harden-runner/.github/workflows/code-review.yml

name: Code Review
on:
  pull_request:
permissions:
  contents: read
jobs:
  code-review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            int.api.stepsecurity.io:443

      - name: Code Review
        uses: step-security/ai-codewise@int