From 21078fbf064036a6d30218f340b8806309a348df Mon Sep 17 00:00:00 2001
From: Jonathan Hartman <208858388+cx-jonathan-hartman@users.noreply.github.com>
Date: Fri, 5 Jun 2026 15:54:52 -0700
Subject: [PATCH] Install Harden Runner in the release workflow

macOS is the only GitHub runner platform that can't be custom-built with it preinstalled. Use the installer action in this case.
---
 .github/workflows/release.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5ed3bb8d..c56c1678 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -40,6 +40,11 @@ jobs:
       COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
       COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
     steps:
+      - name: Install Harden Runner
+        uses: checkmarx/harden-runner-action@9af89fc71515a100421586dfdb3dc9c984fbf411 #v2.19.4
+        with:
+          use-policy-store: true
+          api-key: ${{ secrets.STEP_SECURITY_API_KEY }}
       - name: Checkout
         uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4.0.0
         with:
@@ -193,4 +198,4 @@ jobs:
     with:
       cli_version: ${{ inputs.tag }}
     secrets: inherit
-
\ No newline at end of file
+
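Review bot: The new Harden Runner step sets `use-policy-store: true` but no `egress-policy`, so nothing in the repository records whether this release job — which, per the surrounding context lines, is handed the cosign signing secrets — runs in audit or block mode, and a reviewer of the workflow cannot tell from the diff. If the policy store is intended to supply block mode, add a comment above the step such as `# Egress policy (block mode + allowed endpoints) is maintained in the StepSecurity policy store, not in this file`; otherwise pin it here with `egress-policy: block` and an explicit `allowed-endpoints` list so the control is reviewable alongside the code. Placing the step before `actions/checkout` is correct, since the monitor must be running before any repository content is fetched. The job header and its `runs-on` are outside the hunk, so whether this is the macOS runner named in the commit message cannot be confirmed from here, and the remaining steps continue past the hunk.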