diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 6c3a802..3540c46 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -7,6 +7,7 @@ updates: directory: '/' schedule: interval: 'weekly' + - package-ecosystem: 'github-actions' # See documentation for possible values directory: '/' # Location of package manifests schedule: diff --git a/.github/workflows/node.js.yml b/.github/workflows/ci.yml similarity index 69% rename from .github/workflows/node.js.yml rename to .github/workflows/ci.yml index ef2aecc..d9b507b 100644 --- a/.github/workflows/node.js.yml +++ b/.github/workflows/ci.yml @@ -1,8 +1,11 @@ name: Node.js CI on: - workflow_dispatch: push: + branches: ['main'] + pull_request: + branches: ['main'] + workflow_dispatch: env: CONTENTFUL_ACCESS_TOKEN: ${{ secrets.CONTENTFUL_ACCESS_TOKEN }} @@ -27,11 +30,19 @@ jobs: cdn.contentful.com:443 github.com:443 registry.npmjs.org:443 - - uses: actions/checkout@v4@b4ffde65f46336ab88eb53be808477a3936bae11 - - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 + + - name: ๐Ÿ”” Checkout + uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + + - name: โš™๏ธ Setup Node.js + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version: ${{ matrix.node-version }} - - run: npm ci - - run: npm test - - run: npm run test:e2e + + - name: โš™๏ธ Install dependencies + run: npm ci + + - name: ๐Ÿงช Run tests + run: | + npm test + npm run test:e2e diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 47ddf76..2cc9db9 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
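Review bot: `CONTENTFUL_ACCESS_TOKEN` is declared in the workflow-level `env:`, so with the new `pull_request` trigger it is exposed to every step and every action of every job, not only the test step that presumably needs it; scope it to that step instead (`env:` / `CONTENTFUL_ACCESS_TOKEN: ${{ secrets.CONTENTFUL_ACCESS_TOKEN }}` under the step that runs the tests) so `npm ci` lifecycle scripts and the setup actions never see it. Note also that GitHub withholds repository secrets from `pull_request` runs opened from forks, so for fork PRs the variable will be empty and any test that needs Contentful will fail rather than be skipped; if that is accepted, record it in a comment next to the trigger, e.g. `# fork PRs run without secrets; Contentful-backed tests will fail there`. The `env:` mapping continues past the end of the hunk.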
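Review bot: The new checkout step keeps actions/checkout's default `persist-credentials: true`, so the job's `GITHUB_TOKEN` is written into `.git/config` before `npm ci` runs the lifecycle scripts of every dependency; nothing later in this hunk pushes or needs git authentication, so add `with:` / `persist-credentials: false` to the checkout step. The `allowed-endpoints` list starts before the hunk, so I cannot confirm `egress-policy: block` is set for this job, but the three hosts shown are consistent with a block-mode list, which is what makes that token the remaining exfiltration-worthy item on the runner.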
@@ -51,19 +51,13 @@ jobs: - name: ๐Ÿ” Harden Runner uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: - egress-policy: audit - # disable-sudo: true - # egress-policy: block - # allowed-endpoints: > - # api.github.com:443 - # api.osv.dev:443 - # api.securityscorecards.dev:443 - # fulcio.sigstore.dev:443 - # github.com:443 - # oss-fuzz-build-logs.storage.googleapis.com:443 - # rekor.sigstore.dev:443 - # tuf-repo-cdn.sigstore.dev:443 - # www.bestpractices.dev:443 + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + uploads.github.com:443 - name: โš™๏ธ Checkout code uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 diff --git a/.github/workflows/deploy-documentation.yml b/.github/workflows/deploy-documentation.yml index a20ec4e..5727869 100644 --- a/.github/workflows/deploy-documentation.yml +++ b/.github/workflows/deploy-documentation.yml @@ -18,19 +18,12 @@ jobs: - name: ๐Ÿ” Harden Runner uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: - egress-policy: audit - # disable-sudo: true - # egress-policy: block - # allowed-endpoints: > - # api.github.com:443 - # api.osv.dev:443 - # api.securityscorecards.dev:443 - # fulcio.sigstore.dev:443 - # github.com:443 - # oss-fuzz-build-logs.storage.googleapis.com:443 - # rekor.sigstore.dev:443 - # tuf-repo-cdn.sigstore.dev:443 - # www.bestpractices.dev:443 + disable-sudo: true + egress-policy: block + allowed-endpoints: > + github.com:443 + registry.npmjs.org:443 + tuf-repo-cdn.sigstore.dev:443 - name: โš™๏ธ Checkout code uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 diff --git a/.github/workflows/release-and-publish.yml b/.github/workflows/release-and-publish.yml index fd34b1d..73ea1c9 100644 --- a/.github/workflows/release-and-publish.yml +++ b/.github/workflows/release-and-publish.yml 
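Review bot: The block-mode allowlist covers only GitHub hosts, so if any later step in this job installs packages (`npm ci`) or otherwise leaves GitHub, that traffic will now be blocked; the list presumably comes from an audit run, but confirm that run covered the whole job, which continues past the hunk. Add a one-line comment above `allowed-endpoints` recording its provenance, e.g. `# from harden-runner audit output; re-run in audit mode when steps change`, so the next maintainer regenerates the list rather than widening it ad hoc.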
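Review bot: The new allowlist drops `api.github.com:443`, which the old commented-out list carried; if the deployment step later in this job uses a GitHub Pages action or otherwise calls the REST API, that call will now be blocked. `registry.npmjs.org:443` and `tuf-repo-cdn.sigstore.dev:443` suggest the list was taken from an audit run of `npm ci`, so verify that the same run exercised the deploy step as well. The job's remaining steps are outside the hunk.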
@@ -18,6 +18,11 @@ jobs: release_created: ${{ steps.release.outputs.release_created }} steps: + - name: ๐Ÿ” Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: ๐Ÿ†• Create or update release uses: google-github-actions/release-please-action@a37ac6e4f6449ce8b3f7607e4d97d0146028dc0b # 4.1.0 id: release @@ -37,7 +42,13 @@ jobs: - name: ๐Ÿ” Harden Runner uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + fulcio.sigstore.dev:443 + github.com:443 + registry.npmjs.org:443 + rekor.sigstore.dev:443 - name: ๐Ÿ”” Checkout uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # 4.1.2 diff --git a/.github/workflows/semantic-pull-request.yml b/.github/workflows/semantic-pull-request.yml index af64b04..9a9e5e7 100644 --- a/.github/workflows/semantic-pull-request.yml +++ b/.github/workflows/semantic-pull-request.yml @@ -18,7 +18,10 @@ jobs: - name: ๐Ÿ” Harden Runner uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 - name: ๐Ÿ”Ž Validate Pull Request format uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0
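Review bot: The release job gets harden-runner only in `audit` mode while every other job in this change moves to `block`, which leaves the job that creates releases as the least restricted one; release-please presumably needs only `api.github.com:443`, so once an audit run confirms that, switch it to `egress-policy: block` with that endpoint and `disable-sudo: true` for consistency with the publish job below. The job's remaining steps are outside the hunk.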
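Review bot: The publish allowlist includes `fulcio.sigstore.dev` and `rekor.sigstore.dev`, which indicates a provenance-signed `npm publish`; the sigstore client also fetches its trust root from `tuf-repo-cdn.sigstore.dev:443`, which the deploy-documentation list in this same change includes but this one omits. Confirm from an audit run of a real provenance publish before relying on block mode here, since a missing endpoint would fail the release rather than degrade it. The publish step itself is outside the hunk.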