harden-runner/.github/workflows/code-review.yml

name: Code Review
on:
  pull_request:
permissions:
  contents: read
jobs:
  code-review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            int.api.stepsecurity.io:443

      - name: Code Review
        uses: step-security/ai-codewise@int