diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 3e72c530a..ab9ab4b68 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -5,6 +5,9 @@ name: "Labeler"
 on: # yamllint disable-line rule:truthy
 - "pull_request_target"

+permissions:
+ contents: read
+
 jobs:
 triage:
 runs-on: "ubuntu-latest"
@@ -12,6 +15,11 @@ jobs:
 contents: "read"
 pull-requests: "write"
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
+
 - uses: "actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b" # v6.0.1
 with:
 repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index c11ac1f74..cf31eabd6 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -81,7 +81,7 @@ jobs:

 - name: "Setup resources and environment"
 id: "setup"
- uses: "anolilab/workflows/step/setup@main"
+ uses: "anolilab/workflows/step/setup@c56082a9d841a5261123032173b8848d9aa69a58" # main
 with:
 node-version: "20.x"
 cache-prefix: "lint"
@@ -133,7 +133,7 @@ jobs:

 - name: "Setup resources and environment"
 id: "setup"
- uses: "anolilab/workflows/step/setup@main"
+ uses: "anolilab/workflows/step/setup@c56082a9d841a5261123032173b8848d9aa69a58" # main
 with:
 node-version: "20.x"
 cache-prefix: "lint"
@@ -185,7 +185,7 @@ jobs:

 - name: "Setup resources and environment"
 id: "setup"
- uses: "anolilab/workflows/step/setup@main"
+ uses: "anolilab/workflows/step/setup@c56082a9d841a5261123032173b8848d9aa69a58" # main
 with:
 node-version: "20.x"
 cache-prefix: "lint"
diff --git a/.github/workflows/preview-release.yaml b/.github/workflows/preview-release.yaml
index e5fe5d643..ec7d4f5f2 100644
--- a/.github/workflows/preview-release.yaml
+++ b/.github/workflows/preview-release.yaml
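Review bot: The added top-level block writes `contents: read` unquoted, while every other scalar visible in labeler.yml is double-quoted (`contents: "read"`, `runs-on: "ubuntu-latest"`); the harden-runner step added in the next hunk has the same inconsistency in its `name`, `uses` and `egress-policy` values. The file already carries a yamllint directive, so if the repository's yamllint configuration enforces quoted strings these lines would fail lint; I would write `contents: "read"` here. A short comment such as `# default for jobs that declare no permissions of their own` would also help, because the `triage` job appears to set its own permissions, which take precedence over this block. The `jobs:` mapping continues outside the hunk.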
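Review bot: `egress-policy: audit` in the new harden-runner step only records outbound connections and does not stop any of them, so the step adds visibility but no enforcement to a job that runs on `pull_request_target` with `pull-requests: "write"`. Once a few runs have shown which endpoints the labeler actually contacts, the step should move to `egress-policy: block` with an `allowed-endpoints` list. Until then I would put a comment on the step, for example `# audit only: logs egress, switch to block once the endpoint baseline is known`, so the temporary setting is not mistaken for the final one. The `steps:` list may continue past the end of the hunk.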
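Review bot: The trailing comment `# main` on the pinned `anolilab/workflows/step/setup@c56082a9d841a5261123032173b8848d9aa69a58` line names a branch rather than a release, so the line does not say which state of the action the SHA corresponds to, and update tooling that reads version comments has nothing to compare against. The same line appears in the two later hunks of lint.yml and in the preview-release.yaml, semantic-release.yml and test.yml hunks. If the action publishes tags, pin to a tagged commit and name the tag in the comment, as labeler.yml does with `# v6.0.1`; otherwise record when the pin was taken, e.g. `# main @ <date of pin>`. Pinning this reference does not by itself pin any `uses:` references inside that action, so those are worth checking in the anolilab/workflows repository; the enclosing job of each step starts outside the hunk.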
@@ -47,7 +47,7 @@ jobs:

 - name: "Setup resources and environment"
 id: "setup"
- uses: "anolilab/workflows/step/setup@main"
+ uses: "anolilab/workflows/step/setup@c56082a9d841a5261123032173b8848d9aa69a58" # main
 with:
 node-version: "20.x"
 cache-prefix: "preview-release"
diff --git a/.github/workflows/semantic-release.yml b/.github/workflows/semantic-release.yml
index 1322306b4..53cdfe88c 100644
--- a/.github/workflows/semantic-release.yml
+++ b/.github/workflows/semantic-release.yml
@@ -56,7 +56,7 @@ jobs:

 - name: "Setup resources and environment"
 id: "setup"
- uses: "anolilab/workflows/step/setup@main"
+ uses: "anolilab/workflows/step/setup@c56082a9d841a5261123032173b8848d9aa69a58" # main
 with:
 node-version: "22.x"
 cache-prefix: "semantic-release"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 75f796876..a4b594322 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -93,7 +93,7 @@ jobs:

 - name: "Setup resources and environment"
 id: "setup"
- uses: "anolilab/workflows/step/setup@main"
+ uses: "anolilab/workflows/step/setup@c56082a9d841a5261123032173b8848d9aa69a58" # main
 with:
 node-version: "${{ matrix.node_version }}"
 install-bun: false