vexxhost · stepsecurity-app · Mar 5, 2026 · Mar 6, 2026
diff --git a/.github/workflows/cargo.yml b/.github/workflows/cargo.yml
@@ -12,10 +12,15 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      - uses: rui314/setup-mold@v1
+      - uses: rui314/setup-mold@725a8794d15fc7563f59595bd9556495c0564878 # v1
       - uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9
-      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+      - uses: step-security/rust-cache@9be15b830520fab0ec3939586e917e4855cf76bd # v2.8.3
       - run: rustup show
       - run: |
           curl -L -s https://github.com/prometheus/prometheus/releases/download/v${PROMTOOL_VERSION}/prometheus-${PROMTOOL_VERSION}.linux-amd64.tar.gz |\
@@ -32,10 +37,15 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      - uses: rui314/setup-mold@v1
+      - uses: rui314/setup-mold@725a8794d15fc7563f59595bd9556495c0564878 # v1
       - uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9
-      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+      - uses: step-security/rust-cache@9be15b830520fab0ec3939586e917e4855cf76bd # v2.8.3
       - run: rustup show
       - run: cargo clippy --workspace -- -D warnings
         env:

diff --git a/.github/workflows/image.yml b/.github/workflows/image.yml
@@ -25,6 +25,9 @@ on:
         required: false
         default: false
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -34,7 +37,12 @@ jobs:
       packages: write
       security-events: write
     steps:
-      - uses: vexxhost/github-actions/build-docker-image@main
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+        with:
+          egress-policy: audit
+
+      - uses: vexxhost/github-actions/build-docker-image@377e35d3a5c570338901d9e0edf48bcf86c7c9ef # main
         id: build
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -55,6 +63,11 @@ jobs:
       contents: write
       security-events: write
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+        with:
+          egress-policy: audit
+
       - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
         with:
           image-ref: ${{ needs.image.outputs.image_name }}

diff --git a/.github/workflows/nix-image.yaml b/.github/workflows/nix-image.yaml
@@ -27,7 +27,12 @@ jobs:
     runs-on: ubuntu-24.04
     timeout-minutes: 10
     steps:
-      - uses: vexxhost/github-actions/nix-image@main
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+        with:
+          egress-policy: audit
+
+      - uses: vexxhost/github-actions/nix-image@377e35d3a5c570338901d9e0edf48bcf86c7c9ef # main
         id: build
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -40,7 +45,12 @@ jobs:
     runs-on: ubuntu-24.04-arm
     timeout-minutes: 10
     steps:
-      - uses: vexxhost/github-actions/nix-image@main
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+        with:
+          egress-policy: audit
+
+      - uses: vexxhost/github-actions/nix-image@377e35d3a5c570338901d9e0edf48bcf86c7c9ef # main
         id: build
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -59,12 +69,17 @@ jobs:
       id-token: write
       packages: write
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+        with:
+          egress-policy: audit
+
       - uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         id: meta
         with:
           images: ${{ needs.amd64.outputs.image-name }}
           tags: ${{ inputs.tags }}
-      - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+      - uses: step-security/docker-login-action@c3e677aae8393bc9c81cfdf9709648720ea4bd4d # v3.6.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

diff --git a/build-docker-image/action.yml b/build-docker-image/action.yml
@@ -36,8 +36,8 @@ runs:
       with:
         images: ${{ inputs.image-ref }}
         tags: ${{ inputs.tags }}
-    - uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0
-    - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+    - uses: step-security/depot-setup-action@f5473e0857ae0042e260d41d027c9b23ac531127 # v1.6.1
+    - uses: step-security/docker-login-action@c3e677aae8393bc9c81cfdf9709648720ea4bd4d # v3.6.0
       if: ${{ inputs.push == 'true' }}
       with:
         registry: ghcr.io
@@ -61,7 +61,7 @@ runs:
       with:
         msg: ${{ fromJSON(steps.build.outputs.metadata)['image.name'] }}
         separator: ","
-    - uses: vexxhost/github-actions/scan-image@main
+    - uses: vexxhost/github-actions/scan-image@377e35d3a5c570338901d9e0edf48bcf86c7c9ef # main
       with:
         image-ref: ${{ steps.split.outputs._0 }}
         fail-on-vulnerability: ${{ inputs.push == 'true' && 'false' || 'true' }}

diff --git a/nix-image/action.yaml b/nix-image/action.yaml
@@ -14,11 +14,11 @@ runs:
   using: "composite"
   steps:
     - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-    - uses: DeterminateSystems/nix-installer-action@v17
+    - uses: DeterminateSystems/nix-installer-action@21a544727d0c62386e78b4befe52d19ad12692e3 # v17
       with:
         determinate: true
     - uses: DeterminateSystems/flakehub-cache-action@146f476c94460cb634f9ade79470fcbc3f7e5b36 # v1
-    - uses: DeterminateSystems/flake-checker-action@v9
+    - uses: DeterminateSystems/flake-checker-action@078f5f7f47ee188aa6cb472527ca5984e195222d # v9
     - shell: bash
       run: nix build .#dockerImage
     - shell: bash
@@ -32,7 +32,7 @@ runs:
         images: ${{ steps.image-info.outputs.name }}
         tags: |
           type=sha,suffix=-${{ steps.image-info.outputs.arch }}
-    - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+    - uses: step-security/docker-login-action@c3e677aae8393bc9c81cfdf9709648720ea4bd4d # v3.6.0
       if: ${{ inputs.push == 'true' }}
       with:
         registry: ghcr.io