From bf068c320401b36f5f50ce97f9063503eee5b0b8 Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Tue, 21 Apr 2026 04:22:20 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot
---
 .github/workflows/all_green_check.yml | 5 +++++
 .github/workflows/linters.yml | 9 +++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/all_green_check.yml b/.github/workflows/all_green_check.yml
index 00871e2..cc746d1 100644
--- a/.github/workflows/all_green_check.yml
+++ b/.github/workflows/all_green_check.yml
@@ -31,6 +31,11 @@ jobs:
       - sanity
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
+
       - run: >-
           python -c "assert set([
           '${{ needs.linters.result }}',
diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
index b36687c..82052b4 100644
--- a/.github/workflows/linters.yml
+++ b/.github/workflows/linters.yml
@@ -15,10 +15,15 @@ jobs:
   ansible-lint:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
+
       - name: Checkout PR branch code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Run ansible-lint
-        uses: ansible/ansible-lint@v24.2.3
+        uses: ansible/ansible-lint@dfb8fea539b53a0f9615282615f1dca90e7ecb91 # v24.2.3
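Review bot: `egress-policy: audit` on the new harden-runner step in all_green_check.yml only records outbound connections and blocks none of them, so this job gains visibility but no actual protection against exfiltration or a compromised dependency phoning home. The only step visible in the job is a `python -c` assertion over `needs.*.result` values, which needs no network, so it looks like a straightforward candidate for `egress-policy: block` with no `allowed-endpoints` (harden-runner's report will show any host that turns out to be required). If audit is intentional as a first observation pass, record that in the workflow, e.g. `# TODO: switch to egress-policy: block once the audit report confirms no required endpoints`. The `run` step continues past the end of the hunk, so I cannot confirm there are no further network-using steps.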
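Review bot: The same audit-only `egress-policy` in linters.yml is weaker here because this job runs third-party code (`ansible/ansible-lint`) that presumably fetches dependencies from the network; plan the follow-up to `egress-policy: block` with an `allowed-endpoints` list derived from the audit report rather than leaving the step in audit mode indefinitely. The SHA pins on `actions/checkout` and `ansible/ansible-lint` are the right change, but the trailing `# v4.3.1` / `# v24.2.3` comments are what automated bumpers and human readers rely on to know what the hash means, so any future SHA change must update the comment in the same commit. The unchanged `ref: ${{ github.event.pull_request.head.sha }}` checkout is safe under a `pull_request` trigger but would execute untrusted PR content with repository credentials under `pull_request_target`; the workflow's `on:` block is outside this hunk, so worth confirming which trigger is in use.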