diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 38eb5c0a..77562e39 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,7 +8,9 @@ updates:
 - package-ecosystem: 'npm' # See documentation for possible values
 directory: '/' # Location of package manifests
 schedule:
- interval: 'daily'
+ interval: 'weekly'
+ cooldown:
+ default-days: 1
 groups:
 prod-dependencies:
 dependency-type: 'production'
@@ -20,3 +22,10 @@ updates:
 update-types:
 - 'minor'
 - 'patch'
+
+ - package-ecosystem: 'github-actions'
+ directory: '/'
+ schedule:
+ interval: 'weekly'
+ cooldown:
+ default-days: 1
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 62d875bf..9d41b21b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,6 +14,10 @@ jobs:
 lint:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
 - uses: actions/checkout@v2
 - run: npm i
 - run: npm run lint
@@ -25,6 +29,10 @@ jobs:
 node-version: [22.x, 20.x]
 cds-version: [9, 8]
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
 - uses: actions/checkout@v2
 - name: Use Node.js ${{ matrix.node-version }}
 uses: actions/setup-node@v2
diff --git a/.github/workflows/hana.yml b/.github/workflows/hana.yml
index 993b2231..528d237a 100644
--- a/.github/workflows/hana.yml
+++ b/.github/workflows/hana.yml
@@ -22,6 +22,10 @@ jobs:
 HANA_DRIVER: ${{ matrix.hana-driver }}
 HANA_PROM: ${{ matrix.hana-prom }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
 - uses: actions/checkout@v2
 - uses: actions/setup-node@v2
 - uses: cap-js/.github/.github/actions/hana-hdi-container@main
diff --git a/.github/workflows/label-issues.yml b/.github/workflows/label-issues.yml
index 7e570a4e..2790ceeb 100644
--- a/.github/workflows/label-issues.yml
+++ b/.github/workflows/label-issues.yml
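Review bot: The `cooldown` added under the npm entry in .github/dependabot.yml uses `default-days: 1`, which leaves only about a day for a compromised or broken release to be reported and unpublished before Dependabot proposes it. A longer quarantine, for example `default-days: 7` (an illustrative value, to be tuned to the project's tolerance), is a stronger control against freshly published malicious packages; per the Dependabot documentation the cooldown applies to version updates only, so security updates should not be delayed by it. The same one-day value is repeated in the new `github-actions` entry in the second hunk of this file. A short comment above the key, such as `# Wait before proposing new releases (supply-chain quarantine)`, would record the intent.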
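Review bot: The new `Harden Runner` step in the `lint` job of .github/workflows/ci.yml references `step-security/harden-runner@v2`, a mutable tag, so whatever that tag points to at run time executes first in the job. Pinning to the full commit SHA with the version as a trailing comment, `uses: step-security/harden-runner@<full-commit-sha> # v2.x.y` (placeholder values), makes the reference immutable, and the `github-actions` Dependabot entry added in this commit can keep such pins current. The same line appears in the second ci.yml hunk and in the hana.yml, label-issues.yml and release.yml hunks. Separately, `egress-policy: audit` only records outbound connections and blocks nothing, so a comment marking it as a baseline-collection step would avoid it being read as enforcement.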
@@ -13,6 +13,10 @@ jobs:
 label_issues:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
 - run: gh issue edit "$NUMBER" --add-label "$LABELS"
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2551c5b8..993364a1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,6 +12,10 @@ jobs:
 runs-on: ubuntu-latest
 environment: npm
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
 - uses: actions/checkout@v3
 - uses: actions/setup-node@v3
 with:
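Review bot: In .github/workflows/label-issues.yml the only step visible after the new `Harden Runner` step is `gh issue edit`, so this job looks like the easiest one to move from `egress-policy: audit` to enforcement. If the audit results confirm that the GitHub API is the only destination, the `with:` block could become `egress-policy: block` plus `allowed-endpoints: api.github.com:443`. The job's trigger and permissions lie outside the hunk, so confirm there that nothing else in the workflow needs network access.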
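Review bot: The `Harden Runner` step added to .github/workflows/release.yml runs in the job bound to `environment: npm`, which presumably exposes publish credentials, and `egress-policy: audit` will log but not stop an unexpected outbound connection from a compromised dependency or action. This is the job where a blocking policy gives the most benefit, so a comment on the new step such as `# TODO: switch to egress-policy: block with an allow-list once the audit baseline is reviewed` would keep the follow-up visible. The step list continues past the end of the hunk (the trailing `with:` belongs to `actions/setup-node@v3`), so the full set of required endpoints cannot be judged from here.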