From c8b66cf36e9e00516fd8cebaf15787ec031f5ae0 Mon Sep 17 00:00:00 2001
From: Niels Lohmann <mail@nlohmann.me>
Date: Mon, 3 Nov 2025 06:33:14 +0100
Subject: [PATCH] :lock: harden runners (#4985)

---
 .github/workflows/flawfinder.yml | 5 +++++
 .github/workflows/semgrep.yml    | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml
index af99d8b09..1791b8c75 100644
--- a/.github/workflows/flawfinder.yml
+++ b/.github/workflows/flawfinder.yml
@@ -26,6 +26,11 @@ jobs:
       contents: read
       security-events: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 74144a017..0559aba97 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -31,6 +31,11 @@ jobs:
     name: Scan
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       # Checkout project source
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0