diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
index 5cd6cfd..f0fad1b 100644
--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@@ -16,6 +16,11 @@ jobs:
     runs-on: ${{ matrix.os }}
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false