diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 17220c6..4a6667f 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -16,6 +16,7 @@ updates:
     #   - dependency-name: crazy-max/ghaction-dump-context
     #   - dependency-name: crazy-max/ghaction-github-labeler
     #   - dependency-name: crazy-max/ghaction-github-status
+    #   - dependency-name: GitHubSecurityLab/actions-permissions
     #   - dependency-name: hashicorp/setup-terraform
     #   - dependency-name: mxschmitt/action-tmate
     #   - dependency-name: step-security/harden-runner
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e7a60b2..2cdd921 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -34,6 +34,12 @@ jobs:
     steps:
       # Note that a duplicate of this step must be added at the top of
       # each job.
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          # Uses the organization variable unless overridden
+          config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
+      # Note that a duplicate of this step must be added at the top of
+      # each job.
       - id: harden-runner
         name: Harden the runner
         uses: step-security/harden-runner@v2
@@ -50,6 +56,10 @@ jobs:
       - diagnostics
     runs-on: ubuntu-latest
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          # Uses the organization variable unless overridden
+          config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
       - id: harden-runner
         name: Harden the runner
         uses: step-security/harden-runner@v2
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index 5d5ab41..4aa552c 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -18,6 +18,12 @@ jobs:
     steps:
       # Note that a duplicate of this step must be added at the top of
       # each job.
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          # Uses the organization variable unless overridden
+          config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
+      # Note that a duplicate of this step must be added at the top of
+      # each job.
       - id: harden-runner
         name: Harden the runner
         uses: step-security/harden-runner@v2
@@ -39,6 +45,10 @@ jobs:
       issues: write
     runs-on: ubuntu-latest
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          # Uses the organization variable unless overridden
+          config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
       - id: harden-runner
         name: Harden the runner
         uses: step-security/harden-runner@v2