7,8 +7,13 @@ jobs: lint-and-test: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + - name: Check out repository code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 release-sbom: needs: lint-and-test From b0670c3eed9d13ae1b6a4895659c4e27a48af32d Mon Sep 17 00:00:00 2001 From: Ali Kafel Date: Thu, 6 Nov 2025 11:22:34 -0500 Subject: [PATCH 2/2] add --- .github/workflows/ci.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index adcb052..08d68dc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,11 +6,14 @@ on: jobs: lint-and-test: runs-on: ubuntu-latest + permissions: + id-token: write steps: - - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - name: Harden the runner + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: - egress-policy: audit + egress-policy: block + policy: global-allowed-endpoints-policy - name: Check out repository code uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0