diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 51fdf4f..bad377e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,8 +15,13 @@ jobs:
 ci:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-node@v4
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+ - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
 - run: npm ci
 - run: npm run lint
 - run: npm run build
diff --git a/.github/workflows/email.yml b/.github/workflows/email.yml
index 94c0662..56c331a 100644
--- a/.github/workflows/email.yml
+++ b/.github/workflows/email.yml
@@ -11,16 +11,21 @@ jobs:
 name: Copilot Usage
 runs-on: ubuntu-latest
 steps:
- - uses: austenstone/copilot-usage@main
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ egress-policy: audit
+
+ - uses: austenstone/copilot-usage@0438c3b1f61607bd537dc614d2feab7c7c453c52 # main
 id: usage
 with:
 organization: ${{ secrets.ORG }}
 github-token: ${{ secrets.TOKEN }}
- - uses: austenstone/job-summary@v2.0
+ - uses: austenstone/job-summary@67b7e1f68ee55e44d073ab7354e7b580cd09567c # v2.0
 id: pdf
 with:
 name: copilot-usage
- - uses: dawidd6/action-send-mail@v3
+ - uses: dawidd6/action-send-mail@4226df7daafa6fc901a43789c49bf7ab309066e7 # v3.11.0
 with:
 server_address: smtp.gmail.com
 server_port: 465
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index cf1990a..aade76d 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
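Review bot: `egress-policy: audit` on the added Harden Runner step only records outbound connections; it blocks nothing, so a compromised dependency pulled in by `npm ci` can still reach any host. Treat audit as a baselining phase and, once the observed endpoints are known, switch to `egress-policy: block` with an explicit `allowed-endpoints` list. Until then a comment above the step would keep the intent visible: `# audit only: logs egress, does not block; move to block + allowed-endpoints after baselining`. The identical step added in email.yml, scorecard.yml and usage.yml has the same limitation.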
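Review bot: The `austenstone/copilot-usage` pin in email.yml is annotated `# main`, so the SHA records a branch tip rather than a release, and it cannot be checked against a tag the way the other pins in this commit can. This is also the step that receives `secrets.TOKEN`, which makes its provenance worth settling: if the action publishes tagged releases, pin the tag's commit and name the tag in the comment (`# vX.Y.Z`), otherwise record in the comment when the commit was reviewed. The send-mail step's `with:` block continues past the end of the hunk, so its remaining inputs are not covered here.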
@@ -31,6 +31,11 @@ jobs:
 # actions: read
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ egress-policy: audit
+
 - name: "Checkout code"
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
diff --git a/.github/workflows/usage.yml b/.github/workflows/usage.yml
index cf0f316..e264edf 100644
--- a/.github/workflows/usage.yml
+++ b/.github/workflows/usage.yml
@@ -14,7 +14,12 @@ jobs:
 name: Copilot Usage
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 - uses: ./
 with:
 organization: ${{ secrets.ORG }}
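Review bot: The `actions/checkout` step left in place below the new Harden Runner step in scorecard.yml is pinned at `# v4.1.1`, while this commit pins the same action at `# v4.2.1` in ci.yml and usage.yml. Carrying two pinned commits of one action means two revisions to audit and keep updated; unless scorecard.yml needs the older release, align it to the v4.2.1 SHA in the same change. The checkout step's `with:` block runs past the end of the hunk.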