diff --git a/.github/workflows/cacert-publish.yml b/.github/workflows/cacert-publish.yml
index c0182d02f..0de06888f 100644
--- a/.github/workflows/cacert-publish.yml
+++ b/.github/workflows/cacert-publish.yml
@@ -22,7 +22,20 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
 with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ adoptium.jfrog.io:443
+ api.github.com:443
+ auth.docker.io:443
+ deb.debian.org:80
+ github.com:443
+ objects.githubusercontent.com:443
+ production.cloudflare.docker.com:443
+ registry-1.docker.io:443
+ releases-cdn.jfrog.io:443
+ releases.jfrog.io:443
+ services.gradle.org:443

 - name: Checkout
 uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
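Review bot: `deb.debian.org:80` is the only allow-listed endpoint reached over plain HTTP, so under `egress-policy: block` it stays the one destination whose traffic leaves the runner unencrypted; apt verifies signed repository metadata, so package integrity should hold, but the requests are visible on the path. If the step that needs it (outside this hunk, presumably a Debian-based image build given the Docker registry entries) can point at an HTTPS mirror URL, allow `deb.debian.org:443` instead. The list also does not record which step needs each host, which makes later pruning guesswork; a comment such as `# docker pull: auth.docker.io, registry-1.docker.io, production.cloudflare.docker.com` would help, placed above `allowed-endpoints:` because a `#` line inside the `>` scalar becomes part of the value. Since the job appears to use Docker, `disable-sudo: true` on its own likely leaves the root-equivalent access the Docker daemon gives the runner user, so that residual risk is worth a one-line comment next to the setting.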