[StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
2025-04-16 18:45:10 +00:00
parent 3e24dc6d8c
commit f65896d403
14 changed files with 222 additions and 34 deletions
--- a/.github/workflows/auto-close_stale_issues_and_pull-requests.yml
+++ b/.github/workflows/auto-close_stale_issues_and_pull-requests.yml
@@ -20,9 +20,14 @@ jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+        with:
+          egress-policy: audit
+
      - name: '🧹 Tag & close stale unconfirmed bugs'
        id: stale_issues
-        uses: actions/stale@v9.1.0
+        uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          days-before-stale: -1
@@ -49,7 +54,7 @@ jobs:

      - name: '🧹 Close stale requested feedback issues'
        id: awaiting_issues
-        uses: actions/stale@v9.1.0
+        uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          days-before-stale: -1
@@ -77,7 +82,7 @@ jobs:

      - name: '🧹 Tag & close inactive issues'
        id: inactive_issues
-        uses: actions/stale@v9.1.0
+        uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          days-before-stale: -1
@@ -108,7 +113,7 @@ jobs:

      - name: '🧹 Tag & close inactive PRs'
        id: inactive_pr
-        uses: actions/stale@v9.1.0
+        uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          days-before-stale: -1