diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml
index 24ffbfc0079..ff893c38db7 100644
--- a/.github/workflows/label.yml
+++ b/.github/workflows/label.yml
@@ -6,7 +6,12 @@ jobs:
 labeler:
 runs-on: ubuntu-latest
 steps:
- - uses: docker://docker.io/ilyam8/periodic-pr-labeler:v0.1.1
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+ with:
+ egress-policy: audit
+
+ - uses: docker://docker.io/ilyam8/periodic-pr-labeler:v0.1.1@sha256:acfe1c303c762f911f2d036ebc85bff6346418920260a55fbfdb88a71b096932
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 GITHUB_REPOSITORY: ${{ github.repository }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index ac9c92abd99..56842f0a5e1 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -19,7 +19,12 @@ jobs:
 name: DNS
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 
 - name: Run tests
 run: |
@@ -30,7 +35,7 @@ jobs:
 run: echo '{"cloudflare":{"TYPE":"CLOUDFLAREAPI","apitoken":"$CLOUDFLARE_API_TOKEN"}}' > ./creds.json
 
 - name: Push DNS records
- uses: is-a-dev/dnscontrol-action@main
+ uses: is-a-dev/dnscontrol-action@cab3c5a3239f2eef84ca08f6ba03ce54439afa00 # main
 env:
 CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
 with:
diff --git a/.github/workflows/raw-api.yml b/.github/workflows/raw-api.yml
index 4ba2bd85d74..b41082f2403 100644
--- a/.github/workflows/raw-api.yml
+++ b/.github/workflows/raw-api.yml
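Review bot: `egress-policy: audit` on the new harden-runner step only records outbound connections and blocks none, so for this job, whose labeler container is handed `GITHUB_TOKEN`, the step adds telemetry but no enforcement. Once a few runs have produced a baseline of observed hosts, switching to `egress-policy: block` with an `allowed-endpoints:` list is what turns the step into a control. The same audit-only setting is added in the publish.yml, raw-api.yml, stale.yml and both validation.yml hunks of this change, so the follow-up applies to all of them. Whatever `permissions:` the labeler job or its workflow already declares is outside this hunk.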
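Review bot: Only stale.yml gains a `permissions:` block in this change; neither publish.yml hunk does, so if the file has no top-level `permissions:` (not visible here) the `DNS` job keeps the repository's default `GITHUB_TOKEN` scopes while it also holds `CLOUDFLARE_API_TOKEN`. A top-level `permissions:` with `contents: read`, as stale.yml now has, would give this workflow the same treatment. The rest of the `DNS` job's steps continue outside the hunk.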
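Review bot: The pin `is-a-dev/dnscontrol-action@cab3c5a3239f2eef84ca08f6ba03ce54439afa00 # main` freezes a commit taken from a moving branch rather than a release, so the trailing comment identifies nothing a reviewer or an update tool keyed on the version comment can compare against, and the SHA will drift behind `main` with no signal about what changed. Since is-a-dev owns that action, cutting a tagged release there and pinning to the tag's commit with a version comment keeps the pin auditable. The same applies to `cpina/github-action-push-to-another-repository@55306faa4ed53b815ae49e564af8cfb359d32ae2 # main` in raw-api.yml and to the second `dnscontrol-action … # main` pin in validation.yml.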
@@ -19,15 +19,20 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 
- - uses: actions/checkout@v4
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 with:
 repository: is-a-dev/raw-api
 path: raw-api
 token: ${{ secrets.BOT }}
 
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: 20.x
 
@@ -35,7 +40,7 @@ jobs:
 run: node raw-api/scripts/update.js
 
 - name: Commit
- uses: cpina/github-action-push-to-another-repository@main
+ uses: cpina/github-action-push-to-another-repository@55306faa4ed53b815ae49e564af8cfb359d32ae2 # main
 with:
 source-directory: "raw-api"
 destination-github-username: is-a-dev
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index ad78c7b616c..333c8852552 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -5,11 +5,22 @@ on:
 schedule:
 - cron: "30 14 * * *"
 
+permissions:
+ contents: read
+
 jobs:
 stale:
+ permissions:
+ issues: write # for actions/stale to close stale issues
+ pull-requests: write # for actions/stale to close stale PRs
 runs-on: ubuntu-latest
 steps:
- - uses: actions/stale@v3
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+ with:
+ egress-policy: audit
+
+ - uses: actions/stale@98ed4cb500039dbcccf4bd9bedada4d0187f2757 # v3.0.19
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 days-before-stale: 7
diff --git a/.github/workflows/validation.yml b/.github/workflows/validation.yml
index fa0fa8f5f47..f32c2f301cd 100644
--- a/.github/workflows/validation.yml
+++ b/.github/workflows/validation.yml
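Review bot: The second `actions/checkout` step, now pinned to `08eba0b27e820071cde6df949e0beb9ba4906955`, still checks out `is-a-dev/raw-api` with `token: ${{ secrets.BOT }}` and without `persist-credentials: false`, so under checkout's default that token is written into the checkout's `.git/config` and remains readable by every later step, including the third-party push action pinned in the next hunk. If `raw-api/scripts/update.js` does not itself need to push with that token, adding `persist-credentials: false` under this step's `with:` confines the PAT to the checkout. Whether a later step relies on the stored credential is not visible in this hunk.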
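Review bot: The two new job-level permission lines put a single space before the inline `#`, which yamllint's `comments` rule flags; two spaces, `issues: write  # for actions/stale to close stale issues` and `pull-requests: write  # for actions/stale to close stale PRs`, keeps the file lint-clean. The split into a read-only top-level `permissions:` and a job-scoped write grant is the right shape for this workflow. The pinned `actions/stale@… # v3.0.19` freezes an older major line of that action; a comment or follow-up noting that the pin is deliberately on v3 would keep the SHA pin from being read as an up-to-date one.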
@@ -23,9 +23,14 @@ jobs:
 name: DNSControl
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 
- - uses: is-a-dev/dnscontrol-action@main
+ - uses: is-a-dev/dnscontrol-action@cab3c5a3239f2eef84ca08f6ba03ce54439afa00 # main
 with:
 args: check
 
@@ -33,7 +38,12 @@ jobs:
 name: Tests
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 
 - run: npm install
 