From d8a5f385bf76ad21cb8942412a370bee3e7b8ce6 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Sat, 29 Oct 2022 12:16:32 +0000
Subject: [StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot
---
 .github/workflows/build.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to '.github/workflows/build.yml')

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 74f4375c9..e383c9ef2 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -24,10 +24,18 @@ on:
       - RELNOTES
       - SECURITY.md
 
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   build_and_test:
     runs-on: ubuntu-22.04
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
       - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       - name: update package information
         run: sudo apt-get update
-- 
cgit v1.2.3-70-g09d2
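Review bot: `egress-policy: audit` on the new Harden Runner step only records outbound connections and blocks nothing, so until the TODO on that line is acted on the step adds visibility but no enforcement; the audit output from the first runs is what yields the endpoint list to put under `allowed-endpoints` when switching to `block`, so that TODO is better tracked as an issue than left as an inline comment. The SHA pin on `uses: step-security/harden-runner@2e205a28…` is the right practice, but without a trailing version comment (e.g. `# vX.Y.Z`, filled in with the release the SHA corresponds to) a reader cannot tell which release it is or notice when it is stale; the existing `actions/checkout` pin on the following context line has the same gap. The `steps:` list of `build_and_test` continues past the end of the hunk, so whether later steps need more than the workflow-level `contents: read` cannot be judged from here.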