diff --git a/.github/workflows/build-tokens.yml b/.github/workflows/build-tokens.yml
index ced95737a..840a63c89 100644
--- a/.github/workflows/build-tokens.yml
+++ b/.github/workflows/build-tokens.yml
@@ -15,6 +15,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
 - name: 🏗 Setup repo
 uses: pnpm/action-setup@v4
 with:
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 4f8c9cd86..0c6c22c32 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -6,11 +6,19 @@ on:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 checks:
 name: Code Checks
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
 - uses: pnpm/action-setup@v4
 with:
 version: 9
diff --git a/.github/workflows/chromatic.yml b/.github/workflows/chromatic.yml
index 6b475d7be..06011c15f 100644
--- a/.github/workflows/chromatic.yml
+++ b/.github/workflows/chromatic.yml
@@ -11,6 +11,11 @@ jobs:
 chromatic-deployment:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
 - uses: pnpm/action-setup@v4
 with:
 version: 9
diff --git a/.github/workflows/code-connect.yml b/.github/workflows/code-connect.yml
index 8445a6038..282995d5f 100644
--- a/.github/workflows/code-connect.yml
+++ b/.github/workflows/code-connect.yml
@@ -7,11 +7,19 @@ on:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 code-connect:
 name: Code Connect
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
 - name: 🏗 Setup repo
 uses: pnpm/action-setup@v4
 with:
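Review bot: `uses: step-security/harden-runner@v2` on the added step is pinned to a mutable major tag, so the step meant to protect the runner can itself change under the workflow without any commit here; pin it to the full commit SHA of the v2 release and keep the tag as a comment, `uses: step-security/harden-runner@<full-commit-sha> # v2`, so Dependabot or Renovate can still bump it. The same line is added in checks.yml, chromatic.yml, code-connect.yml, generate-colour-system.yml, previews-cleanup.yml, previews.yml and release.yml and should be pinned in each of them. `egress-policy: audit` only logs outbound connections and blocks nothing, which is the right first step, but the follow-up of `egress-policy: block` with an `allowed-endpoints` list belongs on the plan once the audit runs have produced a baseline. This hunk also leaves build-tokens.yml without the workflow-level `permissions: contents: read` that checks.yml and code-connect.yml gain in the same commit; unless the file already declares permissions outside this hunk, the same two lines belong here and in chromatic.yml and previews.yml. The enclosing job definition starts before the hunk.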
diff --git a/.github/workflows/generate-colour-system.yml b/.github/workflows/generate-colour-system.yml
index af3c13ddf..5a13661bf 100644
--- a/.github/workflows/generate-colour-system.yml
+++ b/.github/workflows/generate-colour-system.yml
@@ -21,11 +21,19 @@ on:
 env:
 CI: true
+permissions:
+ contents: read
+
 jobs:
 generate:
 name: Generate colour system
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
 - uses: pnpm/action-setup@v4
 with:
 version: 9
diff --git a/.github/workflows/previews-cleanup.yml b/.github/workflows/previews-cleanup.yml
index d89105f6a..d42c4e61b 100644
--- a/.github/workflows/previews-cleanup.yml
+++ b/.github/workflows/previews-cleanup.yml
@@ -8,6 +8,9 @@ on:
 - 'packages/native-ui/**'
 - 'apps/native-ui-storybook/**'
+permissions:
+ contents: read
+
 jobs:
 cleanup:
 name: Cleanup Previews
@@ -15,6 +18,11 @@ jobs:
 continue-on-error: true
 if: ${{ github.event.before && github.head_commit.author.username != 'github-actions[bot]'}}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
 - name: 🔧 Setup pnpm
 uses: pnpm/action-setup@v4
 with:
diff --git a/.github/workflows/previews.yml b/.github/workflows/previews.yml
index c40b14782..11a25a8f9 100644
--- a/.github/workflows/previews.yml
+++ b/.github/workflows/previews.yml
@@ -24,6 +24,11 @@ jobs:
 group: preview-android-${{ github.ref }}
 cancel-in-progress: true
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
 - name: 🔍 Check if Android build should run
 id: check_build
 run: |
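Review bot: The new workflow-level `permissions: contents: read` in previews-cleanup.yml also caps GITHUB_TOKEN for the Cleanup Previews job, whose steps are outside this hunk; if that job deletes deployments or environments, or edits PR comments, with the default token, those API calls will now be refused and the job needs a job-level `permissions:` block naming the extra scopes, as release.yml gets in this commit. Because the job is declared `continue-on-error: true` in the following hunk, such a failure would not turn the run red, so it is worth reading the job log on a test PR rather than trusting a green workflow. The same question applies to generate-colour-system.yml, whose `generate` job body is likewise outside its hunk.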
@@ -157,6 +162,11 @@ jobs:
 group: preview-ios-${{ github.ref }}
 cancel-in-progress: true
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
 - name: 🔍 Check if iOS build should run
 id: check_build
 run: |
@@ -294,6 +304,11 @@ jobs:
 VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
 VERCEL_PROJECT_ID: ${{ secrets.VERCEL_PROJECT_ID }}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
 - name: 📝 Echo needs
 run: |
 echo "Needs: ${{ toJson(needs) }}"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0430cd34e..76d486c61 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,11 +6,22 @@ on:
 env:
 CI: true
+permissions:
+ contents: read
+
 jobs:
 release:
+ permissions:
+ contents: write # for changesets/action to push to the repo
+ pull-requests: write # for changesets/action to create PRs
 name: Release
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
 - uses: pnpm/action-setup@v4
 with:
 version: 9
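Review bot: The release job keeps `egress-policy: audit` while it is the only job in this diff granted `contents: write` and `pull-requests: write`, so a compromised dependency or action running here still has an unrestricted network path alongside a write-scoped token, and the audit step would only record that after the fact. This is the job where moving to `egress-policy: block` with an explicit `allowed-endpoints` list pays off first, built from the endpoints the audit runs report. The job-level scopes are correctly placed under `release:` rather than widened at workflow level, and the inline comments tying each scope to changesets/action are the right form of documentation. The rest of the release job's steps, including whatever publishes the packages, are outside the hunk.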