Apply security best practicesSigned-off-by: StepSecurity Bot <bot@stepsecurity.io>

2026-06-05 18:48:19 +00:00 · 2025-08-10 18:46:29 +00:00
5 changed files with 10 additions and 10 deletions
--- a/.github/workflows/canary.yml
+++ b/.github/workflows/canary.yml
@ -37,13 +37,13 @@ jobs:
        rc: true

    - name: Canary test
-      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:75bdc1c208f62a44394a2d7c2bf0104f97095e2aecb92af0ded573f4d40113c0
      env:
        PAT: ${{ secrets.PAT }}
        canary: true

    - name: Canary TLS test
-      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:75bdc1c208f62a44394a2d7c2bf0104f97095e2aecb92af0ded573f4d40113c0
      env:
        PAT: ${{ secrets.PAT }}
        canary-tls: true
--- a/.github/workflows/code-review.yml
+++ b/.github/workflows/code-review.yml
@ -20,4 +20,4 @@ jobs:
            int.api.stepsecurity.io:443

      - name: Code Review
-        uses: step-security/ai-codewise@int
+        uses: step-security/ai-codewise@ab9fe138367d6094b2df7f8469ddc2c5a79c9cf4 # int
--- a/.github/workflows/recurring-int-tests.yml
+++ b/.github/workflows/recurring-int-tests.yml
@ -18,7 +18,7 @@ jobs:
        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

    - name: Canary test
-      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:75bdc1c208f62a44394a2d7c2bf0104f97095e2aecb92af0ded573f4d40113c0
      env:
        PAT: ${{ secrets.PAT }}
        canary: true
@ -33,7 +33,7 @@ jobs:
        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

    - name: Canary test
-      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:75bdc1c208f62a44394a2d7c2bf0104f97095e2aecb92af0ded573f4d40113c0
      env:
        PAT: ${{ secrets.PAT }}
        canary-tls: true
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -40,7 +40,7 @@ jobs:
        rc: true

    - name: Canary test
-      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:75bdc1c208f62a44394a2d7c2bf0104f97095e2aecb92af0ded573f4d40113c0
      env:
        PAT: ${{ secrets.PAT }}
        canary: true
--- a/.github/workflows/runs-on.yml
+++ b/.github/workflows/runs-on.yml
@ -14,7 +14,7 @@ jobs:
      - image=ubuntu24-stepsecurity-x64
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@rc
+        uses: step-security/harden-runner@97bbed2426f3310cf21ffa4c69621c6307aa8a4e # rc
        with:
          egress-policy: audit
          allowed-endpoints: >
@ -43,7 +43,7 @@ jobs:
      - image=ubuntu24-stepsecurity-x64
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@rc
+        uses: step-security/harden-runner@97bbed2426f3310cf21ffa4c69621c6307aa8a4e # rc
        with:
          egress-policy: block
          allowed-endpoints: >
@ -89,7 +89,7 @@ jobs:
      - image=ubuntu24-stepsecurity-x64
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@rc
+        uses: step-security/harden-runner@97bbed2426f3310cf21ffa4c69621c6307aa8a4e # rc
        with:
          egress-policy: audit
          allowed-endpoints: >
@ -137,7 +137,7 @@ jobs:
      - image=ubuntu24-stepsecurity-x64
    steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@rc
+        uses: step-security/harden-runner@97bbed2426f3310cf21ffa4c69621c6307aa8a4e # rc
        with:
          egress-policy: block
          allowed-endpoints: >