ci: Harden GitHub Actions [StepSecurity] (#13318)

2025-12-19 02:02:32 +01:00 · 2025-09-19 08:30:10 -07:00 · 2025-09-19 08:30:10 -07:00 · 7f3d8a34e2
commit 7f3d8a34e2
parent c87eb79140
4 changed files with 32 additions and 7 deletions
--- a/.github/workflows/project.yml
+++ b/.github/workflows/project.yml
@ -16,9 +16,14 @@ jobs:
    runs-on: ubuntu-latest
    if: github.repository == 'ohmyzsh/ohmyzsh'
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
      - name: Authenticate as @ohmyzsh
        id: generate-token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
        with:
          app-id: ${{ secrets.OHMYZSH_APP_ID }}
          private-key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }}