From 363278531a55f20474a8ebfa8881de601fe6fbe0 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Sat, 5 Oct 2024 12:01:35 +0000
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot
---
 .github/workflows/on_new_pr.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.github/workflows/on_new_pr.yml b/.github/workflows/on_new_pr.yml
index 4debb332..088bbac7 100644
--- a/.github/workflows/on_new_pr.yml
+++ b/.github/workflows/on_new_pr.yml
@@ -26,6 +26,11 @@ jobs:
       # Specifically check that dependabot (or another trusted party) created this pull-request, and that it has been labelled correctly.
       if: contains(github.event.pull_request.labels.*.name, 'dependencies')
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: alexwilson/enable-github-automerge-action@2.0.0
         with:
           github-token: ${{secrets.SOURCE_PUSH_TOKEN}}
@@ -40,6 +45,11 @@ jobs:
       if: contains(github.event.pull_request.labels.*.name, 'dependencies')
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: hmarr/auto-approve-action@v4
         with:
           github-token: ${{secrets.SOURCE_PUSH_TOKEN}}
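Review bot: The new `uses: step-security/harden-runner@v2` line in both hunks references a mutable major-version tag, so the step added to harden the supply chain is itself resolvable to whatever commit the tag points at tomorrow; a hardening commit should pin to a full-length commit SHA with the version as a trailing comment, e.g. `uses: step-security/harden-runner@<full-commit-sha> # v2.x.y`. Note also that `egress-policy: audit` only records outbound connections and blocks nothing, which is a reasonable first pass but should be stated in a comment such as `# audit mode: logs egress only; switch to block with allowed-endpoints once the baseline is known`, so the job's label-only gate on `secrets.SOURCE_PUSH_TOKEN` is not mistaken for being protected by this step. The enclosing job definitions begin outside both hunks.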