diff --git a/.github/workflows/ci-actions.yaml b/.github/workflows/ci-actions.yaml
index 2f57e6e..4b27e4b 100644
--- a/.github/workflows/ci-actions.yaml
+++ b/.github/workflows/ci-actions.yaml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: ["**"]
 
+permissions:
+  contents: read
+
 jobs:
   zizmor:
     name: zizmor latest via PyPI
@@ -15,6 +18,11 @@ jobs:
       contents: read
       actions: read
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
diff --git a/.github/workflows/ci-chart.yaml b/.github/workflows/ci-chart.yaml
index 21c9eae..b34552f 100644
--- a/.github/workflows/ci-chart.yaml
+++ b/.github/workflows/ci-chart.yaml
@@ -8,10 +8,18 @@ on:
       - charts/**
       - .github/workflows/ci-chart.yaml
 
+permissions:
+  contents: read
+
 jobs:
   lint-test:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
diff --git a/.github/workflows/ci-code.yaml b/.github/workflows/ci-code.yaml
index d53a431..c374447 100644
--- a/.github/workflows/ci-code.yaml
+++ b/.github/workflows/ci-code.yaml
@@ -9,6 +9,9 @@ on:
       - Cargo.*
       - .github/workflows/ci-code.yaml
 
+permissions:
+  contents: read
+
 jobs:
   rustfmt:
     name: rustfmt