[StepSecurity] ci: Harden GitHub Actions (#293)

step-security-bot · web-flow · commit 70b9862cb307 · 2025-04-03T17:18:49.000Z
Signed-off-by: StepSecurity Bot &lt;bot@stepsecurity.io&gt;
diff --git a/.github/workflows/pythonpackage.yml b/.github/workflows/pythonpackage.yml
@@ -10,6 +10,9 @@ on:
 
   workflow_dispatch: {}
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -19,6 +22,11 @@ jobs:
         python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@v2
+      with:
+        egress-policy: audit
+
     - uses: actions/checkout@v4
 
     - name: Set up Python ${{ matrix.python-version }}
diff --git a/.github/workflows/semantic-release.yaml b/.github/workflows/semantic-release.yaml
@@ -11,6 +11,11 @@ jobs:
     environment: production
     runs-on: [ ubuntu-latest ]
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
         with:
           token: ${{ secrets.COMMIT_TOKEN }}
