From 701cb66e77bbce1d0f576baeca38d4fd87f968f7 Mon Sep 17 00:00:00 2001 From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com> Date: Sat, 11 Jul 2026 16:33:55 +0000 Subject: [PATCH] [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot --- .github/workflows/changesets.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/changesets.yml b/.github/workflows/changesets.yml index 7e106154..77d20d48 100644 --- a/.github/workflows/changesets.yml +++ b/.github/workflows/changesets.yml @@ -6,6 +6,9 @@ on: env: CI: true +permissions: + contents: read + jobs: version: timeout-minutes: 15 @@ -15,6 +18,11 @@ jobs: contents: write # Required for changesets to push version commit pull-requests: write # Required for changesets to create PRs steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + - name: Checkout code repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: