[StepSecurity] Apply security best practices (#85)

stepsecurity-app[bot] · web-flow · commit e457e594fd78 · 2025-06-06T12:26:14.000-06:00
Signed-off-by: StepSecurity Bot &lt;bot@stepsecurity.io&gt;
Co-authored-by: stepsecurity-app[bot] &lt;188008098+stepsecurity-app[bot]@users.noreply.github.com&gt;
diff --git a/.github/workflows/ci-actions.yaml b/.github/workflows/ci-actions.yaml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: ["**"]
 
+permissions:
+  contents: read
+
 jobs:
   zizmor:
     name: zizmor latest via PyPI
@@ -15,6 +18,11 @@ jobs:
       contents: read
       actions: read
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
diff --git a/.github/workflows/ci-chart.yaml b/.github/workflows/ci-chart.yaml
@@ -8,10 +8,18 @@ on:
       - charts/**
       - .github/workflows/ci-chart.yaml
 
+permissions:
+  contents: read
+
 jobs:
   lint-test:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
diff --git a/.github/workflows/ci-code.yaml b/.github/workflows/ci-code.yaml
@@ -9,6 +9,9 @@ on:
       - Cargo.*
       - .github/workflows/ci-code.yaml
 
+permissions:
+  contents: read
+
 jobs:
   rustfmt:
     name: rustfmt
