diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000000..3e9c04353c
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,23 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
+ groups:
+ dev-dependencies:
+ applies-to: version-updates
+ patterns:
+ - '*'
+ dependency-type: development
+ production-dependencies:
+ applies-to: version-updates
+ patterns:
+ - '*'
+ dependency-type: production
+ cooldown:
+ default-days: 7
+ include:
+ - '*'
+ exclude:
+ - react
diff --git a/.github/workflows/release-reminder.yml b/.github/workflows/release-reminder.yml
index ad47caae1d..8bdc307f51 100644
--- a/.github/workflows/release-reminder.yml
+++ b/.github/workflows/release-reminder.yml
@@ -12,6 +12,11 @@ jobs:
 outputs:
 should_run: ${{ steps.should_run.outputs.bool }}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ with:
+ egress-policy: audit
+
 - name: Should run
 id: should_run
 run: |
@@ -42,6 +47,11 @@ jobs:
 needs: [ determine-date ]
 if: ${{ needs.determine-date.outputs.should_run == 'true' }}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ with:
+ egress-policy: audit
+
 - name: Get Date
 id: date
 run: |
@@ -52,7 +62,7 @@ jobs:
 echo "window_close_date=$window_close_date" >> "${GITHUB_OUTPUT}"
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 with:
 token: ${{ secrets.CF_BOT_GITHUB_TOKEN }}
 fetch-depth: 0
@@ -71,7 +81,7 @@ jobs:
 - name: File Issue
 id: file-issue
- uses: paketo-buildpacks/github-config/actions/issue/file@main
+ uses: paketo-buildpacks/github-config/actions/issue/file@94b73877cdf1df138db21159809bae9653a267cf # main
 with:
 token: ${{ secrets.CF_BOT_GITHUB_TOKEN }}
 repo: ${{ github.repository }}
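Review bot: In `.github/dependabot.yml` the `cooldown` exclusion `- react` and the `dependency-type: development` / `dependency-type: production` group filters look carried over from an npm-style template. The only ecosystem configured is `github-actions`, where no dependency is named `react` and, as far as I know, there is no development/production split, so the `dev-dependencies` group probably never matches. A single group with `patterns: ['*']` and a cooldown without the `exclude` list would describe what actually happens. The seven-day cooldown itself is worth keeping, since it delays adoption of a freshly published action release.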
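Review bot: `egress-policy: audit` in the harden-runner step added by the `@@ -12,6 +12,11 @@` hunk, and again by `@@ -42,6 +47,11 @@`, only records outbound connections and blocks nothing, while later steps of the second job are given `secrets.CF_BOT_GITHUB_TOKEN`. Treat audit as a baselining phase: once the observed destinations are known, switch at least that job to `egress-policy: block` with an explicit `allowed-endpoints` list. Until then a comment such as `# audit only: move to block after baselining` next to the setting would keep the gap visible. Both jobs' step lists continue outside these hunks.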
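Review bot: The Checkout step in the `@@ -52,7 +62,7 @@` hunk is now pinned to a SHA, but it still passes `token: ${{ secrets.CF_BOT_GITHUB_TOKEN }}` and relies on the action's default credential persistence, so the bot token stays in the checked-out repository's git configuration for every later step. If nothing after it pushes with git, add `persist-credentials: false` under `with:`. The rest of the job lies outside the hunk, so that needs checking first.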
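Review bot: The trailing `# main` on the new pin in the `@@ -71,7 +81,7 @@` hunk, and on the `add-to-project` pin in `@@ -83,7 +93,7 @@`, names a branch and not a release, so the comment cannot tell a reader which state of the action the SHA corresponds to. The `file` action is handed `secrets.CF_BOT_GITHUB_TOKEN`, so pinning it is the right move. It is worth confirming that Dependabot proposes updates for a SHA with no matching tag, otherwise the pin silently goes stale. A comment recording when the pin was taken, e.g. `# main as of <DATE_PINNED>`, would help.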
@@ -83,7 +93,7 @@ jobs:
 - name: Add issue to project
 id: issue-to-proj
- uses: paketo-buildpacks/github-config/actions/issue/add-to-project@main
+ uses: paketo-buildpacks/github-config/actions/issue/add-to-project@94b73877cdf1df138db21159809bae9653a267cf # main
 with:
 # CF buildpacks project - https://github.com/orgs/cloudfoundry/projects/37
 project-org: cloudfoundry
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000000..e17b03df0b
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,13 @@
+repos:
+- repo: https://github.com/gitleaks/gitleaks
+ rev: v8.16.3
+ hooks:
+ - id: gitleaks
+- repo: https://github.com/jumanjihouse/pre-commit-hooks
+ rev: 3.0.0
+ hooks:
+ - id: shellcheck
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.4.0
+ hooks:
+ - id: end-of-file-fixer
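Review bot: The three `rev:` values in `.pre-commit-config.yaml` are tags (`v8.16.3`, `3.0.0`, `v4.4.0`), which can be moved upstream, whereas the same commit pins every workflow action to a full commit SHA. pre-commit accepts a commit SHA as `rev`, and `pre-commit autoupdate --freeze` writes it in the form `rev: <COMMIT_SHA>  # frozen: v8.16.3`. The `dependabot.yml` added alongside lists only `github-actions`, so nothing visible in this commit keeps these hook versions current. Nothing shown runs the hooks in CI either, so the gitleaks check protects only contributors who have installed pre-commit locally.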