From 5f88c1a1ea79a572af7c7e9924dd846952a6c74c Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Wed, 18 Jun 2025 17:05:40 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot
---
 .github/workflows/empty-commiter.yml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/empty-commiter.yml b/.github/workflows/empty-commiter.yml
index 5fa8b554..c00605ee 100644
--- a/.github/workflows/empty-commiter.yml
+++ b/.github/workflows/empty-commiter.yml
@@ -1,15 +1,25 @@
 name: empty-commiter
 on:
   push:
+permissions:
+  contents: read
+
 jobs:
   commit:
+    permissions:
+      contents: write # for Git to git push
     runs-on: ubuntu-latest
     env:
       COMMIT_AUTHOR: ${{ github.event.head_commit.author.username }}
     if: github.repository_owner == 'LazerTechnologies'
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
       - name: checkout
-        uses: actions/checkout@v2.3.1
+        uses: actions/checkout@28c7f3d2b5162b5ddd3dfd9a45aa55eaf396478b # v2.3.1
         with:
           submodules: recursive
           fetch-depth: 0
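Review bot: `egress-policy: audit` on the new harden-runner step only records outbound calls and blocks nothing, so the job still runs with unrestricted egress while holding the job-scoped `contents: write`; once an audit run has listed the endpoints the job actually needs, tighten the step to `egress-policy: block` with an `allowed-endpoints:` list, and keep the step first in `steps:` as it is here. The workflow-level `contents: read` with `contents: write` scoped only to the `commit` job is the right shape for a job that pushes. The checkout step is now SHA-pinned but still resolves to v2.3.1, an old major that is presumably out of support; bumping to a current release and re-pinning its SHA is a worthwhile follow-up.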