[StepSecurity] Apply security best practices

stepsecurity-app[bot] · web-flow · commit 69f5a06e3d04 · 2025-05-15T16:01:52.000Z
Signed-off-by: StepSecurity Bot &lt;bot@stepsecurity.io&gt;
diff --git a/.github/workflows/ghaudit.yaml b/.github/workflows/ghaudit.yaml
@@ -6,6 +6,9 @@ on:
 
 name: GitHub Audit
 
+permissions:
+  contents: read
+
 jobs:
   ghaudit:
     runs-on: ubuntu-latest
@@ -14,30 +17,35 @@ jobs:
       id-token: write # To federate with Octo STS
 
     steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+      with:
+        egress-policy: audit
+
     - uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0
       id: octo-sts
       with:
         scope: ${{ github.repository_owner }}
         identity: ghaudit
 
     - name: Deploy Keys
-      uses: wolfi-dev/wolfi-act@main
+      uses: wolfi-dev/wolfi-act@d78f3659c50c4520e222df428f4903a1c4b0c6ee # main
       env:
         GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
       with:
         packages: ghaudit
         command: ghaudit org -o ${{ github.repository_owner }} deploy-keys
 
     - name: Branch Protections
-      uses: wolfi-dev/wolfi-act@main
+      uses: wolfi-dev/wolfi-act@d78f3659c50c4520e222df428f4903a1c4b0c6ee # main
       env:
         GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
       with:
         packages: ghaudit
         command: ghaudit org -o ${{ github.repository_owner }} branch-protections
 
     - name: Default Permissions
-      uses: wolfi-dev/wolfi-act@main
+      uses: wolfi-dev/wolfi-act@d78f3659c50c4520e222df428f4903a1c4b0c6ee # main
       env:
         GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
       with:
