From be86930b6f9d84e166fb89cb3217112db73d313e Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Fri, 31 Oct 2025 12:19:41 +0000
Subject: [PATCH] chore: [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot
---
 .github/workflows/ats.publish.yml | 5 +++++
 .github/workflows/mp.publish.yml | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/.github/workflows/ats.publish.yml b/.github/workflows/ats.publish.yml
index 411f30b0f..faf929855 100644
--- a/.github/workflows/ats.publish.yml
+++ b/.github/workflows/ats.publish.yml
@@ -146,6 +146,11 @@ jobs:
 - sdk
 if: ${{ always() }}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ with:
+ egress-policy: audit
+
 - name: Report Results
 run: |
 echo "## ATS Publish Results" >> "${GITHUB_STEP_SUMMARY}"
diff --git a/.github/workflows/mp.publish.yml b/.github/workflows/mp.publish.yml
index 941880a8f..bbda2fc8d 100644
--- a/.github/workflows/mp.publish.yml
+++ b/.github/workflows/mp.publish.yml
@@ -103,6 +103,11 @@ jobs:
 - mass-payout
 if: ${{ always() }}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ with:
+ egress-policy: audit
+
 - name: Report Results
 run: |
 echo "## Mass Payout Publish Results" >> "${GITHUB_STEP_SUMMARY}"
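Review bot: `egress-policy: audit` only records outbound connections and blocks none, and in this hunk the step lands in the results job gated by `if: ${{ always() }}`, whose one visible step just appends to `GITHUB_STEP_SUMMARY`. harden-runner observes only the job it runs in, so the jobs this one depends on (`sdk` here, `mass-payout` in the identical hunk for `.github/workflows/mp.publish.yml`) need the same first step if they lack it; they sit outside both hunks, so I cannot confirm that from here. Those are presumably the jobs that hold the publish credentials, which is where an egress record is worth having. Once the audit baseline has been reviewed I would switch to `egress-policy: block` with an `allowed-endpoints` list, and until then leave a marker above the `with:` block such as `# TODO: move to egress-policy: block + allowed-endpoints after reviewing the audit baseline`. The `steps:` list of each job continues past the end of its hunk.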