chore: apply security best practices from step security (#274)

stepsecurity-app[bot] · web-flow · commit b6b0f016ab13 · 2025-11-06T19:59:40.000+01:00
Signed-off-by: StepSecurity Bot &lt;bot@stepsecurity.io&gt;
Co-authored-by: stepsecurity-app[bot] &lt;188008098+stepsecurity-app[bot]@users.noreply.github.com&gt;
diff --git a/.github/workflows/build-and-quality-checks.yml b/.github/workflows/build-and-quality-checks.yml
@@ -12,6 +12,11 @@ jobs:
     if: startsWith(github.event.pull_request.head.ref, 'release/') != true
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@v4
 
diff --git a/.github/workflows/check_pr_title.yml b/.github/workflows/check_pr_title.yml
@@ -11,6 +11,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Checkout source branch
         uses: actions/checkout@v4
 
diff --git a/.github/workflows/create-hotfix-branch.yml b/.github/workflows/create-hotfix-branch.yml
@@ -13,6 +13,11 @@ jobs:
     runs-on: ubuntu-latest
     if: github.ref == 'refs/heads/main'
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Checkout source code
         uses: actions/checkout@v4
         with:
diff --git a/.github/workflows/deploy-pubdev.yml b/.github/workflows/deploy-pubdev.yml
@@ -18,6 +18,11 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/v') || startsWith(github.ref, 'refs/heads/main') || github.event.workflow_run.conclusion == 'success'
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@v4
         with:
diff --git a/.github/workflows/draft-new-release.yml b/.github/workflows/draft-new-release.yml
@@ -9,6 +9,11 @@ jobs:
     runs-on: ubuntu-latest
     if: startsWith(github.ref, 'refs/heads/develop') || startsWith(github.ref, 'refs/heads/hotfix/')
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Checkout source branch
         uses: actions/checkout@v4
         with:
diff --git a/.github/workflows/housekeeping.yaml b/.github/workflows/housekeeping.yaml
@@ -14,6 +14,11 @@ jobs:
       pull-requests: write
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - uses: actions/stale@v9
         with:
           repo-token: ${{ github.token }}
@@ -27,6 +32,11 @@ jobs:
     name: Cleanup old branches
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
diff --git a/.github/workflows/publish-new-release.yml b/.github/workflows/publish-new-release.yml
@@ -13,6 +13,11 @@ jobs:
     runs-on: ubuntu-latest
     if: (startsWith(github.event.pull_request.head.ref, 'release/') || startsWith(github.event.pull_request.head.ref, 'hotfix-release/')) && github.event.pull_request.merged == true # only merged pull requests must trigger this job
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Extract version from branch name (for release branches)
         id: extract-version
         run: |
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -15,6 +15,11 @@ jobs:
     if: startsWith(github.event.pull_request.head.ref, 'release/') != true
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@v4
         with:
