diff --git a/.github/workflows/stale-branches.yml b/.github/workflows/stale-branches.yml
index db9f2cf1..792cfb9a 100644
--- a/.github/workflows/stale-branches.yml
+++ b/.github/workflows/stale-branches.yml
@@ -1,29 +1,31 @@
-# .github/workflows/stale-branches.yml
-
 name: stale-branches.yml – Delete Stale Branches
 on:
- workflow_dispatch: # Manual trigger from GitHub UI
+ #workflow_dispatch: # Manual trigger from GitHub UI
 schedule:
 - cron: '0 6 * * 0'
-permissions: {}
+permissions:
+ issues: write
+ contents: write
 jobs:
 stale_branches:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ with:
+ egress-policy: audit
+
 - name: Stale Branches
- permissions:
- issues: write
- contents: write
- uses: crs-k/stale-branches@v8.2.2
- with:
+ uses: crs-k/stale-branches@865501af01284d43aef267d4b9aab0f9f1734b12 # v8.2.2
+ with:
 # days-before-delete: 180
 # comment-updates: false
 # max-issues: 20
 tag-committer: true
- # stale-branch-label: 'stale branch 🗑️'
+ stale-branch-label: 'stale branch 🗑️'
 # compare-branches: 'info'
 # branches-filter-regex: '^((?!dependabot))'
 # rate-limit: false
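Review bot: The write scopes now sit at workflow level (`permissions:` with `issues: write` and `contents: write`), so any job added to this file later inherits them by default; with a token that can delete branches, it is safer to keep `permissions: {}` at the top and declare the two scopes under `jobs.stale_branches.permissions`. Moving them off the step was needed, since the step-level `permissions:` key the old file used is not part of the workflow syntax. Separately, `egress-policy: audit` on the harden-runner step only records outbound calls; once a baseline exists, consider `egress-policy: block` with an explicit `allowed-endpoints` list. The commented-out `#workflow_dispatch:` line could be deleted rather than left as dead configuration.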