From 35404783f2a5dd36fa68b53e531f3a701354d8b8 Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Tue, 4 Nov 2025 18:43:18 +0000
Subject: [PATCH 1/7] [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot
---
.github/workflows/commit-lint.yml | 12 ++++++++++--
.github/workflows/npm-publish.yml | 22 ++++++++++++++++------
.github/workflows/pull_request_checks.yml | 9 +++++++--
3 files changed, 33 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/commit-lint.yml b/.github/workflows/commit-lint.yml
index c17dec1..25c363e 100644
--- a/.github/workflows/commit-lint.yml
+++ b/.github/workflows/commit-lint.yml
@@ -4,15 +4,23 @@ on:
pull_request:
branches: [master]

+permissions:
+ contents: read
+
jobs:
commit_lint:
name: "Lint commit messages"
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
with:
fetch-depth: 0
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: 16
- run: yarn install --frozen-lockfile
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index c947caa..743ae6f 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
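Review bot: The pinned `actions/setup-node` step in this hunk still installs `node-version: 16`, a release line that reached end-of-life in September 2023 and no longer receives security fixes, so the hardening stops short of the runtime the lint tooling actually executes on. Since the same version is pinned in `npm-publish.yml`, consider a `.nvmrc` consumed via `node-version-file: .nvmrc` so all workflows move to a supported LTS together; if the SDK must still support Node 16, exercise it in a test matrix rather than running tooling on it. The workflow-level `permissions: contents: read` added here is the right default, but note that a job-level `permissions:` block replaces it wholesale rather than merging with it, so `contents: read` has to be repeated wherever a job declares its own scopes.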
@@ -13,8 +13,13 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-node@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: 16
- run: yarn install --frozen-lockfile
@@ -24,8 +29,13 @@ jobs:
needs: build
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-node@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: 16
registry-url: https://registry.npmjs.com/
@@ -33,13 +43,13 @@ jobs:
- run: yarn run build

- name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
with:
aws-region: us-east-1
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID_PAY }}:role/github-actions-service-role

- name: Read secrets from AWS Secrets Manager into environment variables
- uses: aws-actions/aws-secretsmanager-get-secrets@v2.0.5
+ uses: aws-actions/aws-secretsmanager-get-secrets@98c2d6bf1dd67c2575fa2bb14294aa64103d426c # v2.0.5
with:
secret-ids: |
/prod/circle-nodejs-sdk/npm/automation-token
diff --git a/.github/workflows/pull_request_checks.yml b/.github/workflows/pull_request_checks.yml
index f886c33..2ceabd4 100644
--- a/.github/workflows/pull_request_checks.yml
+++ b/.github/workflows/pull_request_checks.yml
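Review bot: The `publish-npm` job authenticates to npm with a long-lived automation token fetched from Secrets Manager (`/prod/circle-nodejs-sdk/npm/automation-token`) and, per the step name, exported into the job environment where every subsequent step can read it; the step's remaining `with:` inputs and the publish step itself lie past the end of this hunk, so I cannot tell how narrowly the token is consumed. Given that the job already uses OIDC for AWS through `role-to-assume`, npm trusted publishing (`npm publish --provenance` with this workflow registered as the package's trusted publisher, if the package is eligible) would retire the stored token entirely and attach a verifiable provenance attestation. If the token must remain, prefer a granular token scoped to this package and pass it only to the publish step as `NODE_AUTH_TOKEN` rather than to the whole job. Both jobs also keep `node-version: 16`, which is past end-of-life.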
@@ -9,8 +9,13 @@ jobs:
name: "Lint, Build and Test"
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-node@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
- name: Installing dependencies
run: yarn install --frozen-lockfile
- name: Prettier check

From 0757a6319c9924ed8bf3449cefbadbba886a524c Mon Sep 17 00:00:00 2001
From: ali-kafel
Date: Tue, 4 Nov 2025 14:51:23 -0500
Subject: [PATCH 2/7] Update harden-runner: egress-policy to block and add id-token permission

---
.github/workflows/commit-lint.yml | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/commit-lint.yml b/.github/workflows/commit-lint.yml
index 25c363e..41b53b3 100644
--- a/.github/workflows/commit-lint.yml
+++ b/.github/workflows/commit-lint.yml
@@ -11,11 +11,15 @@ jobs:
commit_lint:
name: "Lint commit messages"
runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+
steps:
- - name: Harden the runner (Audit all outbound calls)
+ - name: Harden the runner
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with:
- egress-policy: audit
+ egress-policy: block
+ policy: global-allowed-endpoints-policy

- uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
with:

From 6086b4c550d6d125f1d55deb7aee9878cc5916ad Mon Sep 17 00:00:00 2001
From: ali-kafel
Date: Tue, 4 Nov 2025 14:51:24 -0500
Subject: [PATCH 3/7] Update harden-runner: egress-policy to block and add id-token permission

---
.github/workflows/npm-publish.yml | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 743ae6f..7fe92d3 100644
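Review bot: The pinned `actions/setup-node` step in this hunk carries no `node-version`, so the PR lint/build/test job runs on whatever Node the `ubuntu-latest` image provides, while `npm-publish.yml` builds and publishes on `node-version: 16`; the test run therefore never exercises the runtime the package actually ships from. Add `with:` / `node-version: 16` here, or better a shared `node-version-file: .nvmrc`, so the workflows agree on one version. Unlike `commit-lint.yml`, this patch adds no workflow-level `permissions:` to this file; if none exists above the hunk — the lines before `jobs:` are not visible here — the job runs with the repository's default `GITHUB_TOKEN` scopes and a top-level `permissions: contents: read` is worth adding.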
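Review bot: The job-level `permissions:` block added to `commit_lint` names only `id-token: write`, and GitHub treats a job-level block as a complete replacement of the workflow-level one (every scope not listed becomes `none`), so the `contents: read` granted at the top of `commit-lint.yml` no longer applies to this job; the `actions/checkout` step that follows (with `fetch-depth: 0`, from the earlier patch) now receives a token without contents scope — a public repository may still clone anonymously, but the job no longer runs with the scopes the top-level block declares. Write `permissions:` / `  contents: read` / `  id-token: write` at the job level instead. A one-line comment on why the OIDC token is needed would also help the next reader, e.g. `# id-token: write lets harden-runner fetch the named policy via OIDC` — I am inferring that purpose because nothing else in this job uses OIDC; confirm against the harden-runner docs before adopting the wording.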
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -12,11 +12,15 @@ permissions:
jobs:
build:
runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+
steps:
- - name: Harden the runner (Audit all outbound calls)
+ - name: Harden the runner
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with:
- egress-policy: audit
+ egress-policy: block
+ policy: global-allowed-endpoints-policy

- uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
@@ -28,11 +32,15 @@ jobs:
publish-npm:
needs: build
runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+
steps:
- - name: Harden the runner (Audit all outbound calls)
+ - name: Harden the runner
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with:
- egress-policy: audit
+ egress-policy: block
+ policy: global-allowed-endpoints-policy

- uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0

From 89535013e5a46f5955c46fc7476d0562b686009c Mon Sep 17 00:00:00 2001
From: ali-kafel
Date: Tue, 4 Nov 2025 14:51:26 -0500
Subject: [PATCH 4/7] Update harden-runner: egress-policy to block and add id-token permission

---
.github/workflows/pull_request_checks.yml | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/pull_request_checks.yml b/.github/workflows/pull_request_checks.yml
index 2ceabd4..9277b05 100644
--- a/.github/workflows/pull_request_checks.yml
+++ b/.github/workflows/pull_request_checks.yml
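Review bot: The `build` job now holds `id-token: write` while it runs `yarn install --frozen-lockfile` and `yarn run build` on the checkout (steps visible in the earlier patch), so any dependency lifecycle script in that job can request an OIDC token identifying this repository and workflow; if the trust policy of `github-actions-service-role` conditions only on the repository (`repo:<owner>/<repo>:*`), a compromised dependency in `build` could assume the role that hands out the npm automation token, and an egress allowlist is unlikely to catch it because the same AWS endpoints must already be permitted for `publish-npm` if the two jobs share one named policy. Keep `id-token: write` on `publish-npm` only unless harden-runner's named `policy:` genuinely requires it in `build` (confirm against its docs), and in either case restrict the role's trust condition to this workflow's `job_workflow_ref` or a release `ref:` pattern rather than the bare repository. Both job-level blocks also replace the workflow-level `permissions:` shown in the hunk header, so whatever it grants — its contents are outside the hunk — no longer applies to these jobs; add `contents: read` alongside `id-token: write` if the checkout and publish steps rely on it.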
@@ -8,11 +8,15 @@ jobs:
lint:
name: "Lint, Build and Test"
runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+
steps:
- - name: Harden the runner (Audit all outbound calls)
+ - name: Harden the runner
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with:
- egress-policy: audit
+ egress-policy: block
+ policy: global-allowed-endpoints-policy

- uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0

From 73edc280cc6cd80e2ecd0ddee0d6ba809c99f6b3 Mon Sep 17 00:00:00 2001
From: ali-kafel
Date: Wed, 5 Nov 2025 11:48:06 -0500
Subject: [PATCH 5/7] Update harden-runner to v2.13.2: egress-policy to block and add id-token permission

---
.github/workflows/commit-lint.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/commit-lint.yml b/.github/workflows/commit-lint.yml
index 41b53b3..a8f11e3 100644
--- a/.github/workflows/commit-lint.yml
+++ b/.github/workflows/commit-lint.yml
@@ -16,7 +16,7 @@ jobs:

steps:
- name: Harden the runner
- uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
with:
egress-policy: block
policy: global-allowed-endpoints-policy

From 2951fb3c059790c93f9875f8d787f915bb3e2b13 Mon Sep 17 00:00:00 2001
From: ali-kafel
Date: Wed, 5 Nov 2025 11:48:08 -0500
Subject: [PATCH 6/7] Update harden-runner to v2.13.2: egress-policy to block and add id-token permission

---
.github/workflows/npm-publish.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 7fe92d3..0f1adf4 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
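Review bot: `id-token: write` is granted here to a job triggered by `pull_request` that runs `yarn install --frozen-lockfile` on the PR's checkout, so for same-repository PRs any dependency lifecycle script can mint an OIDC token whose `sub` is `repo:<owner>/<repo>:pull_request` (forked PRs should not be able to obtain the token under GitHub's fork restrictions, so this is a same-repo exposure). That is acceptable only if every cloud trust policy that accepts this repository's OIDC issuer — including the AWS `github-actions-service-role` used by `npm-publish.yml` — conditions on the publishing workflow's `job_workflow_ref` or a release `ref:` pattern and therefore rejects the `pull_request` subject; worth verifying before merging, since the permission is being added for harden-runner's named `policy:` rather than for anything this job does with a cloud provider. As in the other jobs, the job-level block replaces any workflow-level `permissions:`, so add `contents: read` next to `id-token: write` if the checkout step relies on it.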
@@ -17,7 +17,7 @@ jobs:

steps:
- name: Harden the runner
- uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
with:
egress-policy: block
policy: global-allowed-endpoints-policy
@@ -37,7 +37,7 @@ jobs:

steps:
- name: Harden the runner
- uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
with:
egress-policy: block
policy: global-allowed-endpoints-policy

From 3f5a1ac583aa42c63c76a69bb8fb3a7fbb6cd45d Mon Sep 17 00:00:00 2001
From: ali-kafel
Date: Wed, 5 Nov 2025 11:48:10 -0500
Subject: [PATCH 7/7] Update harden-runner to v2.13.2: egress-policy to block and add id-token permission

---
.github/workflows/pull_request_checks.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/pull_request_checks.yml b/.github/workflows/pull_request_checks.yml
index 9277b05..a5d7f76 100644
--- a/.github/workflows/pull_request_checks.yml
+++ b/.github/workflows/pull_request_checks.yml
@@ -13,7 +13,7 @@ jobs:

steps:
- name: Harden the runner
- uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
with:
egress-policy: block
policy: global-allowed-endpoints-policy