[StepSecurity] Apply security best practices

stepsecurity-app[bot] · web-flow · commit d70e285853b7 · 2025-10-10T14:26:42.000Z
Signed-off-by: StepSecurity Bot &lt;bot@stepsecurity.io&gt;
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -12,6 +12,11 @@ jobs:
       matrix:
         python-version: ["3.8", "3.9", "3.10", "3.11", "3.12"]
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@v4
 
diff --git a/.github/workflows/check_pr_title.yml b/.github/workflows/check_pr_title.yml
@@ -10,5 +10,10 @@ jobs:
     name: Check PR title
     runs-on: [self-hosted, Linux, X64]
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Check PR title
         uses: rudderlabs/github-action-check-pr-title@v1.0.11
diff --git a/.github/workflows/housekeeping.yaml b/.github/workflows/housekeeping.yaml
@@ -14,6 +14,11 @@ jobs:
       pull-requests: write
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - uses: actions/stale@v9
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
@@ -27,6 +32,11 @@ jobs:
     name: Clean up stale branches
     runs-on: [self-hosted, Linux, X64]
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@v4
 
diff --git a/.github/workflows/slack-notify.yml b/.github/workflows/slack-notify.yml
@@ -9,6 +9,11 @@ jobs:
     name: Notify Slack
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Send message to Slack channel
         id: slack
         uses: slackapi/slack-github-action@v1.23.0
