From b2ce53f611f77f93a77f4b3f764d7193aa68aa73 Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Thu, 29 May 2025 14:58:18 +0000
Subject: [PATCH] chore: [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot
---
 .github/workflows/create-release-pr.yaml | 8 ++++++++
 .github/workflows/create-release.yaml | 10 +++++++++-
 .github/workflows/pr-integration-tests.yaml | 5 +++++
 .github/workflows/pr-linting-and-unit-tests.yaml | 5 +++++
 .github/workflows/publish-docs.yml | 5 +++++
 5 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/create-release-pr.yaml b/.github/workflows/create-release-pr.yaml
index 89ce975a1..808939a52 100644
--- a/.github/workflows/create-release-pr.yaml
+++ b/.github/workflows/create-release-pr.yaml
@@ -12,6 +12,9 @@ on:
 - cron: "0 0 * * *"
 
 
+permissions:
+ contents: read
+
 jobs:
 checks:
 name: "Create Release PR"
@@ -38,6 +41,11 @@ jobs:
 #----------------------------------------------
 # Check out repo
 #----------------------------------------------
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 #----------------------------------------------
 # Setup python
diff --git a/.github/workflows/create-release.yaml b/.github/workflows/create-release.yaml
index a568a09ff..384f42920 100644
--- a/.github/workflows/create-release.yaml
+++ b/.github/workflows/create-release.yaml
@@ -5,6 +5,9 @@ on:
 branches: ['main']
 paths: ['*/poetry.lock']
 
+permissions:
+ contents: read
+
 jobs:
 checks:
 name: "Create Release"
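Review bot: The top-level `permissions: contents: read` added in this hunk restricts only the automatic GITHUB_TOKEN, and the job it precedes is named "Create Release PR" with its body outside the hunk, so it is not visible here whether that job pushes a branch and opens the PR with GITHUB_TOKEN or with a PAT. If any step relies on GITHUB_TOKEN for those writes, the job now needs a job-level override such as `permissions:\n  contents: write\n  pull-requests: write` on that job only, keeping the workflow default read-only; the same check applies to the `permissions:` block added to create-release.yaml in this patch, where the visible release step uses `secrets.BOT_PR_PAT` instead. A one-line comment above the new block, e.g. `# least-privilege default for GITHUB_TOKEN; grant write scopes per job`, would tell the next editor why it is there.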
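Review bot: `egress-policy: audit` on the new harden-runner step only records outbound connections and does not block them, so the step adds telemetry but no containment for the credentials this job handles. Once a baseline of endpoints has been collected from the audit output, the step should move to `egress-policy: block` with an `allowed-endpoints:` list, which matters most in create-release.yaml where `secrets.BOT_PR_PAT` is handed to a third-party action; the same applies to the identical steps added to create-release.yaml, pr-integration-tests.yaml, pr-linting-and-unit-tests.yaml and publish-docs.yml in this patch. As a point of style, the step in this hunk is inserted below the `# Check out repo` banner comment, so the banner now labels the hardening step rather than checkout; placing the step above the banner (likewise in pr-integration-tests.yaml and pr-linting-and-unit-tests.yaml) keeps the existing section comments accurate.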
@@ -21,6 +24,11 @@ jobs:
 run:
 working-directory: .
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
@@ -146,7 +154,7 @@ jobs:
 # ----------------------------------------------
 - name: Create Release
 if: steps.should_create_release.outputs.should_create_release == 'true'
- uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
+ uses: step-security/action-gh-release@868edcd064bf35267c4b218913c3d36d547086b4 # v2.2.2
 with:
 token: ${{ secrets.BOT_PR_PAT }}
 name: ${{ steps.prepare_release.outputs.tag }}
diff --git a/.github/workflows/pr-integration-tests.yaml b/.github/workflows/pr-integration-tests.yaml
index 0015a1fbd..7c0b53ef9 100644
--- a/.github/workflows/pr-integration-tests.yaml
+++ b/.github/workflows/pr-integration-tests.yaml
@@ -18,6 +18,11 @@ jobs:
 #----------------------------------------------
 # Check out repo
 #----------------------------------------------
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
 - name: Check out repository
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 #----------------------------------------------
diff --git a/.github/workflows/pr-linting-and-unit-tests.yaml b/.github/workflows/pr-linting-and-unit-tests.yaml
index 0f9f7a1e4..efd258854 100644
--- a/.github/workflows/pr-linting-and-unit-tests.yaml
+++ b/.github/workflows/pr-linting-and-unit-tests.yaml
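Review bot: The `uses:` line in the Create Release hunk swaps `softprops/action-gh-release` for the `step-security/action-gh-release` fork, which changes the publisher trusted by a step that receives `secrets.BOT_PR_PAT`; a pinned SHA protects against tag mutation but says nothing about whether the maintainers accept that publisher. Before merging, confirm that commit 868edcd064bf35267c4b218913c3d36d547086b4 is the one the fork tags as v2.2.2 and that the fork is an agreed supply-chain dependency, and record the decision on the step, e.g. `# step-security fork of softprops/action-gh-release; SHA pinned to its v2.2.2 tag`. Because the harden-runner step added earlier in this workflow stays in audit mode, the PAT's exposure to this action's outbound traffic is logged but not constrained. The step's remaining inputs continue outside the hunk.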
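Review bot: Unlike the two release workflows in this patch, the pr-integration-tests.yaml hunk adds only the harden-runner step and no top-level `permissions:` block; the workflow header lies outside the hunk, so it may already declare one. If it does not, the jobs run with the repository's default GITHUB_TOKEN scopes, and adding `permissions:\n  contents: read` at the top of the file (and likewise in pr-linting-and-unit-tests.yaml and publish-docs.yml, the other two files here that receive only the hardening step) would bring them in line with create-release-pr.yaml and create-release.yaml. publish-docs.yml presumably still needs a job-level write scope for whichever step publishes, which is not visible in its hunk.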
@@ -19,6 +19,11 @@ jobs:
 #----------------------------------------------
 # Check out repo
 #----------------------------------------------
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
 - name: Check out repository
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 #----------------------------------------------
diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
index 65724f5cb..9af8a76f5 100644
--- a/.github/workflows/publish-docs.yml
+++ b/.github/workflows/publish-docs.yml
@@ -14,6 +14,11 @@ jobs:
 runs-on: ubuntu-latest
 if: github.repository == 'openwallet-foundation/acapy-plugins'
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0 # fetch all commits/branches