From fb7cccedb7e09d44ba7d4465cfc40b6816a1e339 Mon Sep 17 00:00:00 2001
From: "stepsecurity-int[bot]"
 <185740846+stepsecurity-int[bot]@users.noreply.github.com>
Date: Thu, 17 Apr 2025 12:16:08 +0000
Subject: [PATCH] Apply security best practicesSigned-off-by: StepSecurity Bot
 <bot@stepsecurity.io>

---
 .github/workflows/canary.yml              | 4 ++--
 .github/workflows/code-review.yml         | 2 +-
 .github/workflows/recurring-int-tests.yml | 4 ++--
 .github/workflows/release.yml             | 2 +-
 .github/workflows/runs-on.yml             | 8 ++++----
 5 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/canary.yml b/.github/workflows/canary.yml
index 1307ee80..c1addaee 100644
--- a/.github/workflows/canary.yml
+++ b/.github/workflows/canary.yml
@@ -37,13 +37,13 @@ jobs:
         rc: true
 
     - name: Canary test
-      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:e21fc4db56cb2953202c27ce8056cfb550322fde4f1dd4711c96e7ab2ff7f170
       env:
         PAT: ${{ secrets.PAT }}
         canary: true
 
     - name: Canary TLS test
-      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:e21fc4db56cb2953202c27ce8056cfb550322fde4f1dd4711c96e7ab2ff7f170
       env:
         PAT: ${{ secrets.PAT }}
         canary-tls: true
diff --git a/.github/workflows/code-review.yml b/.github/workflows/code-review.yml
index 0518582d..fb0f5b24 100644
--- a/.github/workflows/code-review.yml
+++ b/.github/workflows/code-review.yml
@@ -20,4 +20,4 @@ jobs:
             int.api.stepsecurity.io:443
 
       - name: Code Review
-        uses: step-security/ai-codewise@int
+        uses: step-security/ai-codewise@ab9fe138367d6094b2df7f8469ddc2c5a79c9cf4 # int
diff --git a/.github/workflows/recurring-int-tests.yml b/.github/workflows/recurring-int-tests.yml
index 20fc63ab..32207a2b 100644
--- a/.github/workflows/recurring-int-tests.yml
+++ b/.github/workflows/recurring-int-tests.yml
@@ -18,7 +18,7 @@ jobs:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
     - name: Canary test
-      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:e21fc4db56cb2953202c27ce8056cfb550322fde4f1dd4711c96e7ab2ff7f170
       env:
         PAT: ${{ secrets.PAT }}
         canary: true
@@ -33,7 +33,7 @@ jobs:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
     - name: Canary test
-      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:e21fc4db56cb2953202c27ce8056cfb550322fde4f1dd4711c96e7ab2ff7f170
       env:
         PAT: ${{ secrets.PAT }}
         canary-tls: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e27ded9e..010a4462 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -40,7 +40,7 @@ jobs:
         rc: true
 
     - name: Canary test
-      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:e21fc4db56cb2953202c27ce8056cfb550322fde4f1dd4711c96e7ab2ff7f170
       env:
         PAT: ${{ secrets.PAT }}
         canary: true
diff --git a/.github/workflows/runs-on.yml b/.github/workflows/runs-on.yml
index a233b749..87313c62 100644
--- a/.github/workflows/runs-on.yml
+++ b/.github/workflows/runs-on.yml
@@ -14,7 +14,7 @@ jobs:
       - image=ubuntu24-stepsecurity-x64
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@rc
+        uses: step-security/harden-runner@4c8582f45544ce2dafb2cfae82cfbebf0f41bde2 # rc
         with:
           egress-policy: audit
           allowed-endpoints: >
@@ -43,7 +43,7 @@ jobs:
       - image=ubuntu24-stepsecurity-x64
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@rc
+        uses: step-security/harden-runner@4c8582f45544ce2dafb2cfae82cfbebf0f41bde2 # rc
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -89,7 +89,7 @@ jobs:
       - image=ubuntu24-stepsecurity-x64
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@rc
+        uses: step-security/harden-runner@4c8582f45544ce2dafb2cfae82cfbebf0f41bde2 # rc
         with:
           egress-policy: audit
           allowed-endpoints: >
@@ -137,7 +137,7 @@ jobs:
       - image=ubuntu24-stepsecurity-x64
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@rc
+        uses: step-security/harden-runner@4c8582f45544ce2dafb2cfae82cfbebf0f41bde2 # rc
         with:
           egress-policy: block
           allowed-endpoints: >