From 7998ce522d49e2940b704c47d3aa8f24b0ee162f Mon Sep 17 00:00:00 2001
From: Mark Ridgwell
Date: Sun, 7 Apr 2024 15:42:41 +0000
Subject: [PATCH] [Actions] Updated .github/workflows/on-pr-closed.yml

---
 .github/workflows/on-pr-closed.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/.github/workflows/on-pr-closed.yml b/.github/workflows/on-pr-closed.yml
index d1f6ccea..f7a83dd4 100644
--- a/.github/workflows/on-pr-closed.yml
+++ b/.github/workflows/on-pr-closed.yml
@@ -9,6 +9,23 @@ jobs:
 cleanup-cache:
 runs-on: ubuntu-latest
 steps:
+ - name: "Harden Security"
+ uses: step-security/harden-runner@v2.7.0
+ with:
+ egress-policy: audit
+ disable-sudo: true
+ allowed-endpoints: >
+ api.github.com:443
+ api.osv.dev:443
+ api.securityscorecards.dev:443
+ codeload.github.com:443
+ fulcio.sigstore.dev:443
+ github.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
+ www.bestpractices.dev:443
+
 - name: "Install extensions"
 run: gh extension install actions/gh-actions-cache
 env:
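Review bot: The `allowed-endpoints` list added in this hunk has no enforcing effect while `egress-policy: audit` is set, because audit mode only reports outbound connections; if the list is meant to be the policy, the step should use `egress-policy: block` once an audit run has confirmed the list is complete. The list itself looks copied from a scorecard/OSSF-style workflow (osv.dev, sigstore, bestpractices.dev, oss-fuzz logs), whereas the visible steps of this job only install a gh extension and work against GitHub, so the endpoints beyond `api.github.com:443`, `github.com:443` and possibly `codeload.github.com:443` are presumably unneeded and should be trimmed before switching to block mode. The action is pinned by mutable tag `@v2.7.0`; pinning to the full commit SHA, e.g. `uses: step-security/harden-runner@<full-commit-sha-for-v2.7.0> # v2.7.0`, keeps the step from changing under the workflow if the tag is moved. The remaining steps of cleanup-cache continue outside the hunk.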