1 files changed, 14 insertions, 5 deletions

diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
index 188a4c7..eaa04cd 100644
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@@ -9,6 +9,7 @@
 
 name: CIFuzz
 on:
+  merge_group:
   pull_request:
     types: [opened, reopened, synchronize]
     paths:
@@ -19,7 +20,10 @@ on:
       - '**CMakeLists.txt'
       - .github/workflows/fuzz.yml
 
-concurrency: 
+permissions:
+  contents: read
+
+concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
@@ -27,8 +31,13 @@ jobs:
   fuzzing:
     runs-on: ubuntu-latest
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+      with:
+        egress-policy: audit
+
     - name: Checkout source
-      uses: actions/checkout@v2
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       id: checkout
       with:
         # The build_fuzzers action checks out the code to the storage/libjxl
@@ -38,18 +47,18 @@ jobs:
         submodules: true
     - name: Build Fuzzers
       id: build
-      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
+      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@71ecd5d4e4bf9a6edc19c9fa6d2422fb528bca4f # master
       with:
         oss-fuzz-project-name: 'libjxl'
         language: c++
     - name: Run Fuzzers
-      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@71ecd5d4e4bf9a6edc19c9fa6d2422fb528bca4f # master
       with:
         oss-fuzz-project-name: 'libjxl'
         language: c++
         fuzz-seconds: 600
     - name: Upload Crash
-      uses: actions/upload-artifact@v1
+      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
       if: failure() && steps.build.outcome == 'success'
       with:
         name: artifacts