From cfdb2532c6dc4b45d2407e064d5793da25f0d0cf Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Fri, 22 May 2026 00:55:24 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices
Signed-off-by: StepSecurity Bot
---
 .github/workflows/dependabot-auto-merge.yml | 2 +-
 .github/workflows/dependabot-rebase-conflicts.yml | 2 +-
 .github/workflows/pr-name-validation.yml | 5 ++++-
 .github/workflows/release.yml | 4 ++--
 4 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index 65d0aa7..4de97da 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -11,7 +11,7 @@ permissions: jobs: auto-merge: - runs-on: ubuntu-latest + runs-on: cx-public-ubuntu-x64 if: github.event.pull_request.user.login == 'dependabot[bot]' steps: - name: Fetch dependabot metadata
diff --git a/.github/workflows/dependabot-rebase-conflicts.yml b/.github/workflows/dependabot-rebase-conflicts.yml
index b56ec2d..7fbf340 100644
--- a/.github/workflows/dependabot-rebase-conflicts.yml
+++ b/.github/workflows/dependabot-rebase-conflicts.yml
@@ -16,7 +16,7 @@ permissions: jobs: rebase-conflicts: - runs-on: ubuntu-latest + runs-on: cx-public-ubuntu-x64 steps: - name: Rebase conflicting Dependabot PRs run: |
diff --git a/.github/workflows/pr-name-validation.yml b/.github/workflows/pr-name-validation.yml
index a39fa29..8304fa5 100644
--- a/.github/workflows/pr-name-validation.yml
+++ b/.github/workflows/pr-name-validation.yml
@@ -6,9 +6,12 @@ on: push: branches: main # check how it can be always the default, either master or main or whatever +permissions: + contents: read + jobs: validate_jira_key: - runs-on: ubuntu-latest + runs-on: cx-public-ubuntu-x64 steps: - name: Validate Jira Key if: ${{ github.event_name != 'push' }}
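Review bot: The `runs-on: cx-public-ubuntu-x64` change in this hunk (repeated in dependabot-rebase-conflicts.yml, pr-name-validation.yml and both release.yml hunks) is not explained by the commit message and is not one of the StepSecurity hardening items the commit otherwise applies (the `permissions` block and the SHA pin are). If `cx-public-ubuntu-x64` names a self-hosted or organisation runner pool, jobs that run for pull requests — this one is gated only on `github.event.pull_request.user.login == 'dependabot[bot]'`, and its trigger block lies outside the hunk — would execute on that infrastructure, which matters if the repository is public and the pool is shared. A one-line comment on the runner line would remove the ambiguity for the next reader, e.g. `runs-on: cx-public-ubuntu-x64  # <hosted or self-hosted?> runner pool, see <RUNNER_POOL_DOC>`. Note also that a bare custom label has no fallback: if the pool is offline these jobs queue instead of falling back to `ubuntu-latest`.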
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 632a748..949493a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,7 +10,7 @@ on: jobs: tag-and-release: if: github.event.pull_request.merged == true - runs-on: ubuntu-latest + runs-on: cx-public-ubuntu-x64 steps: - name: Checkout the repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -53,7 +53,7 @@ jobs: git push origin $new_tag - name: Create release from tag - uses: actions/create-release@v1 + uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token with:
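Review bot: The `tag-and-release` job has no visible `permissions` block, and the hunk header's `on:` context suggests no top-level `permissions:` key precedes `jobs:` at line 10, so the job appears to rely on the repository's default `GITHUB_TOKEN` permissions; the same commit adds `permissions: contents: read` to pr-name-validation.yml but leaves this workflow, which pushes tags (`git push origin $new_tag` in the next hunk) and creates releases, implicit. Declaring the requirement at job level — `permissions:` / `  contents: write` under `tag-and-release:` — documents why write access is needed and keeps the job working if the repository default is later tightened to read-only. A job-level block could sit further down the job, outside this hunk; if one exists, disregard this.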
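Review bot: Pinning `actions/create-release` to a full commit SHA is the right move, but that action's upstream repository is archived and no longer maintained, so the pin freezes code that will not receive fixes; that deserves a comment on the `uses:` line, e.g. `# archived upstream; pinned at v1.1.4 — plan migration to gh release create`. The `git push origin $new_tag` step just above already runs with `GITHUB_TOKEN`, so the release could be created in the same shell step with the GitHub CLI (`gh release create "$new_tag"`) if `gh` is available on the `cx-public-ubuntu-x64` runner — it is preinstalled on GitHub-hosted images, but the diff does not show whether this label is one. The enclosing step continues past the end of the hunk (`with:` is its last visible line).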