[StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
2025-08-28 19:23:16 +08:00 · 2025-08-08 02:08:01 +00:00 · 2025-08-08 02:08:01 +00:00 · 7c05d175f3
commit 7c05d175f3
parent 9d0281942d
1 changed files with 6 additions and 1 deletions
--- a/.github/workflows/pre-release.yml
+++ b/.github/workflows/pre-release.yml
@ -12,6 +12,11 @@ jobs:
    runs-on: ubuntu-latest

    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+
      - name: Checkout main branch
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
@ -23,7 +28,7 @@ jobs:
          git reset --hard develop

      - name: Create PR from develop to main
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          title: "Merge develop into main"