From 100cc3e03ac1cef53bc9cf65a9371d6e8a89ae64 Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]"
 <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Thu, 12 Jun 2025 00:00:12 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
---
 .github/workflows/test.yml | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index fa405fc..ebe8f8e 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -13,12 +13,17 @@ jobs:
     name: Run Forge Tests and Checks 
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           submodules: recursive
 
       - name: Install Foundry
-        uses: foundry-rs/foundry-toolchain@v1
+        uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de # v1.4.0
         with:
           version: nightly
 
@@ -42,12 +47,17 @@ jobs:
       name: Run Coverage Reporting
       runs-on: ubuntu-latest
       steps:
-        - uses: actions/checkout@v3
+        - name: Harden the runner (Audit all outbound calls)
+          uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+          with:
+            egress-policy: audit
+
+        - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
           with:
             submodules: recursive
 
         - name: Install Foundry
-          uses: foundry-rs/foundry-toolchain@v1
+          uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de # v1.4.0
           with:
             version: nightly
 
@@ -68,7 +78,7 @@ jobs:
             lcov --remove ./lcov.info -o ./lcov-filtered.info 'test/*' 'script/*'
 
         - name: Submit coverage to Coveralls
-          uses: coverallsapp/github-action@master
+          uses: coverallsapp/github-action@09b709cf6a16e30b0808ba050c7a6e8a5ef13f8d # master
           with:
             github-token: ${{ secrets.GITHUB_TOKEN }}
             path-to-lcov: ./lcov-filtered.info
@@ -80,7 +90,12 @@ jobs:
     if: ${{ always() }}
     runs-on: ubuntu-latest
     steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+      with:
+        egress-policy: audit
+
     - name: Coveralls Finished
-      uses: coverallsapp/github-action@v2
+      uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6
       with:
         parallel-finished: true