diff --git a/.github/workflows/check-upgrades.yml b/.github/workflows/check-upgrades.yml
index 6e9906d4..76c1e9b4 100644
--- a/.github/workflows/check-upgrades.yml
+++ b/.github/workflows/check-upgrades.yml
@@ -6,8 +6,12 @@ on:
       python-version:
         required: true
         type: string
+permissions: {}
+
 jobs:
   check:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
     name: Check (Python ${{ matrix.python-version }})
     runs-on: ubuntu-latest
     strategy:
@@ -16,10 +20,15 @@ jobs:
         python-version: ${{ fromJson(inputs.python-version) }}
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
       - name: Setup Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Check for dependency updates