diff --git a/.github/workflows/pr-quality.yml b/.github/workflows/pr-quality.yml
index f229a7b..78cf7c2 100644
--- a/.github/workflows/pr-quality.yml
+++ b/.github/workflows/pr-quality.yml
@@ -15,6 +15,11 @@ jobs:
     permissions:
       pull-requests: read
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Check PR title follows Conventional Commit format
         uses: amannn/action-semantic-pull-request@v6
         env:
diff --git a/.github/workflows/update-cli-docs.yml b/.github/workflows/update-cli-docs.yml
index ab8a36e..fa3f09f 100644
--- a/.github/workflows/update-cli-docs.yml
+++ b/.github/workflows/update-cli-docs.yml
@@ -17,6 +17,11 @@ jobs:
   update-docs:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Determine CLI tag
         id: tag
         run: |