diff --git a/.github/workflows/build-fleetd-base-msi.yml b/.github/workflows/build-fleetd-base-msi.yml
index 4af9e3f6ab..78e9602ad6 100644
--- a/.github/workflows/build-fleetd-base-msi.yml
+++ b/.github/workflows/build-fleetd-base-msi.yml
@@ -84,7 +84,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
 with:
 egress-policy: audit
diff --git a/.github/workflows/ingest-maintained-apps.yml b/.github/workflows/ingest-maintained-apps.yml
index 9ba431d96b..20a3ac9290 100644
--- a/.github/workflows/ingest-maintained-apps.yml
+++ b/.github/workflows/ingest-maintained-apps.yml
@@ -12,11 +12,14 @@ on:
 - cron: '0 21 * * *'
 permissions:
- contents: write # Required to push new branch
- pull-requests: write # Required to open PRs
+ contents: read
+ pull-requests: read
 jobs:
- build:
+ build:
+ permissions:
+ contents: write # Required to push new branch
+ pull-requests: write # Required to open PRs
 runs-on: ubuntu-latest
 timeout-minutes: 180
@@ -31,7 +34,7 @@ jobs:
 run: echo "::set-output name=date::$(date +'%y%m%d%H%M')"
 - name: Checkout Fleet
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 repository: fleetdm/fleet
 fetch-depth: 1
@@ -39,7 +42,7 @@ jobs:
 path: fleet
 - name: Setup Go
- uses: actions/setup-go@v4.1.0
+ uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
 with:
 cache: false
 go-version: '^1.23.4'
@@ -51,7 +54,7 @@ jobs:
 go run cmd/maintained-apps/main.go
 - name: Create Pull Request
- uses: peter-evans/create-pull-request@v7
+ uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e #v7.0.8
 with:
 base: main
 path: fleet
diff --git a/.github/workflows/randokiller-go.yml b/.github/workflows/randokiller-go.yml
index b4ad83665b..da26942813 100644
--- a/.github/workflows/randokiller-go.yml
+++ b/.github/workflows/randokiller-go.yml
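Review bot: The workflow-level `pull-requests: read` in the ingest-maintained-apps permissions hunk grants a scope that no job other than `build` is shown to need; once a `permissions` block is present every unlisted scope is already `none`, so `permissions:` with only `contents: read` is the tighter default, assuming `build` is the only job (the rest of the file is outside the hunk). The job-level block replaces rather than extends the workflow-level one, so `build` ends up with exactly `contents: write` and `pull-requests: write`, which is what its push-branch and Create Pull Request steps need. A comment on the workflow-level block would keep the split from being undone by a later edit, e.g. `# Read-only default for all jobs; build overrides below to push a branch and open a PR`.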
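Review bot: The Setup Go hunk moves the action from `v4.1.0` to the commit tagged `v5.3.0`, a major-version change bundled into what is otherwise a tag-to-SHA pinning commit, and nothing in the hunk records why. The step already sets `cache: false` and `go-version: '^1.23.4'`, so the visible inputs carry over, but a major bump can change the action's runtime and defaults and deserves its own line in the commit message or a comment on the step. If the intent is only to pin, the SHA of the existing `v4.1.0` tag keeps this hunk a reviewable no-op; otherwise a note such as `# bumped v4 -> v5: <reason>` on the `uses:` line makes the upgrade deliberate.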
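Review bot: The version comment on the Create Pull Request pin is written `#v7.0.8` with no space after `#`, unlike `# v2.7.0`, `# v4.2.2` and `# v5.3.0` elsewhere in this commit. Keeping the `# vX.Y.Z` form uniform is more than style: tooling that refreshes SHA pins together with their trailing version comment typically keys on that pattern, and a comment it does not recognise can leave the hash and the stated version drifting apart silently. Change the line to `uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8`.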
@@ -34,7 +34,7 @@ jobs:
 json: ${{steps.get_config_json.outputs.json}}
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
 with:
 egress-policy: audit
diff --git a/.github/workflows/update-tuf-timestamp-signature.yaml b/.github/workflows/update-tuf-timestamp-signature.yaml
index 056d3b6710..775e94a5ef 100644
--- a/.github/workflows/update-tuf-timestamp-signature.yaml
+++ b/.github/workflows/update-tuf-timestamp-signature.yaml
@@ -11,6 +11,9 @@ defaults:
 # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
 shell: bash
+permissions:
+ contents: read
+
 jobs:
 updates-update-timestamp:
 runs-on: ubuntu-latest
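Review bot: The new workflow-level `permissions:` with `contents: read` in update-tuf-timestamp-signature.yaml makes `GITHUB_TOKEN` read-only for `updates-update-timestamp`, whose steps lie outside the hunk; the job name suggests it writes an updated timestamp signature somewhere, so if any step pushes to this repository with `GITHUB_TOKEN` it will now be rejected and needs a job-level `permissions:` with `contents: write`. If the job publishes with a separate credential instead, read-only is the right choice, but that is not visible here. A comment on the new block stating where the job's write access comes from, e.g. `# Token is read-only; the signature is published with <credential> (see job steps)`, would make the intent checkable on review.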