From 631898ba9fb19020c0a568a4207343477e224ef5 Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Wed, 1 Apr 2026 03:56:38 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices
Signed-off-by: StepSecurity Bot
---
.github/workflows/build.yml | 9 +++++++--
.github/workflows/docs.yml | 9 +++++++--
.github/workflows/on_pull_request.yml | 9 +++++++--
3 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index bbf4af0..058196b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -7,12 +7,17 @@ jobs: id-token: write # needed for trusted publishing step contents: read steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + - name: Install Build Tools run: | curl -sSL https://install.python-poetry.org | python echo $HOME/.poetry/bin >> $GITHUB_PATH - - uses: actions/checkout@v6 - - uses: actions/setup-python@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.10" - name: Install Python Requirements
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index d0eee76..00ae1c2 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
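Review bot: `egress-policy: audit` on the new harden-runner step only records outbound connections and blocks none of them, so the workflow gains visibility but no enforcement, which matters most in build.yml where the job holds `id-token: write` for trusted publishing and the very next step still runs an unpinned `curl -sSL https://install.python-poetry.org | python`. Once one audit run has produced the endpoint report, change the line to `egress-policy: block` and add an `allowed-endpoints:` block scalar listing the observed hosts (at minimum the poetry installer host plus whatever checkout, setup-python and the later pip install reach; confirm the exact list from the audit output rather than guessing). The same point applies to the identical harden-runner hunks in docs.yml and on_pull_request.yml, where the step is likewise added as the first step, correctly ahead of checkout. The enclosing job definition starts above the hunk, so its trigger and runner label are not visible here.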
@@ -9,12 +9,17 @@ jobs: permissions: contents: write steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + - name: Install Build Tools run: | curl -sSL https://install.python-poetry.org | python echo $HOME/.poetry/bin >> $GITHUB_PATH - - uses: actions/checkout@v6 - - uses: actions/setup-python@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.10" - name: Install Python Requirements
diff --git a/.github/workflows/on_pull_request.yml b/.github/workflows/on_pull_request.yml
index dd9f9e9..33909ff 100644
--- a/.github/workflows/on_pull_request.yml
+++ b/.github/workflows/on_pull_request.yml
@@ -8,6 +8,11 @@ jobs: permissions: contents: read steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + - name: Install Build Tools run: | mkdir -p $HOME/bin
@@ -15,8 +20,8 @@ jobs: echo $HOME/bin >> $GITHUB_PATH curl -sSL https://install.python-poetry.org | python echo $HOME/.poetry/bin >> $GITHUB_PATH - - uses: actions/checkout@v6 - - uses: actions/setup-python@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.10" - name: Install Python Requirements