From ba6a4201ce0994b9be3256fcde2af808834a63ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20Gr=C3=B8ndahl?=
Date: Wed, 25 Mar 2026 16:07:50 +0100
Subject: [PATCH] ci: add harden-runner to all workflows
---
 .github/workflows/pr-quality.yml | 5 +++++
 .github/workflows/update-cli-docs.yml | 5 +++++
 2 files changed, 10 insertions(+)
diff --git a/.github/workflows/pr-quality.yml b/.github/workflows/pr-quality.yml
index f229a7b..78cf7c2 100644
--- a/.github/workflows/pr-quality.yml
+++ b/.github/workflows/pr-quality.yml
@@ -15,6 +15,11 @@ jobs:
 permissions:
 pull-requests: read
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Check PR title follows Conventional Commit format
 uses: amannn/action-semantic-pull-request@v6
 env:
diff --git a/.github/workflows/update-cli-docs.yml b/.github/workflows/update-cli-docs.yml
index ab8a36e..fa3f09f 100644
--- a/.github/workflows/update-cli-docs.yml
+++ b/.github/workflows/update-cli-docs.yml
@@ -17,6 +17,11 @@ jobs:
 update-docs:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Determine CLI tag
 id: tag
 run: |
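Review bot: `egress-policy: audit` in the added Harden Runner step only records outbound connections and blocks none of them, so the step adds visibility but no enforcement; the second hunk adds the same setting to update-cli-docs.yml. I would record the intent next to the setting with a comment such as `# audit only: switch to egress-policy: block with allowed-endpoints once the observed baseline is reviewed`. The new step is pinned to a full commit SHA, but the next step in the same job still uses the mutable tag `amannn/action-semantic-pull-request@v6`; pinning it the same way (`@<full-commit-sha> # v6`) would keep the job consistent. The job's definition starts and continues outside the hunk, so the workflow trigger is not visible here.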
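Review bot: The `update-docs` job shows no job-level `permissions:` key between `runs-on:` and `steps:`, whereas the pr-quality job in the first hunk restricts its token to `pull-requests: read`. If the workflow does not set `permissions:` at the top level (lines 1–16 are outside the hunk), the job's GITHUB_TOKEN falls back to the repository default, which Harden Runner in audit mode does nothing to narrow. I would add a `permissions:` block that starts from `contents: read` and lists only the scopes the later steps actually use. The steps after `Determine CLI tag` are outside the hunk, so the exact scopes need to be confirmed against them.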