From 34e674ea12d39539973577e5a0ee89c5cb15a01f Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Thu, 28 Aug 2025 22:16:30 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot
---
 .github/workflows/lint-pr-title-preview-all.yml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/lint-pr-title-preview-all.yml b/.github/workflows/lint-pr-title-preview-all.yml
index 1e1a34d..735aeb4 100644
--- a/.github/workflows/lint-pr-title-preview-all.yml
+++ b/.github/workflows/lint-pr-title-preview-all.yml
@@ -6,14 +6,21 @@ on:
 - edited
 - synchronize
 
+permissions: {}
+
 jobs:
 main:
 runs-on: ubuntu-latest
 permissions:
 pull-requests: read
 steps:
- - uses: actions/checkout@v5
- - uses: actions/setup-node@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: 24
 - run: yarn install
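Review bot: The added harden-runner step uses `egress-policy: audit`, which only records outbound connections, so the `yarn install` step later in this job can still reach any host while dependency install scripts run. Once a few runs have established the baseline of required hosts (taken from the audit results, not guessed), consider switching to `egress-policy: block` with an explicit `allowed-endpoints` list. The pinned `actions/checkout` step also keeps its default of persisting the job token in the local git config. Adding `persist-credentials: false` under a `with:` key would keep the token away from those install scripts, although it is limited to `pull-requests: read` here. The trigger definition and the rest of the steps list lie outside this hunk, so whether the job checks out untrusted PR code cannot be judged from these lines.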