diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 5724b60..42ecf9e 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -9,20 +9,41 @@ on:
 pull_request:
 branches: [ "main" ]
+permissions: read-all
+
 jobs:
 build:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Set up Go
- uses: actions/setup-go@v4
+ uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
 with:
- go-version: '1.22'
+ go-version-file: go.mod
 - name: Build
 run: go build -v ./...
 - name: Test
 run: go test -v ./...
+
+ - name: Go report card
+ uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
+
+ - name: Harden-Runner
+ uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
+ api.github.com:443
+ github-releases.githubusercontent.com:443
+ goreportcard.com:443
+ objects.githubusercontent.com:443
+ proxy.golang.org:443
+ storage.googleapis.com:443
+ golang.org:443
+ go.dev:443
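Review bot: The `Harden-Runner` step is appended as the last step of the `build` job, after checkout, setup-go, `go build`, `go test` and the third-party goreportcard action have already run, so `egress-policy: block` and `disable-sudo: true` take effect only when nothing is left to restrict. Harden-Runner is documented to be the first step of a job; move the whole `- name: Harden-Runner` block directly under `steps:`, above the `actions/checkout` step. Once it is first, the allow-list is enforced against the module downloads and the report-card call, so one run with `egress-policy: audit` would confirm the `allowed-endpoints` list is complete before switching to `block`. Separately, `permissions: read-all` grants read on every token scope; `permissions:` with only `contents: read` looks sufficient for the steps visible in this hunk.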