From c54a037bda9a101f7ca95cfa5cae4935b7e66f4e Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Mon, 2 Mar 2026 09:36:04 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot
---
 .github/workflows/matrix-example.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/matrix-example.yml b/.github/workflows/matrix-example.yml
index f4882d8..07d8d61 100644
--- a/.github/workflows/matrix-example.yml
+++ b/.github/workflows/matrix-example.yml
@@ -60,6 +60,11 @@ jobs:
 needs: [changed-files]
 if: contains(needs.changed-files.outputs.matrix, 'README.md') # Conditional check for README
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+ with:
+ egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Execute Conditional Logic
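Review bot: The added harden-runner step sets `egress-policy: audit`, which only records outbound connections from the runner and does not stop any of them, so on its own this step gives visibility rather than containment. Once a few runs have established the destinations this job legitimately contacts, change it to `egress-policy: block` with an `allowed-endpoints:` list built from those observations, and add a short comment above the step saying audit mode is a temporary baseline. The patch inserts the step only in this job (its definition starts above the hunk); the `changed-files` job it depends on is not touched here, so if that job does not already start with the same step its network activity stays unmonitored.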