From 747aeb06d13a4512656364dcf64a24fd2247cde2 Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]"
 <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Thu, 2 Apr 2026 21:18:43 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
---
 .github/workflows/debug-workflow.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/debug-workflow.yml b/.github/workflows/debug-workflow.yml
index 6c3c03c6f6..b3e02a8963 100644
--- a/.github/workflows/debug-workflow.yml
+++ b/.github/workflows/debug-workflow.yml
@@ -20,11 +20,19 @@ on:
   # Manual trigger for testing
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   test-local:
     runs-on: [small, default-config]
     steps:
-      - uses: actions/checkout@v4
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       # Test the published action
       # - name: New CDS Action