diff --git a/.github/workflows/merge-dependabot.yml b/.github/workflows/merge-dependabot.yml
index 144caa94..5e79f254 100644
--- a/.github/workflows/merge-dependabot.yml
+++ b/.github/workflows/merge-dependabot.yml
@@ -44,6 +44,24 @@ jobs:
         with:
           script: |
             core.info('Owner: ${{github.repository_owner}}');
+
+      - name: "Harden Security"
+        uses: step-security/harden-runner@v2.7.0
+        with:
+          egress-policy: audit
+          disable-sudo: true
+          allowed-endpoints: >
+            api.github.com:443
+            api.osv.dev:443
+            api.securityscorecards.dev:443
+            codeload.github.com:443
+            fulcio.sigstore.dev:443
+            github.com:443
+            oss-fuzz-build-logs.storage.googleapis.com:443
+            rekor.sigstore.dev:443
+            tuf-repo-cdn.sigstore.dev:443
+            www.bestpractices.dev:443
+
       - name: "Auto-Merge"
         if: github.repository_owner == 'funfair-tech'
         uses: pascalgn/automerge-action@v0.16.2
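Review bot: The harden-runner step is inserted after a step that has already run (the `core.info` script directly above it), so that step's egress and any earlier steps of the job are outside its monitoring; move it to the first position in `steps` so the whole job is covered. With `egress-policy: audit` the `allowed-endpoints` list is only reported on, not enforced — switch to `egress-policy: block` once the audit output confirms the list, and trim it to what this job actually contacts, since entries such as `api.osv.dev:443`, `rekor.sigstore.dev:443` and `oss-fuzz-build-logs.storage.googleapis.com:443` look carried over from a scorecard workflow rather than needed by a Dependabot auto-merge job. `step-security/harden-runner@v2.7.0` is pinned to a mutable tag; pin it to the full commit SHA of that release (keeping the tag in a trailing comment) so a retagged release cannot change what runs here. The enclosing job definition starts and ends outside the hunk.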