From 10f88f31b5f20f738bc672c64cb448ed8f02b2a4 Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Tue, 21 Apr 2026 21:25:24 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot
---
 .github/workflows/nix.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
index 5cd6cfd..f0fad1b 100644
--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@@ -16,6 +16,11 @@ jobs:
 runs-on: ${{ matrix.os }}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
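Review bot: `egress-policy: audit` on the added harden-runner step only records outbound connections; it does not stop a compromised action or build script from reaching an arbitrary host, so this step provides detection but no prevention. Once the audit runs have produced a baseline for this job, switch the step to `egress-policy: block` with an `allowed-endpoints:` list taken from that baseline. Until then, add a comment above the step such as `# audit only: logs egress, does not block; move to block once endpoints are known`. The job runs on `${{ matrix.os }}` and the matrix is defined outside the hunk, so confirm that the monitoring takes effect on every OS in it and does not silently do nothing on non-Linux runners.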