step-security-bot
diff --git a/‎.github/dependabot.yml
+15 b/‎.github/dependabot.yml
+15
diff --git a/‎.github/workflows/codeql-analysis.yml
+5 b/‎.github/workflows/codeql-analysis.yml
+5
diff --git a/‎.github/workflows/dependency-review.yml
+5 b/‎.github/workflows/dependency-review.yml
+5
diff --git a/‎.github/workflows/dispatch_analytics.yml
+5 b/‎.github/workflows/dispatch_analytics.yml
+5
diff --git a/‎.github/workflows/label_pr_on_title.yml
+5 b/‎.github/workflows/label_pr_on_title.yml
+5
diff --git a/‎.github/workflows/layer_rename.yml
+13 b/‎.github/workflows/layer_rename.yml
+13
diff --git a/‎.github/workflows/on_closed_issues.yml
+5 b/‎.github/workflows/on_closed_issues.yml
+5
diff --git a/‎.github/workflows/on_label_added.yml
+5 b/‎.github/workflows/on_label_added.yml
+5
diff --git a/‎.github/workflows/on_merged_pr.yml
+5 b/‎.github/workflows/on_merged_pr.yml
+5
diff --git a/‎.github/workflows/on_opened_pr.yml
+10 b/‎.github/workflows/on_opened_pr.yml
+10
diff --git a/‎.github/workflows/on_pr_updates.yml
+5 b/‎.github/workflows/on_pr_updates.yml
+5
diff --git a/‎.github/workflows/ossf_scorecard.yml
+5 b/‎.github/workflows/ossf_scorecard.yml
+5
diff --git a/‎.github/workflows/pre-release.yml
+25 b/‎.github/workflows/pre-release.yml
+25
diff --git a/‎.github/workflows/publish_v2_layer.yml
+15 b/‎.github/workflows/publish_v2_layer.yml
+15
diff --git a/‎.github/workflows/publish_v3_layer.yml
+15 b/‎.github/workflows/publish_v3_layer.yml
+15
diff --git a/‎.github/workflows/quality_check.yml
+5 b/‎.github/workflows/quality_check.yml
+5
diff --git a/‎.github/workflows/record_pr.yml
+5 b/‎.github/workflows/record_pr.yml
+5
diff --git a/‎.github/workflows/release-drafter.yml
+5 b/‎.github/workflows/release-drafter.yml
+5
@@ -87,3 +87,18 @@ updates:
       layer-balancer:
         patterns:
           - "*"
+
+  - package-ecosystem: pip
+    directory: /tests/performance/data_masking/load_test_data_masking/pt-load-test-stack/function_1024
+    schedule:
+      interval: daily
+
+  - package-ecosystem: pip
+    directory: /tests/performance/data_masking/load_test_data_masking/pt-load-test-stack/function_128
+    schedule:
+      interval: daily
+
+  - package-ecosystem: pip
+    directory: /tests/performance/data_masking/load_test_data_masking/pt-load-test-stack/function_1769
+    schedule:
+      interval: daily
@@ -27,6 +27,11 @@ jobs:
       actions: read
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
 
 
@@ -16,6 +16,11 @@ jobs:
   dependency-review:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: 'Checkout Repository'
         uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       - name: 'Dependency Review'
 
@@ -42,6 +42,11 @@ jobs:
       security-events: read
       statuses: read
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
         with:
 
@@ -49,6 +49,11 @@ jobs:
     permissions:
       pull-requests: write  # label respective PR
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
       - name: "Label PR based on title"
 
@@ -37,6 +37,9 @@ on:
 name: Layer Rename
 run-name: Layer Rename - ${{ inputs.environment }}
 
+permissions:
+  contents: read
+
 jobs:
   download:
     runs-on: ubuntu-latest
@@ -53,6 +56,11 @@ jobs:
           - AWSLambdaPowertoolsPythonV3-python312
     environment: layer-prod
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
@@ -125,6 +133,11 @@ jobs:
           - "us-west-2"
     environment: layer-${{ inputs.environment }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Download Zip
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
 
@@ -21,6 +21,11 @@ jobs:
       permissions:
           issues: write  # comment on issues
       steps:
+          - name: Harden Runner
+            uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+            with:
+              egress-policy: audit
+
           - uses: aws-actions/closed-issue-message@80edfc24bdf1283400eb04d20a8a605ae8bf7d48
             with:
                 repo-token: "${{ secrets.GITHUB_TOKEN }}"
 
