diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 76a33f9..5d65fea 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -10,7 +10,19 @@ jobs:
 build:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - name: Harden Runner
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: block
+ allowed-endpoints: >
+ archive.ubuntu.com:80
+ auth.docker.io:443
+ github.com:443
+ production.cloudflare.docker.com:443
+ registry-1.docker.io:443
+ registry.npmjs.org:443
+ security.ubuntu.com:80
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Build the container
 run: docker build -f test/Dockerfile . -t sitespeedio/throttle
 - name: Test Throttle
diff --git a/.github/workflows/install.yml b/.github/workflows/install.yml
index c30e3e2..eb3b08d 100644
--- a/.github/workflows/install.yml
+++ b/.github/workflows/install.yml
@@ -13,6 +13,12 @@ jobs:
 matrix:
 node-version: [24.x]
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: block
+ allowed-endpoints: >
+ registry.npmjs.org:443
 - name: Install throttle
 run: npm install @sitespeed.io/throttle -g
 - name: Install dependencies
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index 6c811f1..ad1f9f7 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
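Review bot: The new `actions/checkout` step in docker.yml keeps its default credential persistence, and the very next step runs `docker build` with `.` as the build context, so the job token stays available to every later step. Unless a later step outside this hunk pushes with git, add `with:` and `persist-credentials: false` under the checkout step. The same applies to the checkout steps in linux.yml and osx.yml. The `allowed-endpoints` list would also be easier to maintain with a comment above the key saying how it was derived, for example `# from an audit-mode run; extend when the Dockerfile adds a new host`.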
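Review bot: The install.yml allow-list of only `registry.npmjs.org:443` is backed by the one `npm install` step visible in this hunk. "Install dependencies" and anything after it lie outside the hunk, and under `egress-policy: block` any other host those steps contact will fail the job. Check the list against an audit-mode run of the whole job and record that above `allowed-endpoints:`, for example `# derived from an audit-mode run of this job; update when steps change`.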
@@ -13,9 +13,13 @@ jobs:
 matrix:
 node-version: [20.x, 22.x, 24.x]
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - name: Harden Runner
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
 with:
 node-version: ${{ matrix.node-version }}
 - name: Install throttle
diff --git a/.github/workflows/osx.yml b/.github/workflows/osx.yml
index 5a4c55a..c97ec03 100644
--- a/.github/workflows/osx.yml
+++ b/.github/workflows/osx.yml
@@ -10,9 +10,13 @@ jobs:
 build:
 runs-on: macos-latest
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - name: Harden Runner
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Use Node.js
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
 with:
 node-version: '20.x'
 - name: Install dependencies
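Review bot: `egress-policy: audit` in linux.yml only records outbound connections and blocks nothing, so this job, and osx.yml with the same setting, gets none of the enforcement that docker.yml and install.yml get from `block`. If audit is a deliberate first stage, say so in place, for example `egress-policy: audit # TODO: switch to block once the endpoint list is known`. The pin comments are also uneven: harden-runner carries `# v2.14.2`, while checkout and setup-node carry only `# v6`, which makes it harder to check each SHA against a specific release. Prefer the full release tag in those comments too.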
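Review bot: The osx.yml job runs on `macos-latest`, and nothing in the diff shows that harden-runner at this pinned version monitors macOS runners. If it does not, the step does nothing here and the empty audit output could be mistaken for a clean run. Confirm platform support for the pinned release. If it is unsupported, either drop the step from this workflow or mark it with a comment such as `# no-op on macOS runners; kept for parity with linux.yml`.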