diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 6ec1bf5..9b94813 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -10,6 +10,9 @@ env:
   GHCR_USER: ${{ github.repository_owner }}
   GHCR_PASS: ${{ github.token }}
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -18,8 +21,13 @@ jobs:
       packages: write
       id-token: write # needed for GitHub OIDC Token
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Build, sign, inspect an image using wolfi-act
-        uses: wolfi-dev/wolfi-act@main
+        uses: wolfi-dev/wolfi-act@c7bc05c8af23bca710b267e0db3b39c939eb7b02 # main
         with:
           packages: curl,apko,cosign,crane,grype,trivy
           command: |
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e3ea199..670a819 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,6 +12,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
       - name: Build, sign, inspect an image using wolfi-act
@@ -49,6 +54,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
       - name: Build, sign, inspect an image using wolfi-act