[StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot <[email protected]>
intel · May 6, 2024 · dc235bb · dc235bb
1 parent 905f6ff
commit dc235bb
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/.github/workflows/00_pr_auto_approve.yml b/.github/workflows/00_pr_auto_approve.yml
@@ -2,13 +2,21 @@ name: "00 PR Auto approve"
 
 on: pull_request_target
 
+permissions:
+  contents: read
+
 jobs:
   auto-approve:
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write
     if: contains(fromJson('["dependabot[bot]", "github-actions[bot]", "pdxjohnny"]'), github.actor)
     steps:
-      - uses: hmarr/auto-approve-action@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        with:
+          egress-policy: audit
+
+      - uses: hmarr/auto-approve-action@8f929096a962e83ccdfa8afcf855f39f12d4dac7 # v4
         with:
           review-message: "LGTM"