diff --git a/.github/workflows/build-images-release.yaml b/.github/workflows/build-images-release.yaml
index 6b9cc08ec..affffb9a0 100644
--- a/.github/workflows/build-images-release.yaml
+++ b/.github/workflows/build-images-release.yaml
@@ -25,6 +25,11 @@ jobs:
     name: Determine Deployment
     runs-on: ubuntu-22.04
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        with:
+          egress-policy: audit
+
       - name: Determine deployment environment
         id: environment
         # use 'release' deployment if the workflow was triggered on a pushed tag starting with "v"
@@ -46,6 +51,11 @@ jobs:
           dockerfile: ./Dockerfile

     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        with:
+          egress-policy: audit
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0

@@ -106,6 +116,11 @@ jobs:
     runs-on: ubuntu-22.04
     needs: build-and-push
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        with:
+          egress-policy: audit
+
       - name: Getting image tag
         id: tag
         run: |
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 375fa292d..00fc9d7b2 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
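Review bot: This is the only workflow in the change that receives no top-level `permissions:` block, yet its `build-and-push` job (second hunk) is the one that publishes images and therefore holds the credentials most worth containing; if nothing outside these hunks sets it, GITHUB_TOKEN falls back to the repository default, which may be write-all. Add `permissions:` / `  contents: read` at workflow level, and grant whatever the push step needs (for example `packages: write` if it targets GHCR — the registry is not visible here) on that job alone. Note also that `egress-policy: audit` only reports outbound connections; it does not stop a compromised build step from exfiltrating registry credentials, so use the audit report to move this job to `egress-policy: block` with an `allowed-endpoints` list. Both the job definitions and the push steps lie outside the hunks shown.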
@@ -16,13 +16,25 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after || 'scheduled' }}
   cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
   analyze:
+    permissions:
+      actions: read # for github/codeql-action/init to get workflow details
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/analyze to upload SARIF results
     if: github.repository == 'cilium/hubble'
     runs-on: ubuntu-22.04
     strategy:
       fail-fast: false
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        with:
+          egress-policy: audit
+
       - name: Checkout repo
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
diff --git a/.github/workflows/integration-tests.yaml b/.github/workflows/integration-tests.yaml
index 6b0a54ac0..7e3a50844 100644
--- a/.github/workflows/integration-tests.yaml
+++ b/.github/workflows/integration-tests.yaml
@@ -25,11 +25,19 @@ env:
   CILIUM_VERSION: v1.15.3
   CILIUM_VALUES: .github/cilium-values.yaml

+permissions:
+  contents: read
+
 jobs:
   integration-test:
     runs-on: ubuntu-22.04
     timeout-minutes: 20
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        with:
+          egress-policy: audit
+
       - name: Checkout the repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Setup go
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b1d6ad47f..d0d871e8e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,12 +6,23 @@ on:

 name: Create a release

+permissions:
+  contents: read
+
 jobs:
   build:
+    permissions:
+      actions: write # for skx/github-action-publish-binaries to attach binaries to release artifacts
+      contents: write # for actions/create-release to create a release
     name: Create Release
     if: github.repository == 'cilium/hubble'
     runs-on: ubuntu-22.04
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Generate artifacts
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 4029f593b..4749fc74b 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -16,11 +16,17 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }}
   cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
   unit-test:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
     runs-on: ubuntu-22.04
     steps:
-      - uses: step-security/harden-runner@rc
+      - uses: step-security/harden-runner@c51e8eeb6c4fdcd08f65e43a051dacdbfaa69702 # rc
         with:
           egress-policy: audit
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
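Review bot: `actions: write` in the new job-level `permissions` block of the `build` job looks broader than its comment justifies: attaching assets to a GitHub release goes through the releases API, which is governed by the `contents` scope already granted as `contents: write`, whereas `actions: write` additionally lets the token cancel, re-run and delete workflow runs and their artifacts. Unless skx/github-action-publish-binaries is documented to require it, drop that line and keep `contents: write # for actions/create-release and publish-binaries to create the release and attach assets`; I cannot confirm the action's needs from this diff, so verify before removing. Because this is the one job in the change that holds a write-scoped token, `egress-policy: audit` (which only records outbound connections) deserves an early follow-up to `egress-policy: block` with an `allowed-endpoints` list built from the audit report. The `build` job's step list continues past the end of the hunk.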
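Review bot: The replacement `- uses:` line in tests.yml pins harden-runner to `c51e8eeb6c4fdcd08f65e43a051dacdbfaa69702 # rc`, a different commit from the `df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3` every other workflow in this change pins, so the repository now runs two revisions of the same action and the `# rc` label gives dependency bots no release tag to track. Swapping the floating `@rc` ref for a SHA is the right move, but the pinned commit should be the released one: `- uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3`. If the rc build is deliberately kept for testing, say so in the trailing comment so the mismatch is not "fixed" by the next pin refresh. The `unit-test` job's steps continue beyond the hunk.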