diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 077a6d7..a03886c 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -3,11 +3,21 @@ on:
   push:
     branches: main
+permissions:
+  contents: read
+
 jobs:
   docs:
+    permissions:
+      contents: write # for Git to git push
     runs-on: ubuntu-20.04
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v2
         with:
           submodules: true
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 90c0229..5f5b06b 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     types: [opened, synchronize]
+permissions:
+  contents: read
+
 jobs:
   unit:
     strategy:
@@ -35,6 +38,11 @@ jobs:
     runs-on: ${{ matrix.config.os }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v2
         with:
           submodules: recursive
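Review bot: The new harden-runner step is pinned to a full commit SHA with a version comment, but the `actions/checkout@v2` line right below it in the same job is still a mutable tag, so the one job that now explicitly carries a `contents: write` token keeps a floating, re-pointable dependency; pin it the same way, `- uses: actions/checkout@<commit-sha> # vX.Y.Z`, using the SHA of the release you have actually validated rather than one copied from elsewhere. `egress-policy: audit` only records outbound connections and blocks nothing, so the step title's "harden" is currently visibility only; the usual path is to collect the audit output and then switch to `egress-policy: block` with an `allowed-endpoints` list. Because checkout persists `GITHUB_TOKEN` into `.git/config` by default and this job deliberately holds write scope for the push, every later step in the job (including anything executed from the checked-out submodules) can push to the repository; that is inherent to the design here, so a comment beside `permissions` such as `# write scope is job-wide: every step after checkout can push` would make the trade-off explicit. `ubuntu-20.04` is, as far as I know, a retired hosted-runner label — confirm the job still schedules.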
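Review bot: `runs-on: ${{ matrix.config.os }}` means the new harden-runner step is executed on every matrix leg, but harden-runner instruments Linux runners only (it reports and skips on other platforms, as far as its documentation goes), so if the matrix defined above this hunk includes macOS or Windows entries the egress audit silently covers only the Ubuntu legs; a comment on the step, e.g. `# harden-runner only audits egress on Linux runners; other matrix legs are unmonitored`, would stop a reader assuming full coverage. As in docs.yml, `actions/checkout@v2` stays a mutable tag beside a SHA-pinned action; pin it to a commit SHA with a `# vX.Y.Z` comment for consistency and supply-chain integrity. `egress-policy: audit` logs and does not block, so this change adds observability, not enforcement. The matrix definition and the rest of the job body lie outside the hunk.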