[StepSecurity] Apply security best practices

stepsecurity-app[bot] · web-flow · commit fa51be0f0bfa · 2026-02-20T18:24:42.000Z
Signed-off-by: StepSecurity Bot &lt;bot@stepsecurity.io&gt;
diff --git a/.github/workflows/on-comment.yaml b/.github/workflows/on-comment.yaml
@@ -48,6 +48,11 @@ jobs:
 
     steps:
       # Hardens the runner and checks out the default branch (not the PR branch)
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        with:
+          egress-policy: audit
+
       - name: Setup Bot Environment
         uses: ./.github/actions/setup-bot
 
diff --git a/.github/workflows/on-commit.yaml b/.github/workflows/on-commit.yaml
@@ -23,6 +23,11 @@ jobs:
       cancel-in-progress: false
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        with:
+          egress-policy: audit
+
       - name: Setup Bot Environment
         uses: ./.github/actions/setup-bot
 
diff --git a/.github/workflows/on-pr.yaml b/.github/workflows/on-pr.yaml
@@ -26,6 +26,11 @@ jobs:
       cancel-in-progress: false
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        with:
+          egress-policy: audit
+
       - name: Setup Bot Environment
         uses: ./.github/actions/setup-bot
 
