diff --git a/.github/workflows/build-fleetd-base-msi.yml b/.github/workflows/build-fleetd-base-msi.yml
index c3149f524d72..4af9e3f6abf6 100644
--- a/.github/workflows/build-fleetd-base-msi.yml
+++ b/.github/workflows/build-fleetd-base-msi.yml
@@ -83,6 +83,11 @@ jobs:
 needs: [build, code-sign]
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
 - name: Download signed artifact
 uses: actions/download-artifact@9c19ed7fe5d278cd354c7dfd5d3b88589c7e2395 # v4.1.6
 with:
diff --git a/.github/workflows/dogfood-automated-policy-updates.yml b/.github/workflows/dogfood-automated-policy-updates.yml
index 460ae24679b1..57564962154f 100644
--- a/.github/workflows/dogfood-automated-policy-updates.yml
+++ b/.github/workflows/dogfood-automated-policy-updates.yml
@@ -5,13 +5,21 @@ on:
 - cron: '0 */6 * * *' # Run every 6 hours
 workflow_dispatch: # Allow manual trigger
+permissions:
+ contents: read
+
 jobs:
 update-macos-versions:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+ with:
+ egress-policy: audit
+
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up Git
 run: |
diff --git a/.github/workflows/randokiller-go.yml b/.github/workflows/randokiller-go.yml
index c89809f09c3d..b4ad83665b26 100644
--- a/.github/workflows/randokiller-go.yml
+++ b/.github/workflows/randokiller-go.yml
@@ -33,6 +33,11 @@ jobs:
 outputs:
 json: ${{steps.get_config_json.outputs.json}}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
 - name: Checkout Code
 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
diff --git a/.github/workflows/test-go.yaml b/.github/workflows/test-go.yaml
index 1a65e08d65ad..d418e14167b4 100644
--- a/.github/workflows/test-go.yaml
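Review bot: The Harden Runner step added to build-fleetd-base-msi.yml references `step-security/harden-runner@v2`, a mutable tag, while every other action in this file is pinned to a full commit SHA and this same commit pins the action to a SHA in dogfood-automated-policy-updates.yml and update-osquery-versions.yml; a floating tag lets a moved or compromised tag run unreviewed code in a job that handles signed release artifacts. The same unpinned reference is added in randokiller-go.yml and test-go.yaml. Use the pin already present elsewhere in this change in all three files, `uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4`. The enclosing job definition starts before the hunk.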
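Review bot: The new workflow-level `permissions: contents: read` is the only permissions block visible for update-macos-versions, yet the `Set up Git` step that follows the hunk suggests the job commits or pushes; if it does, the token can no longer push and the job needs its own job-level `permissions:` block with `contents: write` (plus `pull-requests: write` if it opens a PR) rather than a widened top-level grant. The job body continues past the hunk, so this is inferred rather than confirmed. The audit-mode Harden Runner step would also benefit from a comment stating the intent, e.g. `# audit only: collect this job's outbound endpoints before switching to egress-policy: block`.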
+++ b/.github/workflows/test-go.yaml
@@ -310,6 +310,11 @@ jobs:
 needs: [test-go, test-go-nanomdm]
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
 - name: Checkout Code
 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 - name: Download artifacts
diff --git a/.github/workflows/update-osquery-versions.yml b/.github/workflows/update-osquery-versions.yml
index 1f0b89c0c518..f78d79d895f1 100644
--- a/.github/workflows/update-osquery-versions.yml
+++ b/.github/workflows/update-osquery-versions.yml
@@ -5,6 +5,9 @@ on:
 - cron: "0 0 * * *" # Run daily at midnight UTC
 workflow_dispatch: # Allow manual triggering
+permissions:
+ contents: read
+
 jobs:
 update-versions:
 permissions:
@@ -12,6 +15,11 @@ jobs:
 pull-requests: write # for peter-evans/create-pull-request to create a PR
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 - name: Set up Python
 uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
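Review bot: `egress-policy: audit` on the Harden Runner step in update-osquery-versions.yml only reports outbound connections; it does not prevent a compromised dependency pulled in by the Python tooling set up later in this job from sending the token that carries `pull-requests: write` off the runner. Once the audit output shows the job's endpoints, switch to `egress-policy: block` with an `allowed-endpoints:` list; the same applies to the audit-mode steps added in the other four workflows in this change. The job-level `permissions:` block that precedes the second hunk is cut off, so whether it still grants the `contents: write` that pushing a branch for create-pull-request needs under the new top-level `contents: read` cannot be confirmed here. The job continues past the hunk.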