From 7f3d8a34e2d850b51782f0900151413b435296d4 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot <bot@stepsecurity.io>
Date: Fri, 19 Sep 2025 08:30:10 -0700
Subject: ci: Harden GitHub Actions [StepSecurity] (#13318)

---
 .github/workflows/main.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to '.github/workflows/main.yml')

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index c49324495..b48a3d32b 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -23,8 +23,13 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository == 'ohmyzsh/ohmyzsh'
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Set up git repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Install zsh
         run: sudo apt-get update; sudo apt-get install zsh
       - name: Check syntax
-- 
cgit v1.2.3-70-g09d2