@@ -47,6 +47,11 @@ jobs:
     permissions:
       pull-requests: write  # comment on PR
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
       # Maintenance: Persist state per PR as an artifact to avoid spam on label add
       - name: "Suggest split large Pull Request"
 
@@ -49,6 +49,11 @@ jobs:
       issues: write         # label issue with pending-release
     if: needs.get_pr_details.outputs.prIsMerged == 'true'
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
       - name: "Label PR related issue for release"
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 
@@ -47,6 +47,11 @@ jobs:
     needs: get_pr_details
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
       - name: "Ensure related issue is present"
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
@@ -66,6 +71,11 @@ jobs:
     permissions:
       pull-requests: write  # label and comment on PR if missing acknowledge section (requirement)
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
       - name: "Ensure acknowledgement section is present"
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 
@@ -29,6 +29,11 @@ jobs:
   check-requirements:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Block if it doesn't minimum requirements
         if: contains(github.event.pull_request.labels.*.name, 'do-not-merge')
         run: |
 
@@ -21,6 +21,11 @@ jobs:
       id-token: write  # confirm org+repo identity before publish results
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: "Checkout code"
         uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
 
@@ -61,6 +61,11 @@ jobs:
       # NOTE: Different from prod release, we need both poetry and source code available in earlier steps to bump and verify.
 
       # We use a pinned version of Poetry to be certain it won't modify source code before we create a hash
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Install poetry
         run: |
           pipx install git+https://github.com/python-poetry/poetry@68b88e5390720a3dd84f02940ec5200bfce39ac6 # v1.5.0
@@ -110,6 +115,11 @@ jobs:
       contents: read
     steps:
       # NOTE: we need actions/checkout to configure git first (pre-commit hooks in make dev)
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
         with:
           ref: ${{ env.RELEASE_COMMIT }}
@@ -151,6 +161,11 @@ jobs:
       attestation_hashes: ${{ steps.encoded_hash.outputs.attestation_hashes }}
     steps:
       # NOTE: we need actions/checkout to configure git first (pre-commit hooks in make dev)
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
         with:
           ref: ${{ env.RELEASE_COMMIT }}
@@ -220,6 +235,11 @@ jobs:
       RELEASE_VERSION: ${{ needs.seal.outputs.RELEASE_VERSION }}
     steps:
       # NOTE: we need actions/checkout in order to use our local actions (e.g., ./.github/actions)
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
         with:
           ref: ${{ env.RELEASE_COMMIT }}
@@ -244,6 +264,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # NOTE: we need actions/checkout to authenticate and configure git first
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
         with:
           ref: ${{ env.RELEASE_COMMIT }}
 
@@ -87,6 +87,11 @@ jobs:
       run:
         working-directory: ./layer
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: checkout
         uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
         with:
@@ -246,6 +251,11 @@ jobs:
       id-token: none
       pages: none
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Checkout repository # reusable workflows start clean, so we need to checkout again
         uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
         with:
@@ -292,6 +302,11 @@ jobs:
     outputs:
       DOCS_ALIAS: ${{ steps.set-alias.outputs.DOCS_ALIAS }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Set docs alias
         id: set-alias
         run: |
 
@@ -90,6 +90,11 @@ jobs:
       run:
         working-directory: ./layer_v3
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: checkout
         uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
         with:
@@ -244,6 +249,11 @@ jobs:
       id-token: none
       pages: none
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Checkout repository # reusable workflows start clean, so we need to checkout again
         uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
         with:
@@ -290,6 +300,11 @@ jobs:
     outputs:
       DOCS_ALIAS: ${{ steps.set-alias.outputs.DOCS_ALIAS }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Set docs alias
         id: set-alias
         run: |
 
@@ -52,6 +52,11 @@ jobs:
     permissions:
       contents: read  # checkout code only
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
       - name: Install poetry
         run: pipx install poetry
 
@@ -46,6 +46,11 @@ jobs:
     permissions:
       contents: read  # NOTE: treat as untrusted location
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938  # v4.2.0
       - name: "Extract PR details"
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 
@@ -27,6 +27,11 @@ jobs:
     permissions:
       contents: write  # create release in draft mode
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348 # v5.20.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}