diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 36a9e91c..6ff518bf 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -10,6 +10,10 @@ jobs: test: runs-on: ubuntu-latest steps: + - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout code uses: actions/checkout@v4 diff --git a/.github/workflows/fast-forward.yaml b/.github/workflows/fast-forward.yaml index 74431437..98817299 100644 --- a/.github/workflows/fast-forward.yaml +++ b/.github/workflows/fast-forward.yaml @@ -17,6 +17,10 @@ jobs: issues: write steps: + - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Fast forwarding uses: sequoia-pgp/fast-forward@v1 with: diff --git a/.github/workflows/heroku.yaml b/.github/workflows/heroku.yaml index 54a8b5df..2c404c51 100644 --- a/.github/workflows/heroku.yaml +++ b/.github/workflows/heroku.yaml @@ -17,6 +17,10 @@ jobs: || (contains(github.event.comment.body, '/refresh-heroku-status') && github.event.issue.pull_request) }} steps: + - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + # Forward deployment's status to the deployed commit. - uses: octokit/request-action@v2.x env: @@ -41,6 +45,10 @@ jobs: # Check that the deployed app returns successful HTTP response. steps: + - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - id: health_check uses: jtalk/url-health-check-action@v4 with:
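Review bot: `egress-policy: audit` in the added harden-runner step only records outbound connections; it does not stop a compromised step from reaching an unexpected host, so this change gives detection but no prevention. The same applies to the identical steps added in fast-forward.yaml and in both jobs of heroku.yaml. Once a few runs have produced a baseline, a follow-up should switch each job to `egress-policy: block` with an `allowed-endpoints:` list built from the observed destinations. A comment above the step, such as `# audit only for now; move to block once the endpoint baseline is known`, would keep that intent visible. The added steps also have no `name:`, unlike the neighbouring `Checkout code` and `Fast forwarding` steps; `name: Harden runner` would make them easier to find in run logs.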
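Review bot: In fast-forward.yaml the new step is pinned by commit SHA, but the action it is placed in front of, `sequoia-pgp/fast-forward@v1`, is still referenced by a mutable tag in a job whose token has `issues: write` (visible in the hunk context; the rest of the permissions block is outside the hunk). If that tag is ever moved, audit mode would record the new code's network activity but would not stop it from using the write-scoped token. Pinning it the same way, `uses: sequoia-pgp/fast-forward@<full-commit-sha>  # v1`, would make the two steps consistent; the SHA here is a placeholder to be taken from the upstream release. The same holds for `octokit/request-action@v2.x` and `jtalk/url-health-check-action@v4` in heroku.yaml and for `actions/checkout@v4` in ci.yaml.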