From 83a1e827d06fb241004279dd93d8000a3f2245b3 Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]"
 <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Mon, 17 Nov 2025 11:20:40 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
---
 .github/workflows/check-upgrades.yml | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/check-upgrades.yml b/.github/workflows/check-upgrades.yml
index 6e9906d4..76c1e9b4 100644
--- a/.github/workflows/check-upgrades.yml
+++ b/.github/workflows/check-upgrades.yml
@@ -6,8 +6,12 @@ on:
       python-version:
         required: true
         type: string
+permissions: {}
+
 jobs:
   check:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
     name: Check (Python ${{ matrix.python-version }})
     runs-on: ubuntu-latest
     strategy:
@@ -16,10 +20,15 @@ jobs:
         python-version: ${{ fromJson(inputs.python-version) }}
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
       - name: Setup Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Check for dependency updates