From c83b094de8c3c131abb3fd5bfc25a85fe071fc80 Mon Sep 17 00:00:00 2001
From: "stepsecurity-int[bot]"
 <185740846+stepsecurity-int[bot]@users.noreply.github.com>
Date: Thu, 5 Jun 2025 15:24:20 +0000
Subject: [PATCH] Apply security best practicesSigned-off-by: StepSecurity Bot
 <bot@stepsecurity.io>

---
 .github/workflows/canary.yml              | 4 ++--
 .github/workflows/code-review.yml         | 2 +-
 .github/workflows/recurring-int-tests.yml | 4 ++--
 .github/workflows/release.yml             | 2 +-
 .github/workflows/runs-on.yml             | 8 ++++----
 5 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/canary.yml b/.github/workflows/canary.yml
index 1307ee80..f366cb55 100644
--- a/.github/workflows/canary.yml
+++ b/.github/workflows/canary.yml
@@ -37,13 +37,13 @@ jobs:
         rc: true
 
     - name: Canary test
-      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:63d9fc09c6cb655d046e7e89d3d6ef1117e103713f540c6bc4bc1b822be54333
       env:
         PAT: ${{ secrets.PAT }}
         canary: true
 
     - name: Canary TLS test
-      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:63d9fc09c6cb655d046e7e89d3d6ef1117e103713f540c6bc4bc1b822be54333
       env:
         PAT: ${{ secrets.PAT }}
         canary-tls: true
diff --git a/.github/workflows/code-review.yml b/.github/workflows/code-review.yml
index 0518582d..fb0f5b24 100644
--- a/.github/workflows/code-review.yml
+++ b/.github/workflows/code-review.yml
@@ -20,4 +20,4 @@ jobs:
             int.api.stepsecurity.io:443
 
       - name: Code Review
-        uses: step-security/ai-codewise@int
+        uses: step-security/ai-codewise@ab9fe138367d6094b2df7f8469ddc2c5a79c9cf4 # int
diff --git a/.github/workflows/recurring-int-tests.yml b/.github/workflows/recurring-int-tests.yml
index 20fc63ab..4b7adc8c 100644
--- a/.github/workflows/recurring-int-tests.yml
+++ b/.github/workflows/recurring-int-tests.yml
@@ -18,7 +18,7 @@ jobs:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
     - name: Canary test
-      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:63d9fc09c6cb655d046e7e89d3d6ef1117e103713f540c6bc4bc1b822be54333
       env:
         PAT: ${{ secrets.PAT }}
         canary: true
@@ -33,7 +33,7 @@ jobs:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
     - name: Canary test
-      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:63d9fc09c6cb655d046e7e89d3d6ef1117e103713f540c6bc4bc1b822be54333
       env:
         PAT: ${{ secrets.PAT }}
         canary-tls: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e27ded9e..a2b4dbc3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -40,7 +40,7 @@ jobs:
         rc: true
 
     - name: Canary test
-      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:63d9fc09c6cb655d046e7e89d3d6ef1117e103713f540c6bc4bc1b822be54333
       env:
         PAT: ${{ secrets.PAT }}
         canary: true
diff --git a/.github/workflows/runs-on.yml b/.github/workflows/runs-on.yml
index a233b749..3e715041 100644
--- a/.github/workflows/runs-on.yml
+++ b/.github/workflows/runs-on.yml
@@ -14,7 +14,7 @@ jobs:
       - image=ubuntu24-stepsecurity-x64
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@rc
+        uses: step-security/harden-runner@fa70c45ca9a73bcef023a3e6afac49ffa3007480 # rc
         with:
           egress-policy: audit
           allowed-endpoints: >
@@ -43,7 +43,7 @@ jobs:
       - image=ubuntu24-stepsecurity-x64
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@rc
+        uses: step-security/harden-runner@fa70c45ca9a73bcef023a3e6afac49ffa3007480 # rc
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -89,7 +89,7 @@ jobs:
       - image=ubuntu24-stepsecurity-x64
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@rc
+        uses: step-security/harden-runner@fa70c45ca9a73bcef023a3e6afac49ffa3007480 # rc
         with:
           egress-policy: audit
           allowed-endpoints: >
@@ -137,7 +137,7 @@ jobs:
       - image=ubuntu24-stepsecurity-x64
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@rc
+        uses: step-security/harden-runner@fa70c45ca9a73bcef023a3e6afac49ffa3007480 # rc
         with:
           egress-policy: block
           allowed-endpoints: >