From ae825ff0f9e2ffbcd058019e3875f18746288187 Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]"
 <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Thu, 26 Feb 2026 18:37:19 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
---
 .github/workflows/c-cpp.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/c-cpp.yml b/.github/workflows/c-cpp.yml
index fbf32ec92..3eabb8527 100644
--- a/.github/workflows/c-cpp.yml
+++ b/.github/workflows/c-cpp.yml
@@ -6,13 +6,21 @@ on:
   pull_request:
     branches: [ "master" ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
 
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v4
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
     - name: configure
       run: ./configure
     - name: make