diff --git a/.github/workflows/auto-project.yml b/.github/workflows/auto-project.yml index 4747379b4b..db78c5fdcc 100644 --- a/.github/workflows/auto-project.yml +++ b/.github/workflows/auto-project.yml @@ -4,6 +4,9 @@ on: issues: types: [opened] +permissions: + contents: read + jobs: add-to-project: uses: RequestNetwork/.github/.github/workflows/add-to-project.yml@main diff --git a/.github/workflows/auto_assign_pr.yml b/.github/workflows/auto_assign_pr.yml index 7dc5326ec4..cacc16f2b0 100644 --- a/.github/workflows/auto_assign_pr.yml +++ b/.github/workflows/auto_assign_pr.yml @@ -12,4 +12,8 @@ jobs: add-reviews: runs-on: ubuntu-latest steps: - - uses: kentaro-m/auto-assign-action@v1.2.0 + - name: Harden Runner + uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2 + with: + egress-policy: audit + - uses: kentaro-m/auto-assign-action@50ee9a1818bde2eb93a948448994a9d414457e3a # v1.2.0 diff --git a/.github/workflows/pr-comments.yml b/.github/workflows/pr-comments.yml index ce41e4b9c8..007e7c3339 100644 --- a/.github/workflows/pr-comments.yml +++ b/.github/workflows/pr-comments.yml @@ -4,6 +4,10 @@ on: pull_request_target: types: [opened, ready_for_review, closed] +permissions: + contents: read + pull-requests: write + jobs: pr-comments: name: PR Comments diff --git a/.github/workflows/reopen-issue-if-prs-open.yml b/.github/workflows/reopen-issue-if-prs-open.yml index 986342f103..665c07d030 100644 --- a/.github/workflows/reopen-issue-if-prs-open.yml +++ b/.github/workflows/reopen-issue-if-prs-open.yml @@ -4,6 +4,9 @@ on: issues: types: [closed] +permissions: + contents: read + jobs: reopen-if-needed: uses: RequestNetwork/.github/.github/workflows/reopen-issue-if-prs-open.yml@main diff --git a/.github/workflows/security-echidna.yml b/.github/workflows/security-echidna.yml index 5a9b9f404d..c8ac5f0e7d 100644 --- a/.github/workflows/security-echidna.yml +++ b/.github/workflows/security-echidna.yml 
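Review bot: The reusable workflow is still referenced as `RequestNetwork/.github/.github/workflows/add-to-project.yml@main`, so this job re-resolves a mutable branch on every run while every other `uses:` in this commit is pinned to a commit SHA; pin it the same way, e.g. `uses: RequestNetwork/.github/.github/workflows/add-to-project.yml@<sha> # main`. Note also that `permissions: contents: read` in the caller caps the GITHUB_TOKEN handed to the called workflow, which can only downgrade it, never elevate it; if add-to-project.yml relies on the default token to write to the project rather than an app token or PAT passed via secrets, this will start failing with 403. The called workflow lives in another repository and is not visible here, so please confirm before merging.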
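Review bot: `egress-policy: audit` on the new Harden Runner step only records outbound connections and blocks nothing, so the auto-assign step still runs with unrestricted egress and the SHA pin below is the only hardening in this hunk that actually takes effect. Treat audit as the baseline-collection phase and follow up with `egress-policy: block` plus an `allowed-endpoints:` list (at minimum `api.github.com:443`, plus whatever the audit report shows). The hunk starts at line 12, so I cannot see whether this file has a top-level `permissions:` block like the other workflows in this commit; if it does not, the auto-assign action needs only `pull-requests: write` and should be granted exactly that.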
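Review bot: This workflow is triggered by `pull_request_target`, so the job runs in the base repository's context with a write-capable token and access to repository secrets even for fork PRs; `pull-requests: write` is the right scope for commenting, but the permissions block does not remove the main risk of that trigger. The job body is outside this hunk, so please confirm it never checks out and executes code from the PR head (`ref: ${{ github.event.pull_request.head.sha }}` followed by a build or test step), and that PR-controlled fields such as title, body or branch name are passed to scripts via `env:` rather than interpolated into `run:`. A one-line comment above `permissions:` recording that constraint, e.g. `# pull_request_target: never check out or execute PR head code in this workflow`, would help future editors.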
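Review bot: Reopening an issue requires `issues: write`, but the caller now sets `permissions: contents: read`, and a called reusable workflow can only downgrade the token permissions it receives. Unless `reopen-issue-if-prs-open.yml` in the `.github` repository authenticates with its own app token or PAT (not visible in this diff), the reopen call will fail with 403; if it uses the default token, grant `issues: write` (and likely `pull-requests: read` to enumerate linked PRs) here instead. The `@main` reference is also one of the two unpinned `uses:` left in this commit, alongside auto-project.yml.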
@@ -26,6 +26,7 @@ on: permissions: contents: read pull-requests: write + issues: write jobs: echidna-fuzzing: @@ -34,13 +35,17 @@ jobs: timeout-minutes: 90 steps: + - name: Harden Runner + uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2 + with: + egress-policy: audit - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: '22' cache: 'yarn' @@ -82,7 +87,7 @@ jobs: echidna --version - name: Restore corpus cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: packages/smart-contracts/corpus key: echidna-corpus-${{ github.ref_name }}-${{ github.sha }} @@ -175,7 +180,7 @@ jobs: - name: Upload Echidna reports if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: echidna-reports-${{ steps.mode.outputs.MODE }} path: | @@ -185,7 +190,7 @@ jobs: - name: Comment on PR if: github.event_name == 'pull_request' && always() - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | @@ -257,7 +262,7 @@ jobs: - name: Create issue for nightly failures if: github.event_name == 'schedule' && steps.echidna.outcome == 'failure' - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/security-slither.yml b/.github/workflows/security-slither.yml index c58fb1f0f9..bda7b239c6 100644 --- a/.github/workflows/security-slither.yml +++ b/.github/workflows/security-slither.yml 
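Review bot: `issues: write` is added at the workflow level, so it is granted on every trigger including `pull_request`, although the only step that needs it (`Create issue for nightly failures`, later in this diff) is gated on `github.event_name == 'schedule'`. With what appears to be a single job there is little room to scope it tighter, so at least document why it is there, e.g. `issues: write  # only used by the nightly 'Create issue' step`, and revisit if the PR-triggered path is ever split into its own job.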
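Review bot: `egress-policy: audit` only logs outbound traffic and does not block anything, so a compromised package pulled in by `yarn install`, or a tampered echidna binary fetched by the install step outside these hunks, could still exfiltrate the job's GITHUB_TOKEN, which carries `pull-requests: write` and now `issues: write`. Once an audit run has produced the endpoint list, switch to `egress-policy: block` with `allowed-endpoints:` covering the GitHub API and object hosts, the yarn registry, and wherever echidna is downloaded from. Pinning `actions/checkout`, `actions/setup-node`, `actions/cache`, `actions/upload-artifact` and `actions/github-script` to SHAs is the right move; consider recording the full release in the trailing comment (`# v4.x.y`) so future bumps can be checked against a tag.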
@@ -21,13 +21,17 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2 + with: + egress-policy: audit - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: '22' cache: 'yarn' @@ -48,7 +52,7 @@ jobs: yarn build:sol - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: '3.11' cache: 'pip' @@ -90,14 +94,14 @@ jobs: - name: Upload SARIF to GitHub Security if: always() && hashFiles('packages/smart-contracts/reports/security/slither.sarif') != '' - uses: github/codeql-action/upload-sarif@v4 + uses: github/codeql-action/upload-sarif@5e316336eb4f107009e477d4bfbfff13d7250fae # v4 with: sarif_file: packages/smart-contracts/reports/security/slither.sarif category: slither - name: Upload Slither reports if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: slither-reports path: packages/smart-contracts/reports/security/ @@ -132,7 +136,7 @@ jobs: - name: Comment on PR if: github.event_name == 'pull_request' && always() - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/tron-smart-contracts.yml b/.github/workflows/tron-smart-contracts.yml index a7cd610cff..0f28d4e889 100644 --- a/.github/workflows/tron-smart-contracts.yml +++ b/.github/workflows/tron-smart-contracts.yml 
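Review bot: This job still installs its Node and Python dependencies without the Socket firewall wrapper that tron-smart-contracts.yml adopts in the same commit (`sfw yarn install --frozen-lockfile`); the install steps themselves are outside these hunks, but `cache: 'yarn'` and `cache: 'pip'` indicate both a `yarn install` and a `pip install` run here. For consistent coverage, add the `SocketDev/action` setup step after `Setup Python` and prefix both installs with `sfw`; slither-analyzer and its pip dependency tree are exactly the kind of fetch the firewall is meant to gate. As in the other files, `egress-policy: audit` is observe-only and should move to `block` once the baseline is known.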
@@ -32,17 +32,24 @@ on: - 'packages/currency/src/chains/tron/**' workflow_dispatch: +permissions: + contents: read + jobs: tron-compile-check: name: Tron Contract Compilation Check runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2 + with: + egress-policy: audit - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: '22' cache: 'yarn' @@ -50,8 +57,13 @@ jobs: - name: Install TronBox globally run: npm install -g tronbox + - name: Setup Socket.dev + uses: SocketDev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2 + with: + mode: firewall-free + - name: Install dependencies - run: yarn install --frozen-lockfile + run: sfw yarn install --frozen-lockfile - name: Compile Tron contracts working-directory: packages/smart-contracts @@ -134,17 +146,26 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2 + with: + egress-policy: audit - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: '22' cache: 'yarn' + - name: Setup Socket.dev + uses: SocketDev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2 + with: + mode: firewall-free + - name: Install dependencies - run: yarn install --frozen-lockfile + run: sfw yarn install --frozen-lockfile - name: Build dependencies run: | 
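Review bot: `npm install -g tronbox` (the context line at the top of the second hunk) still runs before `Setup Socket.dev` and without the `sfw` wrapper, so TronBox and its full transitive dependency tree are installed unguarded while only the subsequent `yarn install` is gated; the global install is also unversioned, so it resolves a fresh release on every run. Move the Socket step above it and wrap and pin it, e.g. `run: sfw npm install -g tronbox@<version>`, so the firewall covers every package fetch in the job. I cannot tell from this diff what `mode: firewall-free` changes about the action's behaviour, so please confirm it still puts `sfw` on the PATH for both installs.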
@@ -163,17 +184,26 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2 + with: + egress-policy: audit - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: '22' cache: 'yarn' + - name: Setup Socket.dev + uses: SocketDev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2 + with: + mode: firewall-free + - name: Install dependencies - run: yarn install --frozen-lockfile + run: sfw yarn install --frozen-lockfile - name: Build smart-contracts package run: |