Merge pull request #330 from step-security-bot/chore/GHA-110959-stepsecurity-remediation

tolgaozen · web-flow · commit 783a8ba0daad · 2025-11-11T12:59:20.000+03:00
[StepSecurity] ci: Harden GitHub Actions
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -10,15 +10,20 @@ jobs:
     name: Publish to NPM
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
           cache-dependency-path: ./yarn.lock
           cache: "yarn"
           node-version: 20
       
-      - uses: bahmutov/npm-install@v1
+      - uses: bahmutov/npm-install@3e063b974f0d209807684aa23e534b3dde517fd9 # v1.11.2
         with:
           useLockFile: false
       
@@ -33,7 +38,7 @@ jobs:
       
       - run: "npm version ${VERSION} --no-git-tag-version"
       
-      - uses: JS-DevTools/npm-publish@v4
+      - uses: JS-DevTools/npm-publish@7f8fe47b3bea1be0c3aec2b717c5ec1f3e03410b # v4.1.1
         with:
           token: ${{ secrets.NPM_TOKEN }}
           access: public
