diff --git a/.github/workflows/rubocop.yaml b/.github/workflows/rubocop.yaml index 1b36e3b6..8aeaec00 100644 --- a/.github/workflows/rubocop.yaml +++ b/.github/workflows/rubocop.yaml @@ -1,5 +1,8 @@ on: - push +permissions: + contents: read + jobs: rubocop: runs-on: ubuntu-latest @@ -9,9 +12,14 @@ jobs: ruby: ['3.2.1'] steps: - - uses: actions/checkout@v2 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@a4effe49ee8ee5b8b5091268c473a4628afb5651 # v1.245.0 with: ruby-version: ${{ matrix.ruby }} bundler-cache: true diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 25f72f74..67a5618e 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -1,12 +1,20 @@ --- on: - push +permissions: + contents: read + jobs: tests_job: runs-on: ubuntu-latest name: Automated Tests steps: - - uses: actions/checkout@v1 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + + - uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # v1.2.0 - name: Build Salus run: docker build -t salus-local . - name: Run salus
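Review bot: In the second hunk of `.github/workflows/rubocop.yaml`, the new harden-runner step uses `egress-policy: audit`, which records outbound connections but blocks none of them, so a tampered dependency pulled in by the later steps (for example through `bundler-cache: true`) could still reach arbitrary hosts. Once a few runs have produced a baseline, switch to `egress-policy: block` with an `allowed-endpoints:` list built from it; until then, a comment such as `# TODO: switch to egress-policy: block once the endpoint baseline is reviewed` would make the interim state explicit. The same setting is added to the harden-runner step in `.github/workflows/tests.yaml`, where `docker build` also pulls from the network. The `steps:` list continues past the end of this hunk.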
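Review bot: In `.github/workflows/tests.yaml`, the checkout step is pinned to the commit annotated `# v1.2.0`, which freezes the job on the first major line of `actions/checkout`; the `# v2.7.0` pin in `rubocop.yaml` has the same issue to a lesser degree. A SHA pin removes the moving-tag risk but also means the job receives no later fixes, so consider moving both to a currently maintained major, pinning that release's full commit SHA, and letting Dependabot or an equivalent keep the pins current. The trailing version comments are not checked by the runner, so confirm each SHA against the matching tag in the upstream repository before merging. The `Run salus` step continues outside the hunk.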