diff --git a/.github/workflows/empty-commiter.yml b/.github/workflows/empty-commiter.yml
index 5fa8b554..c00605ee 100644
--- a/.github/workflows/empty-commiter.yml
+++ b/.github/workflows/empty-commiter.yml
@@ -1,15 +1,25 @@
 name: empty-commiter
 on:
 push:
+permissions:
+ contents: read
+
 jobs:
 commit:
+ permissions:
+ contents: write # for Git to git push
 runs-on: ubuntu-latest
 env:
 COMMIT_AUTHOR: ${{ github.event.head_commit.author.username }}
 if: github.repository_owner == 'LazerTechnologies'
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+ with:
+ egress-policy: audit
+
 - name: checkout
- uses: actions/checkout@v2.3.1
+ uses: actions/checkout@28c7f3d2b5162b5ddd3dfd9a45aa55eaf396478b # v2.3.1
 with:
 submodules: recursive
 fetch-depth: 0
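Review bot: The added harden-runner step uses `egress-policy: audit`, which only records outbound connections and blocks nothing, while the `commit` job now holds a `contents: write` token. Once a few runs have shown which endpoints the job needs, this should become `egress-policy: block` with an explicit `allowed-endpoints:` list, and a comment on the step should say that audit mode is a temporary baseline. The SHA pin on `actions/checkout` stops a moved tag from changing the code, but it also freezes the job on v2.3.1, and the trailing `# v2.3.1` comment is the only link between the hash and a release. Check the hash against the upstream tag, and enable Dependabot for `github-actions` so pinned SHAs are updated. The push step is outside this hunk, so I cannot confirm from here that `contents: write` is the narrowest scope the job needs.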