diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 4a3cd710..00bca29a 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -12,18 +12,35 @@ jobs:
     needs: [tests]
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       id-token: write  # Required for OIDC
     steps:
-      - uses: actions/checkout@v4
+      # Egress allowlist — blocks Shai-Hulud-style exfil (getsession.org, IMDS 169.254.169.254, vault.svc.cluster.local).
+      - name: Harden runner
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            uploads.github.com:443
+            registry.npmjs.org:443
+            nodejs.org:443
+            fulcio.sigstore.dev:443
+            rekor.sigstore.dev:443
+            tuf-repo-cdn.sigstore.dev:443
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
       - name: Use Node.js 20.x
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
           node-version: '20.x'
           registry-url: 'https://registry.npmjs.org'
+      # --ignore-scripts blocks transitive postinstall (Shai-Hulud worm vector).
       - name: Install dependencies
         run: |
           npm install -g npm@11
-          npm ci
+          npm ci --ignore-scripts
       - name: Security audit (production only)
         run: npm audit --audit-level=high --omit=dev
       - name: Publish